Published on March 23rd, 2017 | by Akshay Nayak
Blacklisted Shell Games
It’s always amazing to see what we uncover during an SS8 BreachDetect risk assessment. BreachDetect was recently deployed in the customer’s environment to analyze network traffic, detect previously unknown threats and pinpoint any compromised devices-of-interest.
What Did SS8 BreachDetect Uncover?
One of the key discoveries uncovered was: SSH Sessions from blacklisted threat actors
SS8 BreachDetect identified attempts to gain access to a system inside the network over the Secure Shell (SSH) protocol. SSH typically is used for logging into remote machines and executing commands.
By analyzing incoming sessions, our system identified applications of interest and the actors involved. Further investigation of the actor’s history and reputation concluded that the intent was most likely malicious.
Allowing incoming sessions poses a major security risk and places additional stress on system security. In this instance, the server was resetting the connection due to the threat actor exhausting the number of password guesses allowed at a time.
Evaluating the Threat
It is quite common for SSH to be poorly configured on most devices by using a weak username/password pair, or in some cases no authentication at all. If an attacker can guess or brute-force the password using a giant list, then they can gain access to the machine.
In some cases, an attacker can get root access immediately, but in other cases, they may have to escalate privileges. Once root access is obtained, the infected machine can be used as a pivot to gain access to other machines on the network.
Another way the infected machine can be used is as a zombie or part of a giant botnet controlled by an attacker, which in turn, can be used to perform DDoS (Distributed Denial of Service) attacks. This method was employed by a hacking group known as SSHPsychos who aggressively brute-forced thousands of IPs on the internet using a large password list and installed a DDoS rootkit inside the compromised machines.
This was a quick snapshot of the SS8 analysis, which highlighted some key discoveries, and the visibility that exists in a live environment.
Curious about your network vulnerability? Sign up today to get your own free Risk Assessment.
Akshay Nayak is a Threat Researcher at SS8. In addition to threat hunting, he likes listening to Bollywood music and playing FIFA. A big Game of Thrones fan, he is one of those people who likes the books better than the TV series.