{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ssh/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux","SSH"],"_cs_severities":["high"],"_cs_tags":["persistence","ssh","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers targeting Linux systems may establish persistence by compromising existing system user accounts and adding unauthorized SSH keys. This method allows them to bypass standard authentication procedures and regain access to the system even after password resets. While the specific campaigns leveraging this technique are currently unclear, the risk is significant, as it grants persistent access and is difficult to detect without specific monitoring in place. The use of backdoored system users circumvents typical multi-factor authentication and account lockout policies, potentially granting long-term access to sensitive data and systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: Attacker gains initial access through an unstated vector (e.g., exploiting a web application vulnerability, or using stolen credentials).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to root or a privileged user, potentially using exploits (e.g., Dirty Pipe) or misconfigurations.\u003c/li\u003e\n\u003cli\u003eAccount Discovery: The attacker identifies potential system user accounts to backdoor (e.g., accounts without passwords or with weak passwords).\u003c/li\u003e\n\u003cli\u003eSSH Key Generation: The attacker generates a new SSH key pair for persistent access using \u003ccode\u003essh-keygen\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eKey Installation: The attacker modifies the authorized_keys file (usually located at \u003ccode\u003e/home/[username]/.ssh/authorized_keys\u003c/code\u003e) of the targeted user to include the attacker's public key.\u003c/li\u003e\n\u003cli\u003ePersistence Check: The attacker tests the SSH login using the newly added key to ensure successful access.\u003c/li\u003e\n\u003cli\u003eCleanup (Optional): The attacker removes traces of the key generation or modification from logs and command history, though this is not always done thoroughly.\u003c/li\u003e\n\u003cli\u003eLateral Movement/Data Exfiltration: With persistent access, the attacker moves laterally within the network, accesses sensitive data, and exfiltrates it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised system user accounts can grant attackers long-term, stealthy access to critical systems. This can lead to data breaches, system downtime, and reputational damage. The number of victims and targeted sectors are unknown, but any organization relying on Linux systems for critical infrastructure is potentially at risk. Successful exploitation can result in complete system compromise and data exfiltration, causing significant financial and operational losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect SSH Key Added to Authorized Keys\u0026quot; to identify suspicious modifications to \u003ccode\u003eauthorized_keys\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eMonitor system logs for unusual SSH login activity, specifically logins using SSH keys instead of passwords (reference logsource: \u003ccode\u003elinux\u003c/code\u003e \u003ccode\u003eauth.log\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eRegularly audit system user accounts for unauthorized SSH keys (using shell commands and scripts).\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and multi-factor authentication where possible to prevent initial compromise (related to initial access vector).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-backdoored-ssh-user/","summary":"Attackers can maintain unauthorized access to Linux systems by backdooring system user accounts with SSH keys, allowing persistent access even after password changes.","title":"Linux SSH Persistence via Backdoored System User","url":"https://feed.craftedsignal.io/briefs/2024-01-backdoored-ssh-user/"}],"language":"en","title":"CraftedSignal Threat Feed - SSH","version":"https://jsonfeed.org/version/1.1"}