SSH Authorized Keys

Information

• Name: SSH Authorized Keys

• ID: T1098.004

• Tactics: TA0003, TA0004

• Technique: T1098

Introduction

SSH Authorized Keys (T1098.004) is a sub-technique within the MITRE ATT&CK framework under the broader Account Manipulation (T1098) technique. Attackers leverage this method by adding or modifying SSH authorized keys, enabling persistent, passwordless access to compromised Linux or Unix-based systems. This allows adversaries to maintain long-term persistence and evade traditional authentication mechanisms, simplifying lateral movement and further exploitation.

Deep Dive Into Technique

SSH (Secure Shell) provides secure remote login capabilities, typically authenticating users via passwords or cryptographic keys. The authorized_keys file, usually located at ~/.ssh/authorized_keys, contains public keys that grant access without requiring a password.

Attackers exploiting this sub-technique typically follow these steps:

1. Initial Access:

   • Exploit vulnerabilities or stolen credentials to gain initial access to the target system.

   • Use existing compromised accounts or escalate privileges to gain write access to the victim user's SSH configuration.

2. Key Generation and Placement:

   • Generate a new SSH key pair (ssh-keygen) on attacker-controlled infrastructure.

   • Insert the attacker's public key into the victim user's authorized_keys file, often using commands such as:

     Copy

     echo "<attacker_public_key>" >> ~/.ssh/authorized_keys

   • Alternatively, attackers may overwrite existing keys or modify permissions to avoid suspicion.

3. Persistence and Access:

   • Once the public key is in place, attackers can log in remotely without providing passwords, bypassing traditional authentication logging.

   • Attackers may modify file permissions (chmod 600 authorized_keys) and timestamps (touch -r) to mask their activity.

4. Privilege Escalation and Lateral Movement:

   • Attackers may escalate privileges by compromising administrative or root accounts.

   • Attackers can propagate their keys across multiple systems, enabling lateral movement.

When this Technique is Usually Used

Attackers commonly employ SSH Authorized Keys manipulation in various attack scenarios and stages, including:

• Persistence:

  • Maintaining long-term, stealthy access to compromised systems after initial intrusion.

  • Avoiding repeated exploitation or credential reuse, reducing detection probability.

• Lateral Movement:

  • Propagating access across multiple compromised hosts within the network.

  • Simplifying lateral movement by eliminating the need to repeatedly authenticate with passwords.

• Privilege Escalation:

  • Gaining root or administrative-level access by inserting keys into privileged user accounts.

  • Facilitating future privilege escalation attempts and simplifying administrative access.

• Data Exfiltration and Command-and-Control (C2):

  • Establishing secure, encrypted channels for data exfiltration or command-and-control operations.

  • Reducing detection risks by leveraging legitimate SSH traffic.

How this Technique is Usually Detected

Detecting unauthorized modifications to SSH authorized keys involves monitoring various indicators and employing multiple detection methods, including:

• File Integrity Monitoring (FIM):

  • Monitoring changes to critical files such as ~/.ssh/authorized_keys.

  • Tools: OSSEC, Tripwire, AIDE, Auditd.

• Audit Logging and Alerts:

  • Enabling audit logging to track file modifications (auditd rules for authorized_keys).

  • Example audit rule:

    Copy

    -w /home/*/.ssh/authorized_keys -p wa -k ssh_key_modification

  • Monitoring alerts for unauthorized file edits or unexpected SSH key additions.

• Behavioral Analytics and Anomaly Detection:

  • Identifying unusual SSH login patterns, such as logins from unfamiliar IP addresses or at unusual times.

  • Using SIEM solutions (Splunk, ELK Stack, QRadar) to correlate SSH login events with authorized_keys changes.

• Host-based Detection:

  • Regularly scanning authorized_keys files for unfamiliar or unauthorized public keys.

  • Comparing current keys against a known whitelist or baseline.

• Network Traffic Monitoring:

  • Monitoring network traffic for unusual SSH sessions or data exfiltration attempts.

  • Identifying SSH connections to external, unknown, or suspicious IP addresses.

Indicators of Compromise (IoCs):

• Unrecognized public keys in authorized_keys.

• Unauthorized file permission changes on .ssh directories or authorized_keys files.

• SSH logins from unknown or suspicious IP addresses.

• Unusual SSH login times and frequencies.

Why it is Important to Detect This Technique

Identifying SSH Authorized Keys manipulation early is critical due to its severe potential impacts, including:

• Persistent Unauthorized Access:

  • Attackers gain persistent, stealthy access, making remediation challenging.

  • Unauthorized access may persist even after password changes or account lockouts.

• Privilege Escalation and Administrative Control:

  • Attackers can escalate privileges by inserting keys into privileged accounts, significantly increasing their control over systems and networks.

• Data Exfiltration and Intellectual Property Theft:

  • Attackers can exfiltrate sensitive data securely and stealthily via encrypted SSH channels, causing significant financial and reputational damage.

• Lateral Movement and Network Compromise:

  • Attackers can propagate their access across multiple systems, increasing the scope and severity of breaches.

  • Networks can become extensively compromised, complicating containment and remediation efforts.

• Evasion of Traditional Security Controls:

  • SSH key-based authentication bypasses traditional password-based monitoring and detection mechanisms, making unauthorized access harder to detect.

Early detection helps minimize damage, reduces remediation costs, and prevents attackers from establishing long-term footholds.

Examples

Real-world examples demonstrating the use of SSH Authorized Keys manipulation include:

• APT29 (Cozy Bear):

  • Russian state-sponsored group known to use SSH keys for persistent access.

  • Attackers inserted their own SSH keys into compromised systems to maintain long-term access and evade detection.

  • Impact: Persistent espionage, theft of sensitive government and commercial information.

• Operation Windigo:

  • Large-scale Linux malware campaign that compromised thousands of servers.

  • Attackers inserted malicious SSH keys into authorized_keys files for persistent access and lateral movement.

  • Impact: Spam distribution, credential theft, malware hosting, and extensive network compromise.

• Cloud Hopper Campaign (APT10):

  • Chinese state-sponsored attackers compromised managed service providers (MSPs).

  • Attackers manipulated SSH authorized keys to persistently access client networks and systems.

  • Impact: Intellectual property theft, sensitive data exfiltration, extensive supply-chain compromise.

• Crypto-mining Campaigns:

  • Attackers compromised Linux servers and cloud resources, inserting SSH keys to maintain persistent access.

  • Used persistent access to deploy crypto-mining malware, causing resource exhaustion and financial losses.

These examples highlight the widespread use and significant impact of SSH Authorized Keys manipulation in real-world attacks, emphasizing the importance of robust detection and prevention measures.