SoylentNews is people

posted by janrinok on Sunday February 25 2024, @11:03AM

Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks:

A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities.

"SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network," Sysdig researcher Miguel Hernández said. "The worm automatically searches through known credential locations and shell history files to determine its next move."

SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a "powerful tool" to carry out automatic network traversal using SSH private keys discovered on systems.

In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports resolution of domains which have multiple IPv4 addresses. "It's completely self-replicating and self-propagating – and completely fileless," according to the project's description. "In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can."

Sysdig said the shell script not only facilitates lateral movement, but also provides more stealth and flexibility than typical SSH worms.

The cloud security company said it observed threat actors deploying SSH-Snake in real-world attacks to harvest credentials, the IP addresses of the targets, and the bash command history following the discovery of a command-and-control (C2) server hosting the data.

"The usage of SSH keys is a recommended practice that SSH-Snake tries to take advantage of in order to spread," Hernández said. "It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold."

When reached for comment, Joshua Rogers, the developer of SSH-Snake, told The Hacker News that the tool offers legitimate system owners a way to identify weaknesses in their infrastructure before attackers do, urging companies to use SSH-Snake to "discover the attack paths that exist – and fix them." "It seems to be commonly believed that cyber terrorism 'just happens' all of a sudden to systems, which solely requires a reactive approach to security," Rogers said. "Instead, in my experience, systems should be designed and maintained with comprehensive security measures."

"If a cyber terrorist is able to run SSH-Snake on your infrastructure and access thousands of servers, focus should be put on the people that are in charge of the infrastructure, with a goal of revitalizing the infrastructure such that the compromise of a single host can't be replicated across thousands of others."

SSH-Snake: Automated SSH-Based Network Traversal:
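The discovery step described above (search the usual credential locations and the shell history on the current host, then pair every usable key with every destination that host already knows about), as an added shell example. This is not SSH-Snake's own code: the file paths, the sample contents and the placeholder key material are assumptions made for the example, and nothing in it opens a connection.

```bash
#!/usr/bin/env bash
# Added example (not SSH-Snake's own code): enumerate the artefacts an SSH
# worm reads on a compromised host, namely private keys under ~/.ssh,
# known_hosts, ssh_config and the shell history, and print the key/destination
# pairs it could try next. Paths and sample contents are assumptions.

# Build a fake home directory with constructed sample files (placeholder key
# material, not real keys).
make_sample_home() {
  local home="$1"
  mkdir -p "$home/.ssh"
  # passphrase-less PEM key
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUFBQUFBQUE=' \
    '-----END RSA PRIVATE KEY-----' > "$home/.ssh/id_rsa"
  # passphrase-protected PEM key (the Proc-Type header marks it as encrypted)
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' 'QUFBQUFBQUE=' \
    '-----END RSA PRIVATE KEY-----' > "$home/.ssh/deploy_key"
  printf '%s\n' 'ssh-rsa QUFB ops@build' > "$home/.ssh/id_rsa.pub"
  printf '%s\n' 'db01.internal ssh-ed25519 QUFB' \
    '|1|c2FsdA==|aGFzaA== ssh-rsa QUFB' \
    '10.0.0.5,bastion ssh-rsa QUFB' > "$home/.ssh/known_hosts"
  printf '%s\n' 'Host jump' '  HostName bastion.corp' '  User ops' \
    '  IdentityFile ~/.ssh/deploy_key' > "$home/.ssh/config"
  printf '%s\n' 'ls' 'ssh admin@10.0.0.5' \
    'scp file.tgz backup@db01.internal:/tmp' \
    'ssh -i ~/.ssh/deploy_key jump' > "$home/.bash_history"
}

# Print each private key under $1/.ssh and whether it needs a passphrase.
# Only the PEM "Proc-Type: 4,ENCRYPTED" marker is checked; keys in the newer
# OpenSSH container format are reported as "unknown" (decoding the base64
# payload to read its cipher name is left out of this example).
list_private_keys() {
  local f
  for f in "$1"/.ssh/*; do
    [ -f "$f" ] || continue
    grep -q 'PRIVATE KEY-----' "$f" || continue
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
      echo "$f unknown"
    elif grep -q 'Proc-Type: 4,ENCRYPTED' "$f"; then
      echo "$f encrypted"
    else
      echo "$f plaintext"
    fi
  done
}

# Candidate destinations ("host" or "user@host") from known_hosts (hashed
# "|1|" entries cannot be read back and are skipped), ssh_config Host/HostName
# lines (wildcard patterns skipped) and ssh/scp commands in the shell history.
list_destinations() {
  local home="$1"
  if [ -f "$home/.ssh/known_hosts" ]; then
    grep -v '^|' "$home/.ssh/known_hosts" | awk '{print $1}' | tr ',' '\n' || true
  fi
  if [ -f "$home/.ssh/config" ]; then
    awk 'tolower($1) ~ /^host(name)?$/ && $2 !~ /[*?]/ {print $2}' \
      "$home/.ssh/config" || true
  fi
  if [ -f "$home/.bash_history" ]; then
    grep -E '^(ssh|scp) ' "$home/.bash_history" \
      | grep -oE '[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+' || true
  fi
}

# The edges a worm would try from this host: every passphrase-less key paired
# with every destination. Keys held only by a running ssh-agent are not
# covered. A self-propagating script would then send its own body over each
# edge (e.g. `ssh -i KEY DEST 'bash -s' < "$0"`), so nothing lands on disk;
# that step is deliberately omitted here.
candidate_edges() {
  local home="$1" key dest
  list_private_keys "$home" | awk '$2=="plaintext"{print $1}' | while read -r key; do
    list_destinations "$home" | sort -u | while read -r dest; do
      printf '%s -> %s\n' "$key" "$dest"
    done
  done
}

# Demo: build the sample home and print what a worm would see there.
demo_home=$(mktemp -d)
make_sample_home "$demo_home"
echo "== private keys =="; list_private_keys "$demo_home"
echo "== candidate edges =="; candidate_edges "$demo_home"
rm -rf "$demo_home"
```

Run against a real home directory (`list_private_keys "$HOME"; candidate_edges "$HOME"`) it gives the owner the same view the worm gets: every `plaintext` key is one the tool can use without interaction, and the edge list is the reachability a single compromised shell buys. Passphrase-protected keys, hashed known_hosts (`HashKnownHosts yes`) and a cleared history each remove edges from that graph.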



 
  • (Score: 3, Interesting) by Anonymous Coward on Sunday February 25 2024, @01:27PM (14 children)

    by Anonymous Coward on Sunday February 25 2024, @01:27PM (#1346178)

    Sounds to me like the developer of this thing is full of shit. The code when run has a single purpose: actually propagate. That makes it malware.

    Sounds to me like someone is hiding behind an incredibly thin veneer of "security researcher" while in reality wanting to be a bad actor themselves. Maybe this was created as the response to a coding question posed to join a cybercrime ring?

    Aiding and abetting terrorists typically puts you on the same list as those you aided and abetted. This individual clearly is aiding, and abetting. The provided 'defence' lacks any indication of understanding and is a passive-aggressive form of "what are you going to do about it?"

    May that individual be forever on the receiving side of those whom they enabled.

    • (Score: 4, Insightful) by shrewdsheep on Sunday February 25 2024, @02:19PM (1 child)

      by shrewdsheep (5215) on Sunday February 25 2024, @02:19PM (#1346182)

      I might not want to be as harsh towards the author. I agree that this code seems indeed dangerous. Running it might flag you as being a bad actor on a/many network/s.

      Still, the techniques employed are interesting, especially the file-less propagation, something, I will happily put into my toolbox.

      • (Score: 4, Funny) by Ox0000 on Sunday February 25 2024, @05:00PM

        by Ox0000 (5111) on Sunday February 25 2024, @05:00PM (#1346192)

        The ILOVEYOU [wikipedia.org] worm also had some "interesting techniques"... The justification for the creation of the worm was (from the linked wiki) "De Guzman, who was poor and struggling to pay for Internet access at the time, created the computer worm intending to steal other users' passwords, which he could use to log in to their Internet accounts without needing to pay for the service. He justified his actions on his belief that Internet access is a human right and that he was not actually stealing.".

        That sounds eerily similar to the justification offered by the author of the malware, namely: "My own moral framework allows me to do it, therefore it is ok for me to do this and sod the consequences of my actions for others".

        At best it's irresponsible and the author needs a bit of a schooling in civility and what it means to be a responsible adult, or plain criminal at worst.

        A security researcher is expected to improve security, not to decrease security. They have chosen to do the latter by producing a weapon and handing it out on the corner of the street. I'm no fan of the whole "Responsible Disclosure" farce, but I would have preferred it if this individual would have first worked to patch the hole they found, instead of weaponizing it.

        I'll repeat my wish for them: may they suffer from the sword they wielded...

    • (Score: 5, Insightful) by crafoo on Sunday February 25 2024, @06:14PM (10 children)

      by crafoo (6639) on Sunday February 25 2024, @06:14PM (#1346208)

      You may be correct but maybe you should also be more careful about ascribing motivations and pretending you know what is in another person's head. It's just a poor way to live. In my experience people are far less malicious than our naturally paranoid minds tend to believe. It's worth giving people a chance.

      The tool seems actually useful for someone trying to secure their network. And it was released out in the open so people could use it to do that.

      • (Score: 0) by Anonymous Coward on Sunday February 25 2024, @06:32PM

        by Anonymous Coward on Sunday February 25 2024, @06:32PM (#1346214)

        You may be correct but maybe you should also be more careful about ascribing motivations and pretending you know what is in another person's head. It's just a poor way to live.

        I am not disagreeing with you. This is insightful...

      • (Score: 2) by quietus on Sunday February 25 2024, @07:45PM (8 children)

        by quietus (6328) on Sunday February 25 2024, @07:45PM (#1346225) Journal

        And it was released out in the open so people could use it to do that.

        Instead of releasing this out in the open, isn't it better to first notify SANS [sans.org] or NVD [nist.gov] (in the United States) or CERT [europa.eu] (EU) or ENISA [europa.eu], and release the code through them?

        • (Score: 1, Interesting) by Anonymous Coward on Sunday February 25 2024, @08:30PM

          by Anonymous Coward on Sunday February 25 2024, @08:30PM (#1346232)

          I haven't RTFA of course, but from the summary above it doesn't compromise the initial system, you still need a security hole for that. It doesn't make use of any exploits in traversal either.
          What it does is see how far that machine could "legitimately" get in your network once compromised.

        • (Score: 1) by khallow on Tuesday February 27 2024, @08:25PM (6 children)

          by khallow (3766) Subscriber Badge on Tuesday February 27 2024, @08:25PM (#1346536) Journal

          Instead of releasing this out in the open, isn't it better to first notify SANS [sans.org] or NVD [nist.gov] (in the United States) or CERT [europa.eu] (EU) or ENISA [europa.eu], and release the code through them?

          Why would it be better? It allows governments and criminal organizations a chance to suppress this information. By making it public immediately, there's no value to attacking you - the genie is out of the bottle.

          • (Score: 2) by quietus on Wednesday February 28 2024, @07:07PM (5 children)

            by quietus (6328) on Wednesday February 28 2024, @07:07PM (#1346691) Journal

            It would be better, for one, as it is the habit -- I assume -- of a security professional to check the SANS news letter for vulnerabilities; while it is not so much a habit to scan the whole of GitHub, GitLab and other places for open source programs exploiting security vulnerabilities. So many hours in a day, eh?

            • (Score: 1) by khallow on Thursday February 29 2024, @02:47AM (4 children)

              by khallow (3766) Subscriber Badge on Thursday February 29 2024, @02:47AM (#1346743) Journal

              It would be better, for one, as it is the habit -- I assume -- of a security professional to check the SANS news letter for vulnerabilities; while it is not so much a habit to scan the whole of GitHub, GitLab and other places for open source programs exploiting security vulnerabilities.

              Looks like SANS didn't have any trouble [sans.org] hearing about the project.

              SSH-Snake Network Traversal Tool is Being Abused

              Threat actors have been using a recently-released network mapping tool for malicious purposes. [...]

              • (Score: 2) by quietus on Thursday February 29 2024, @09:50AM (3 children)

                by quietus (6328) on Thursday February 29 2024, @09:50AM (#1346770) Journal

                On February 22, yes. The tool was released in early January.

                • (Score: 1) by khallow on Thursday February 29 2024, @01:01PM (2 children)

                  by khallow (3766) Subscriber Badge on Thursday February 29 2024, @01:01PM (#1346790) Journal

                  Still not seeing the supposed problem. SANS learned of it, checking your box. Let's consider an alternate scenario. Said programmer uses a SANS channel to communicate their result. A five eyes informant (or a Russian mob plant) learns of this and the programmer gets the treatment, including all their equipment and data seized. Maybe even seize the programmer too. Now, someone has exclusive access to this tool and the programmer may be in deep trouble too.

                  • (Score: 2) by quietus on Thursday February 29 2024, @03:19PM (1 child)

                    by quietus (6328) on Thursday February 29 2024, @03:19PM (#1346808) Journal

                    SANS learned of it, checking your box.

                    More than a month later. How long do you wait with patches to your operating system?

                    As to the rest of your reply, about five eyes informants and such: maybe you spend too much time on the Internet.

                    • (Score: 1) by khallow on Friday March 01 2024, @04:44AM

                      by khallow (3766) Subscriber Badge on Friday March 01 2024, @04:44AM (#1346906) Journal

                      More than a month later. How long do you wait with patches to your operating system?

                      Hopefully you had patched the system more than a month earlier, right?

    • (Score: 3, Insightful) by maxwell demon on Monday February 26 2024, @05:40AM

      by maxwell demon (1608) on Monday February 26 2024, @05:40AM (#1346278) Journal

      This tool doesn't take advantage of any vulnerabilities, it just uses all the routes you yourself put into your system. Its stated purpose is to map those routes.

      If you think hackers didn't already use those routes when hacking into your systems, you are delusional. They may not have used a tool for that (then again, they might have written their own tool), but they surely did it by hand.

      --
      The Tao of math: The numbers you can count are not the real numbers.