<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SSH - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/ssh/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/ssh/feed.xml" rel="self" type="application/rss+xml"/><item><title>Linux SSH Persistence via Backdoored System User</title><link>https://feed.craftedsignal.io/briefs/2024-01-backdoored-ssh-user/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-backdoored-ssh-user/</guid><description>Attackers can maintain unauthorized access to Linux systems by backdooring system user accounts with SSH keys, allowing persistent access even after password changes.</description><content:encoded><![CDATA[<p>Attackers targeting Linux systems may establish persistence by compromising existing system user accounts and adding unauthorized SSH keys. This method allows them to bypass standard authentication procedures and regain access to the system even after password resets. While the specific campaigns leveraging this technique are currently unclear, the risk is significant, as it grants persistent access and is difficult to detect without specific monitoring in place. The use of backdoored system users circumvents typical multi-factor authentication and account lockout policies, potentially granting long-term access to sensitive data and systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: Attacker gains initial access through an unstated vector (e.g., exploiting a web application vulnerability, or using stolen credentials).</li>
<li>Privilege Escalation: The attacker escalates privileges to root or a privileged user, potentially using exploits (e.g., Dirty Pipe) or misconfigurations.</li>
<li>Account Discovery: The attacker identifies potential system user accounts to backdoor (e.g., accounts without passwords or with weak passwords).</li>
<li>SSH Key Generation: The attacker generates a new SSH key pair for persistent access using <code>ssh-keygen</code>.</li>
<li>Key Installation: The attacker modifies the authorized_keys file (usually located at <code>/home/[username]/.ssh/authorized_keys</code>) of the targeted user to include the attacker's public key.</li>
<li>Persistence Check: The attacker tests the SSH login using the newly added key to ensure successful access.</li>
<li>Cleanup (Optional): The attacker removes traces of the key generation or modification from logs and command history, though this is not always done thoroughly.</li>
<li>Lateral Movement/Data Exfiltration: With persistent access, the attacker moves laterally within the network, accesses sensitive data, and exfiltrates it.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised system user accounts can grant attackers long-term, stealthy access to critical systems. This can lead to data breaches, system downtime, and reputational damage. The number of victims and targeted sectors are unknown, but any organization relying on Linux systems for critical infrastructure is potentially at risk. Successful exploitation can result in complete system compromise and data exfiltration, causing significant financial and operational losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect SSH Key Added to Authorized Keys&quot; to identify suspicious modifications to <code>authorized_keys</code> files.</li>
<li>Monitor system logs for unusual SSH login activity, specifically logins using SSH keys instead of passwords (reference logsource: <code>linux</code> <code>auth.log</code>).</li>
<li>Regularly audit system user accounts for unauthorized SSH keys (using shell commands and scripts).</li>
<li>Enforce strong password policies and multi-factor authentication where possible to prevent initial compromise (related to initial access vector).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>persistence</category><category>ssh</category><category>linux</category></item></channel></rss>