SSH

SSH [T1021.004]

Information

Name: SSH
ID: T1021.004
Tactics:
Technique:

Introduction

The SSH (Secure Shell) sub-technique, identified as T1021.004 within the MITRE ATT&CK framework, refers to adversaries leveraging SSH protocol to gain unauthorized access, execute commands, or move laterally within compromised environments. SSH is a secure network protocol commonly used by system administrators for remote management of servers and network devices. Attackers exploit this legitimate protocol to blend in with normal administrative traffic, making detection challenging.

Deep Dive Into Technique

Adversaries commonly exploit SSH in the following ways:

Credential-Based Access:
- Attackers may use compromised credentials (usernames/passwords or SSH keys) to authenticate to remote systems.
- Credentials can be obtained through phishing attacks, credential dumping, brute-force attacks, or previous compromises.
SSH Key Abuse:
- Attackers may create or reuse SSH keys to maintain persistent access without relying on passwords.
- Unauthorized keys can be placed in the victim's authorized_keys file for persistence.
Port Forwarding and Tunneling:
- SSH can be used to tunnel traffic through compromised hosts, effectively bypassing firewall rules and network segmentation.
- Attackers may use SSH tunnels to pivot into internal networks or exfiltrate data covertly.
ProxyJump and ProxyCommand:
- Attackers may leverage SSH configuration options such as ProxyJump or ProxyCommand to chain connections through multiple compromised hosts, making tracking and attribution difficult.
Execution of Commands and Scripts:
- Attackers may remotely execute commands or scripts via SSH to perform reconnaissance, privilege escalation, lateral movement, or data exfiltration.
- Automated scripts or tools may be used to rapidly execute commands across multiple compromised hosts.

When this Technique is Usually Used

Adversaries employ SSH sub-technique primarily during the following attack phases:

Initial Access:
- Gaining initial foothold through compromised credentials or SSH brute-force attacks.
Persistence:
- Maintaining long-term access by adding attacker-controlled SSH keys or modifying configurations.
Privilege Escalation:
- Using SSH connections combined with credential reuse on hosts with higher privileges.
Defense Evasion:
- Utilizing encrypted SSH channels and legitimate administrative tools to evade detection.
Lateral Movement:
- Pivoting across internal network segments and systems using SSH tunnels or chained connections.
Collection and Exfiltration:
- Transferring sensitive data or files through secure SSH tunnels to external attacker-controlled servers.

How this Technique is Usually Detected

Detection of SSH misuse involves monitoring and analyzing network traffic, authentication logs, and system configuration changes. Common detection methods include:

Monitoring Authentication Logs:
- Inspecting /var/log/auth.log, /var/log/secure, or equivalent logs for unusual login attempts, failed authentications, or logins from unknown IP addresses.
Network Traffic Analysis:
- Detecting unusual SSH traffic patterns, such as frequent or large data transfers over SSH port (TCP 22), especially at unusual hours or from unfamiliar IP ranges.
- Utilizing network monitoring tools such as Zeek, Suricata, or Snort to detect suspicious SSH traffic.
SSH Key Auditing:
- Regularly auditing SSH keys stored in user directories (~/.ssh/authorized_keys) to identify unauthorized or unknown keys.
- Implementing automated scripts or security tools (e.g., OSSEC, Wazuh, or custom scripts) to detect unauthorized changes to SSH configurations.
Behavioral Analysis and Baseline Monitoring:
- Establishing behavioral baselines for SSH usage patterns and alerting on deviations, such as multiple failed login attempts, unusual login times, or logins from unexpected geographic locations.
Endpoint Detection and Response (EDR) Tools:
- Utilizing EDR solutions to monitor process execution patterns, command-line arguments, and SSH-related activity on endpoints.

Indicators of Compromise (IoCs) include:

Unusual SSH login attempts from foreign or unknown IP addresses.
Presence of unauthorized SSH keys in user directories.
Suspicious SSH configuration changes, such as enabling root login or modifying authentication settings.
Evidence of SSH tunneling or port forwarding in command history logs.

Why it is Important to Detect This Technique

Early detection of SSH misuse is crucial because:

Persistence and Long-Term Access:
- SSH provides attackers with persistent, encrypted access, enabling long-term infiltration of an organization's infrastructure.
Lateral Movement:
- Attackers leveraging SSH can easily pivot across multiple systems, escalating privileges and expanding footholds within internal networks.
Data Exfiltration Risks:
- SSH tunnels can be used to covertly exfiltrate sensitive data, intellectual property, or confidential information, bypassing traditional detection controls.
Defense Evasion:
- SSH is a legitimate administrative protocol, making it difficult to distinguish malicious activity from normal operations without proper monitoring and detection mechanisms.
Potential for Severe Damage:
- Undetected SSH misuse can lead to severe operational disruptions, data breaches, regulatory compliance violations, reputational damage, and financial losses.

Examples

Real-world examples of SSH misuse include:

Operation Cloud Hopper:
- Attackers compromised Managed Service Providers (MSPs) using stolen SSH credentials, enabling lateral movement into customer environments.
- Impact: Compromise of multiple global organizations, theft of sensitive intellectual property, and confidential business information.
Linux/Ebury SSH Rootkit:
- Attackers deployed a sophisticated rootkit that modified OpenSSH binaries, stealing SSH credentials and keys from infected systems.
- Impact: Thousands of compromised Linux servers globally, enabling attackers to pivot across networks and exfiltrate sensitive data.
Crypto-Mining Campaigns via SSH Brute-Force:
- Attackers leveraged automated brute-force attacks against SSH services with weak credentials, deploying cryptocurrency mining malware once successful.
- Impact: Resource exhaustion, increased operational costs, performance degradation, and potential data theft risks.
APT34 (OilRig) SSH Tunneling:
- Iranian threat actor APT34 utilized SSH tunneling techniques to bypass network defenses and exfiltrate sensitive data from compromised organizations.
- Impact: Data breaches, espionage activities, and compromise of confidential government and corporate information.
Carbanak/FIN7 SSH Usage:
- Cybercriminal groups such as Carbanak and FIN7 employed SSH tunnels and credential reuse techniques to evade detection, pivot across compromised networks, and steal financial and credit card data.
- Impact: Significant financial losses, compromised customer data, and regulatory compliance violations for targeted organizations.

Last updated 1 month ago

Introduction

Deep Dive Into Technique

Adversaries commonly exploit SSH in the following ways:

Credential-Based Access:

Attackers may use compromised credentials (usernames/passwords or SSH keys) to authenticate to remote systems.
Credentials can be obtained through phishing attacks, credential dumping, brute-force attacks, or previous compromises.

SSH Key Abuse:

Attackers may create or reuse SSH keys to maintain persistent access without relying on passwords.
Unauthorized keys can be placed in the victim's authorized_keys file for persistence.

Port Forwarding and Tunneling:

SSH can be used to tunnel traffic through compromised hosts, effectively bypassing firewall rules and network segmentation.
Attackers may use SSH tunnels to pivot into internal networks or exfiltrate data covertly.

ProxyJump and ProxyCommand:

Attackers may leverage SSH configuration options such as ProxyJump or ProxyCommand to chain connections through multiple compromised hosts, making tracking and attribution difficult.

Execution of Commands and Scripts:

Attackers may remotely execute commands or scripts via SSH to perform reconnaissance, privilege escalation, lateral movement, or data exfiltration.
Automated scripts or tools may be used to rapidly execute commands across multiple compromised hosts.

When this Technique is Usually Used

Adversaries employ SSH sub-technique primarily during the following attack phases:

Initial Access:

Gaining initial foothold through compromised credentials or SSH brute-force attacks.

Persistence:

Maintaining long-term access by adding attacker-controlled SSH keys or modifying configurations.

Privilege Escalation:

Using SSH connections combined with credential reuse on hosts with higher privileges.

Defense Evasion:

Utilizing encrypted SSH channels and legitimate administrative tools to evade detection.

Lateral Movement:

Pivoting across internal network segments and systems using SSH tunnels or chained connections.

Collection and Exfiltration:

Transferring sensitive data or files through secure SSH tunnels to external attacker-controlled servers.

How this Technique is Usually Detected

Detection of SSH misuse involves monitoring and analyzing network traffic, authentication logs, and system configuration changes. Common detection methods include:

Monitoring Authentication Logs:

Inspecting /var/log/auth.log, /var/log/secure, or equivalent logs for unusual login attempts, failed authentications, or logins from unknown IP addresses.

Network Traffic Analysis:

Detecting unusual SSH traffic patterns, such as frequent or large data transfers over SSH port (TCP 22), especially at unusual hours or from unfamiliar IP ranges.
Utilizing network monitoring tools such as Zeek, Suricata, or Snort to detect suspicious SSH traffic.

SSH Key Auditing:

Regularly auditing SSH keys stored in user directories (~/.ssh/authorized_keys) to identify unauthorized or unknown keys.
Implementing automated scripts or security tools (e.g., OSSEC, Wazuh, or custom scripts) to detect unauthorized changes to SSH configurations.

Behavioral Analysis and Baseline Monitoring:

Establishing behavioral baselines for SSH usage patterns and alerting on deviations, such as multiple failed login attempts, unusual login times, or logins from unexpected geographic locations.

Endpoint Detection and Response (EDR) Tools:

Utilizing EDR solutions to monitor process execution patterns, command-line arguments, and SSH-related activity on endpoints.

Indicators of Compromise (IoCs) include:

Unusual SSH login attempts from foreign or unknown IP addresses.

Presence of unauthorized SSH keys in user directories.

Suspicious SSH configuration changes, such as enabling root login or modifying authentication settings.

Evidence of SSH tunneling or port forwarding in command history logs.

Why it is Important to Detect This Technique

Early detection of SSH misuse is crucial because:

Persistence and Long-Term Access:

SSH provides attackers with persistent, encrypted access, enabling long-term infiltration of an organization's infrastructure.

Lateral Movement:

Attackers leveraging SSH can easily pivot across multiple systems, escalating privileges and expanding footholds within internal networks.

Data Exfiltration Risks:

SSH tunnels can be used to covertly exfiltrate sensitive data, intellectual property, or confidential information, bypassing traditional detection controls.

Defense Evasion:

SSH is a legitimate administrative protocol, making it difficult to distinguish malicious activity from normal operations without proper monitoring and detection mechanisms.

Potential for Severe Damage:

Undetected SSH misuse can lead to severe operational disruptions, data breaches, regulatory compliance violations, reputational damage, and financial losses.

Examples

Real-world examples of SSH misuse include:

Operation Cloud Hopper:

Attackers compromised Managed Service Providers (MSPs) using stolen SSH credentials, enabling lateral movement into customer environments.
Impact: Compromise of multiple global organizations, theft of sensitive intellectual property, and confidential business information.

Linux/Ebury SSH Rootkit:

Attackers deployed a sophisticated rootkit that modified OpenSSH binaries, stealing SSH credentials and keys from infected systems.
Impact: Thousands of compromised Linux servers globally, enabling attackers to pivot across networks and exfiltrate sensitive data.

Crypto-Mining Campaigns via SSH Brute-Force:

Attackers leveraged automated brute-force attacks against SSH services with weak credentials, deploying cryptocurrency mining malware once successful.
Impact: Resource exhaustion, increased operational costs, performance degradation, and potential data theft risks.

APT34 (OilRig) SSH Tunneling:

Iranian threat actor APT34 utilized SSH tunneling techniques to bypass network defenses and exfiltrate sensitive data from compromised organizations.
Impact: Data breaches, espionage activities, and compromise of confidential government and corporate information.

Carbanak/FIN7 SSH Usage:

Cybercriminal groups such as Carbanak and FIN7 employed SSH tunnels and credential reuse techniques to evade detection, pivot across compromised networks, and steal financial and credit card data.
Impact: Significant financial losses, compromised customer data, and regulatory compliance violations for targeted organizations.