A recently open source network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities.
“SSH-Snake is a self-modifying worm that exploits SSH credentials discovered on a compromised system to begin spreading throughout the network,” said Sysdig researcher Miguel Hernández.
“The worm automatically searches known credential locations and shell history files to determine its next move.”
SSH-Snake was first released on GitHub in early January 2024 and is described by its developer as a “powerful tool” for performing automatic network traversal using SSH private keys discovered on systems.
In doing so, it creates a comprehensive map of a network and its dependencies, helping to determine the extent to which a network can be compromised using SSH and SSH private keys from a particular host. It also supports resolving domains that have multiple IPv4 addresses.
“It is completely self-replicating and self-propagating – and completely file-free,” according to the project description. “In many respects, SSH-Snake is actually a worm: it replicates and spreads from one system to another as far as possible.”
Sysdig said the shell script not only facilitates lateral movement, but also provides additional stealth and flexibility compared to other typical SSH worms.
The cloud security firm said it observed threat actors deploying SSH-Snake in real-world attacks to harvest credentials, target IP addresses, and bash command history following the discovery of a command-and-control server (C2 ) which hosted the data.
“Using SSH keys is a best practice that SSH-Snake tries to exploit to spread,” Hernández said. “It is smarter and more reliable and will allow threat actors to reach deeper into the network once they gain a foothold.”
When reached for comment, Joshua Rogers, the developer of SSH-Snake, told The Hacker News that the tool offers legitimate system owners a way to identify weaknesses in their infrastructure before attackers do, urging companies to use SSH-Snake to “discover attack paths that exist – and remediate them.”
“It seems to be commonly believed that cyberterrorism suddenly ‘happens’ to systems, which only requires a reactive approach to security,” Rogers said. “Instead, in my experience, systems should be designed and maintained with comprehensive security measures.”
“If a cyberterrorist is able to run SSH-Snake on your infrastructure and access thousands of servers, the focus should be on the people who are responsible for the infrastructure, with the aim of revitalizing the infrastructure in such a way that the compromise of a single host cannot be replicated on thousands of others.”
Rogers also called attention to “careless operations” by companies that design and implement insecure infrastructure, which can easily be detected by a simple shell script.
“If systems were designed and maintained sensibly and system owners/companies actually cared about security, the consequences of running such a script would be minimized, just as if the actions taken by SSH-Snake were performed manually by an attacker,” Rogers added.
“Instead of reading privacy policies and performing data entry, enterprise security teams concerned about this type of script taking over their entire infrastructure should perform a total rearchitecture of their systems by trained security specialists , not the ones who created the architecture in the beginning. place.”
The disclosure comes as Aqua discovered a new botnet campaign called Lucifer which exploits existing misconfigurations and flaws in Apache Hadoop and Apache Druid to group them into a network to mine cryptocurrency and mount distributed denial-of-service (DDoS) attacks.
The hybrid cryptojacking malware was first documented by Palo Alto Networks Unit 42 in June 2020, drawing attention to its ability to exploit known security flaws to compromise Windows endpoints.
About 3,000 separate attacks targeting the Apache big data stack have been detected in the past month, the cloud security firm said. This also includes those that locate sensitive Apache Flink instances to deploy miners and rootkits.
“The attacker implements the attack by exploiting existing misconfigurations and vulnerabilities in such services,” said security researcher Nitzan Yaakov.
“Apache open source solutions are widely used by many users and contributors. Attackers may see this widespread usage as an opportunity to have inexhaustible resources to implement their attacks against them.”