Crooks are mass-scanning websites for directories that might contain SSH private keys, so that any key accidentally left in a public folder can be used to log in to the servers that trust it.
SSH authentication can work via the classic username-and-password model or via key-based authentication. For the latter, the user generates a key pair (RSA, ECDSA or Ed25519), made of a public key and a private key.
The public key is placed on the server the user wants to log in to, in that account's ~/.ssh/authorized_keys file, while the private key stays on the user's own machine, typically under ~/.ssh/ (for example ~/.ssh/id_rsa). Whoever holds the private key can authenticate as that user to every server that trusts the matching public key, which is why it must never end up in a web-served directory.
Scans for private SSH keys started out of the blue
Wordfence, a US-based WordPress security firm, noticed last night a wave of scans for folder names that suggest the attacker was looking for SSH private keys.
Attackers requested web paths containing the terms "root" and "ssh", alone or in combination, as well as the default private-key file name "id_rsa". The scans came out of the blue, as there had been little activity of this type before this week.
“In the past 24 hours, we have seen a new attacker start mass-scanning websites for private SSH keys,” said Wordfence CEO Mark Maunder in a report published last night.
“The graph shows a massive spike in scanning activity in the past 48 hours,” Maunder said. “We think this increase of activity may indicate that an attacker is having some success scanning for private keys and has decided to increase their efforts. This may indicate a common bug or operational mistake that is being made by WordPress site owners, by which private keys are being accidentally made public.”
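The probing Wordfence describes leaves an obvious trail in any web server's access log. The script below is an added example written for this article, not Wordfence's code, and it assumes an Apache/nginx combined log format (client IP in the first field, request path in the seventh). The log lines embedded in it are constructed for the example; the IP addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the article or Wordfence): flag clients that request
# paths only an SSH-key hunter would ask for, using a combined-format access log.

# Paths that make no sense for a legitimate visitor: ssh-keygen's default key file
# names, the .ssh directory, the "root" and "ssh" directory names the article mentions,
# and the other files found next to a private key. Matched case-insensitively.
SSH_KEY_PROBE_RE='(id_rsa|id_dsa|id_ecdsa|id_ed25519|/[.]ssh/|/ssh/|/root/|authorized_keys|known_hosts)'

# Exit 0 if a single request path looks like an SSH-key probe, 1 otherwise.
# Usage: ssh_key_probe_path '/root/.ssh/id_rsa'
ssh_key_probe_path() {
    printf '%s' "$1" | grep -Eiq "$SSH_KEY_PROBE_RE"
}

# Read an access log on stdin and print "count ip" for every client that sent at
# least one probe, most active client first.
# Usage: ssh_key_probes < /var/log/nginx/access.log
ssh_key_probes() {
    awk -v re="$SSH_KEY_PROBE_RE" '
        # combined format: ip - - [ts tz] "METHOD /path HTTP/1.x" status bytes "ref" "ua"
        # so $1 is the client address and $7 the request path
        tolower($7) ~ re { hits[$1]++ }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# Constructed sample log for a stand-alone run (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [23/Oct/2017:10:00:01 +0000] "GET /.ssh/id_rsa HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2017:10:00:02 +0000] "GET /root/.ssh/id_rsa HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2017:10:00:03 +0000] "GET /ssh/id_rsa.pub HTTP/1.1" 404 169 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Oct/2017:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2371 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Oct/2017:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Oct/2017:10:00:06 +0000] "GET /backup/id_ed25519 HTTP/1.1" 403 199 "-" "curl/7.55"
EOF
)

# Stand-alone demo: prints "3 203.0.113.7" and "1 192.0.2.9"; the WordPress visitor is not listed.
printf '%s\n' "$SAMPLE_LOG" | ssh_key_probes
```

A 404 on these paths is the good outcome; a 200 on any of them is the signal to act on immediately, because it means the file is really there and has probably already been downloaded. Feeding the flagged IPs into a block list is cheap, but the more useful check is the one in the last section: confirm no such file exists under the web root.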
Report on insecure SSH configs might have triggered the scans
The sudden spike can also be explained by a report published at the start of the week by Venafi, a provider of identity protection services.
The company conducted a study among 410 IT security professionals and found “a widespread lack of SSH security controls.”
Key study findings:
- Sixty-one percent of respondents do not limit or monitor the number of administrators who manage SSH; only 35 percent enforce policies that prohibit SSH users from configuring their own authorized keys, leaving organizations blind to abuse by malicious insiders.
- Ninety percent of respondents said they do not have a complete and accurate inventory of all SSH keys, so there is no way to determine whether keys have been stolen, misused or should no longer be trusted.
- Just 23 percent of respondents rotate keys on a quarterly or more frequent basis. Forty percent said they do not rotate keys at all or only do so occasionally. Attackers who gain access to SSH keys will have ongoing privileged access until the keys are rotated.
- Fifty-one percent of respondents said they do not enforce "no port forwarding" for SSH. Port forwarding lets users effectively bypass the firewalls between systems, so a cybercriminal with SSH access can rapidly pivot across network segments.
- Fifty-four percent of respondents do not limit the locations from which SSH keys can be used. For applications that do not move, restricting SSH use to a specific IP address can stop cybercriminals from using a compromised SSH key remotely.
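Two of the controls in that list, restricting a key to a source address and disabling port forwarding, are per-key options in OpenSSH's authorized_keys file, and the file layout is the one described at the top of the article (public half on the server, private half on the client). The script below is an added example for this article, not Venafi's or the article's code. It assumes OpenSSH's authorized_keys option syntax (from=, no-port-forwarding and friends) and its StrictModes permission rules; the key material used in comments is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the article or Venafi): install a public key on a server
# with the authorized_keys options that implement "use only from this IP" and
# "no port forwarding", and with the permissions sshd's StrictModes requires.

# Client side only. Generates an Ed25519 key pair; only the .pub file is ever copied
# anywhere. The private key gets owner-only permissions. (Not exercised by the checks.)
# Usage: make_client_keypair ~/.ssh/id_ed25519
make_client_keypair() {
    ssh-keygen -t ed25519 -N '' -f "$1" -C "deploy@example" >/dev/null
    chmod 600 "$1"
}

# Server side. Appends one public key to <home>/.ssh/authorized_keys, restricted to
# connections from <allowed_ip>, with port, agent and X11 forwarding disabled.
# Refuses anything that is not an OpenSSH public key line, which catches the classic
# mistake of copying the private half by accident.
# Usage: install_authorized_key /path/to/id_ed25519.pub /home/deploy 203.0.113.10
install_authorized_key() {
    pubkey_file=$1 home=$2 allowed_ip=$3
    pubkey=$(head -n1 "$pubkey_file")
    case "$pubkey" in
        "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-*|sk-*) ;;
        *) echo "refusing: $pubkey_file does not look like an OpenSSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"                # sshd ignores the file if the dir is group/world-writable
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$allowed_ip" "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Number of keys currently authorized for the account whose home is $1 (one per line).
# Usage: authorized_key_count /home/deploy
authorized_key_count() {
    grep -c . "$1/.ssh/authorized_keys"
}
```

Installing keys through a function like this, rather than letting each user edit their own authorized_keys, is the "prohibit SSH users from configuring their authorized keys" control from the survey; the from= option only helps for callers with a fixed address, as the survey itself notes. Keys should still be rotated: removing the line from authorized_keys is the only way to revoke a private key that may have leaked.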
Public bug disclosures and reports like this one often trigger a reaction from the cybercriminal underground, whose members read infosec sites as avidly as security professionals do.
Website owners are advised to check that they have not accidentally uploaded an SSH private key to a public web directory, or committed one to a Git or SVN repository. A key that has been exposed, even briefly, should be treated as compromised: remove its public key from every authorized_keys file that trusts it and generate a new pair, because deleting the file from the web root or the repository does nothing about copies already downloaded.
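A quick way to perform that check on a web root or a checked-out repository, as an added example that is not part of the article: look both for files whose content carries a PEM or OpenSSH private-key header and for files that carry ssh-keygen's default key names or a .pem/.ppk extension. The demo fixture it builds is a constructed directory tree with a placeholder key, not real key material.

```shell
#!/bin/sh
# Added example (not from the article): find private keys sitting under a directory
# that is served to the public, by content and by file name.

# Print every file under $1 that looks like a private key, one path per line.
# Content check: PEM/OpenSSH private-key headers. Name check: ssh-keygen defaults
# and the usual PEM/PuTTY extensions, which catches empty or oddly encoded files too.
# Usage: find_exposed_private_keys /var/www/html
find_exposed_private_keys() {
    root=$1
    {
        grep -rlE -e '-----BEGIN (RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----' "$root" 2>/dev/null
        find "$root" -type f \( -name id_rsa -o -name id_dsa -o -name id_ecdsa \
            -o -name id_ed25519 -o -name '*.pem' -o -name '*.ppk' \) 2>/dev/null
    } | sort -u
}

# Number of suspicious files under $1; zero is the only acceptable result for a web root.
# Usage: count_exposed_private_keys /var/www/html
count_exposed_private_keys() {
    find_exposed_private_keys "$1" | wc -l | tr -d ' '
}

# Build a constructed web root for a stand-alone run and print its path.
# Contains two files that must be flagged and two that must not.
make_demo_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/.ssh"
    # a site backup that swept up a private key (placeholder, not a real key)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'not-a-real-key' '-----END OPENSSH PRIVATE KEY-----' \
        > "$d/wp-content/uploads/site-backup.txt"
    # an empty file with ssh-keygen's default name, copied into the web root by mistake
    : > "$d/.ssh/id_ed25519"
    # harmless: the public half (constructed) and a PHP file
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKE user@host\n' > "$d/.ssh/id_ed25519.pub"
    printf '<?php echo "hello";\n' > "$d/index.php"
    echo "$d"
}

# Stand-alone demo: lists site-backup.txt and .ssh/id_ed25519, nothing else.
demo=$(make_demo_webroot)
find_exposed_private_keys "$demo"
rm -rf "$demo"
```

For repositories, scanning the working tree is not enough: a key that was committed and later deleted is still in the history, so run the same header pattern over `git log -p --all` output as well, and rotate the key rather than rewriting history.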
Image credits: Magicon, Bleeping Computer, Wordfence