March 3, 2020 (updated 4 March 2020, 10:15am)

SSH keys: How nation state attacks are falling into the hands of cybercriminals

By Ellen Daniel

In 2015, the systems belonging to three electricity suppliers in Ukraine were taken down in a sophisticated hack, causing power outages.

This first-of-its-kind attack was a startling reminder of the potential real-world consequences of cyberattacks.

But the method used in the Ukraine power grid cyberattack, once the preserve of high-profile hackers, is now in the hands of smaller-scale cybercriminals, and could soon impact organisations around the world.

This is according to new research by machine identity protection company Venafi. Verdict sat down with Yana Blachman, threat intelligence specialist at Venafi, and Kevin Bocek, Vice President of Security Strategy and Threat Intelligence, to discover how attackers are exploiting hidden backdoors within organisations.

Machine identities and hidden backdoors

At the heart of this attack vector lie machine identities. These are what allow machines to identify and authenticate themselves when securely communicating with other machines, using keys and certificates. SSH keys are one example of this. According to Security Brief, SSH keys “provide a secure connection between two machines, enabling data communication and remote command execution”.

“SSH is a network protocol that provides secure communication between machines. So if I’m an IT admin, I would like to access my server remotely, I would use SSH for that, using a public private key infrastructure. SSH is just one example of machine identity”, explains Blachman.

Although machine identities are vital to the secure digital processes of many organisations, they also open up opportunities for cyber attackers. According to Venafi, stealing or forging machine identities such as SSH keys is lucrative for cybercriminals as it allows them to evade security controls and gain access to systems or data through hidden backdoors.

“Stealing private keys or adding the attackers’ keys to the infected machine [allows attackers] to remain persistent, or to gather more information on the infected machine in order to laterally move across the network”, said Blachman. “So let’s say a banking Trojan has hit your computer, and it wants to stay there. Adding the attackers’ key to the host machine will enable the attacker to stay persistent on that machine and go back whenever they want to.”

“There’s not enough awareness”

In the cybersecurity world, significant effort goes into ensuring that unauthorised users do not gain access to systems, but the same cannot be said for machine identities. According to Venafi, many organisations are not taking adequate steps to manage and protect their machine identities, making them a weak point for attackers to routinely exploit.

Blachman explains that many organisations may not even be aware of how many machine identities they have:

“There’s not enough awareness, especially because machine identities are not listed anywhere. So it’s very hard to know how many machine identities you have in your network and how you manage them and how you control them unless you have the means for it. I think the lack of visibility doesn’t give you a way to see if a threat actor added a backdoor. You would never know and it can stay undetected for years.”

According to Security Brief, research has shown that only 10% of organisations believe they have “complete and accurate intelligence” on the SSH keys within their organisation.

“We’ve worked with banks where they’ve found SSH keys that have lived for decades”, said Bocek. “And because of the scale of an organisation, if you take a bank, an airline, an insurer, a retailer, there are not just tens of thousands, but hundreds of thousands upon millions of these. So at this scope and scale, no human or even humans could even come to understand this.”

According to research by Venafi and AIR Worldwide, inadequately protected machine identities could cost the global economy between $51bn and $72bn, with 14% to 25% of the cyber losses for the largest companies being machine identity related.

To illustrate the scale of the problem, Bocek references a research project called Get off My Cloud, which revealed that many organisations may have unknown backdoors:

“A few years back, there was some research called Get off my Cloud. And already back in 2013, one out of every four Amazon machines that was being downloaded for you to run essentially had a backdoor. It had an unknown SSH identity. Who knows who controls it? It was probably left by an engineer who forgot to clean it up. That gives you an idea of the size and scope.”

Commoditisation of malware

This type of attack was used in the now infamous Ukrainian power grid attack, with attackers inserting their own SSH key, but this method is trickling down to smaller-scale cybercriminals. Blachman explains that it was once only used by the most sophisticated, well-financed cyber attackers, but this is no longer the case:

“SSH was reserved for more advanced, persistent threats in the past. So nation states that are trying to do cyber espionage. But we’ve seen in 2019 that commodity malware added these kinds of capabilities.

“Malware writers were like, ‘We can do the same thing’. And we see really, really sophisticated crime-ware gangs that are operating this malware.”

Another example of the exploitation of SSH identities is the Trickbot malware. This was originally a banking Trojan that first appeared in 2016, but soon became an as-a-service tool that could be used by attackers for a variety of purposes.

Bocek explains that this demonstrates how cyber weapons can travel from one type of cyber-criminal to another, providing an insight into how these cyber networks operate:

“With the Trickbot campaign, they were selling on to the Lazarus group. You can’t say exactly how it’s operated but through a North Korean entity. That’s how we see that weapons, whether that is the kinetic type or the cyber type, go down that chain from the most sophisticated nation states down to the cybercriminals and then of course bad guys love to sell their goods back up the chain.”

Blachman believes that now this type of attack has been commoditised, it puts organisations at risk of a wider range of attacks:

“Once this feature is commoditised, it becomes a broader scale. If it’s a huge spam campaign or a huge crypto mining campaign that is trying to backdoor every machine that it’s targeting, then anything is possible. And then once an attacker identifies a valuable machine in one of those campaigns then these machines that were backdoored for the original purpose can be sold for more sophisticated attacks and monetised in a different kind of way.

“We’ve noticed at least a dozen campaigns that are massive in scale.”

Monitoring machine identities

Bocek believes that part of the reason machine identities are poorly secured is due to a lack of understanding within the cybersecurity community. Many organisations rely on outdated techniques to protect their machine identities, leaving them vulnerable:

“How does a machine have an identity? Actually, from a human perspective, it’s hard for humans to understand. The other human element is in security professional training. Most security professionals as they train, they learn about controls, like firewalls, username, password authentication. Learning about machine identities is not part of the core curriculum. And the professionals that do learn about them are the systems administrators, or the engineers that build infrastructure.”

Because attackers’ exploitation of SSH keys often goes unnoticed, Blachman believes that better protecting organisations from this type of attack starts with improving visibility:

“I think the most important thing is to get visibility and intelligence on what is happening within their organisation on all types of machine identities, in order to be more aware of machine identities and where they can be vulnerable, and mitigate any risk much faster if a threat was discovered.”
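The persistence technique Blachman describes (an attacker’s public key added to a host) and the visibility she recommends meet in the `authorized_keys` file. The following is an added example, not Venafi’s tooling or anything from the article: it parses `authorized_keys` entries, computes their OpenSSH-style SHA256 fingerprints, and reports every key that is absent from an inventory of known keys. The inventory, the `ed25519_blob` helper and the sample file are constructed for the example; a real audit would load the inventory from the organisation’s key records and walk every user’s `authorized_keys` on every host.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """One dict per key line: line number, options, key type, fingerprint, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted options like command="..." as one token
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            raise ValueError(f"line {lineno}: unparseable authorized_keys entry")
        entries.append({"line": lineno, "options": tokens[:idx], "type": tokens[idx],
                        "fingerprint": fingerprint(tokens[idx + 1]),
                        "comment": " ".join(tokens[idx + 2:])})
    return entries


def audit(entries, inventory):
    """Flag entries whose fingerprint is not in the inventory (fingerprint -> owner)."""
    findings = []
    for e in entries:
        if e["fingerprint"] not in inventory:
            findings.append((e["line"], "unknown key", e["comment"] or "(no comment)"))
    return findings


def ed25519_blob(pubkey):
    """Encode a raw 32-byte Ed25519 public key in SSH wire format (constructed test data)."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pubkey)).decode()


# Constructed sample: one inventoried deploy key and one key nobody recorded.
KNOWN_BLOB = ed25519_blob(bytes(range(32)))
UNKNOWN_BLOB = ed25519_blob(bytes(range(32, 64)))
SAMPLE = (f"# constructed authorized_keys\n"
          f"ssh-ed25519 {KNOWN_BLOB} deploy@ops-jump\n"
          f'command="/usr/bin/backup.sh",no-pty ssh-ed25519 {UNKNOWN_BLOB}\n')
INVENTORY = {fingerprint(KNOWN_BLOB): "ops deploy key"}
```

Running `audit(parse_authorized_keys(SAMPLE), INVENTORY)` reports line 3 of the sample as an unknown key; a key that is unknown, uncommented and accepted on a production host is exactly the kind of entry the interviewees say can sit undetected for years.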
