The Sysdig Threat Research Team (TRT) has uncovered the malicious use of a newly developed network mapping tool named SSH-Snake, which surfaced on January 4, 2024. SSH-Snake operates as a self-modifying worm that uses SSH credentials discovered on compromised systems to propagate through networks. Notably, the tool autonomously searches known credential locations and shell history files to decide its next hops. SSH-Snake is currently being used by threat actors in offensive operations.
Method
SSH-Snake represents an evolution in lateral movement tactics, offering greater stealth, flexibility and credential discovery than traditional SSH worms. By avoiding easily detectable attack patterns, it operates more efficiently and successfully. Written as a bash shell script, it autonomously searches the host for SSH credentials; once it finds them, it attempts to log into the target systems and replicates itself there, continuing the propagation. Notably, SSH-Snake is self-modifying and fileless, which improves its efficiency and helps it evade detection. It also uses several methods to locate private keys, including parsing bash history files for relevant commands.
The image below is an example of what was used in the earlier LABRAT dropper. Compared with the scripted attacks seen there, SSH-Snake provides greater stealth, flexibility, configurability and more comprehensive credential discovery than typical SSH worms, which makes its lateral movement more efficient and successful.
Impact
Operators deploy SSH-Snake from a command-and-control (C2) server, which also stores the data collected from compromised systems: credentials, victim IP addresses and bash history. Sysdig TRT has observed a growing list of victims, with approximately 100 identified at the time of writing. The deployment of SSH-Snake often follows the exploitation of known vulnerabilities in systems like Apache ActiveMQ and Atlassian Confluence, indicating an ongoing and potentially widespread threat.
Recommendation
To detect SSH-Snake activity, runtime threat detection tools can be employed.
Additionally, organizations should prioritize patching known vulnerabilities in systems like Apache ActiveMQ and Atlassian Confluence to prevent initial access by threat actors.
Enhanced security measures, including regular system audits and user training, are crucial for defending against evolving threats like SSH-Snake.
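As an added illustration of the detection recommendation above (example code written for this page, not Sysdig's tooling or a Falco rule), the following Python flags the hop-in-then-fan-out pattern a key-reusing SSH worm leaves in centralized sshd logs: a host that receives an SSH login and, within minutes, opens SSH sessions to several other hosts. The log lines and the IP-to-host inventory are constructed; a real deployment would also baseline legitimate automation such as configuration management that fans out over SSH.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd log lines (not real data), tagged with the emitting host as a log collector would.
SAMPLE_LOGS = """\
2024-01-10T10:00:00 web1 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2
2024-01-10T10:00:40 db1 sshd[2210]: Accepted publickey for deploy from 10.0.0.11 port 51010 ssh2
2024-01-10T10:00:55 cache1 sshd[3301]: Accepted publickey for root from 10.0.0.11 port 51011 ssh2
2024-01-10T10:01:10 build1 sshd[4402]: Accepted publickey for deploy from 10.0.0.11 port 51012 ssh2
2024-01-10T10:01:30 web1 sshd[1250]: Failed password for invalid user admin from 10.0.0.99 port 40000 ssh2
2024-01-10T10:02:00 cache1 sshd[3305]: Accepted publickey for root from 10.0.0.12 port 51020 ssh2
2024-01-10T10:02:05 build1 sshd[4410]: Accepted publickey for deploy from 10.0.0.12 port 51021 ssh2
"""
# Constructed inventory (assumption: the collector can map source IPs to managed hosts).
HOST_BY_IP = {"10.0.0.11": "web1", "10.0.0.12": "db1", "10.0.0.13": "cache1", "10.0.0.14": "build1"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_logins(text):
    """Return successful-login events (failed attempts are ignored) sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "dst": m["host"],
                           "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])

def find_fanout(events, host_by_ip, window=timedelta(minutes=5), min_targets=3):
    """Flag hosts that, within `window` of receiving an SSH login, open SSH sessions to at
    least `min_targets` distinct other hosts: the shape of a worm reusing harvested keys."""
    flagged = {}
    for i, inbound in enumerate(events):
        victim = inbound["dst"]
        deadline = inbound["ts"] + window
        targets = []
        for later in events[i + 1:]:  # events are time-sorted, so stop at the window edge
            if later["ts"] > deadline:
                break
            if host_by_ip.get(later["src"]) == victim and later["dst"] not in targets + [victim]:
                targets.append(later["dst"])
        if len(targets) >= min_targets and victim not in flagged:
            flagged[victim] = {"compromised_at": inbound["ts"].isoformat(), "targets": targets}
    return flagged

if __name__ == "__main__":
    print(find_fanout(parse_logins(SAMPLE_LOGS), HOST_BY_IP))
```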