February 21, 2024 at 03:32PM
SSH-Snake, an open-source tool for automated SSH-based network traversal, is being used by a threat actor to quietly hunt for private keys and move laterally through victim infrastructure. Sysdig's Threat Research Team discovered the malicious use and describe the tool as a self-modifying worm that sidesteps the usual detection patterns, which makes it more efficient and more successful at credential discovery than the SSH worms seen before it.
Key takeaways:
1. SSH-Snake is itself the open-source network mapping tool; the threat actor did not write it but repurposed it. Once deployed it behaves as a self-modifying worm (it rewrites its own script before propagating), searching each host it lands on for private keys and using them to move laterally across the victim's infrastructure.
2. After mapping the SSH relationships visible from a host, it spreads to every new system it can reach, and it does so quietly. Because the tool is freely available as an open-source asset for automated SSH-based traversal, any actor can pick it up.
3. Compared with typical SSH worms, its key search is more thorough and the tool is more flexible and configurable. That combination gives it greater stealth and far more comprehensive credential discovery, so its lateral movement succeeds more often.
4. It discovers private keys and onward targets from several sources on the compromised host: directory and file searches, shell history files, system logs, and network caches such as known_hosts.
5. It has been used offensively against roughly 100 victims. Its target is SSH itself, the remote-administration protocol used almost universally in corporate environments, so a foothold on one host can turn into access to many.
6. Sysdig's Threat Research Team discovered the campaign and confirmed it is active: the operators exploit known vulnerabilities for initial access and then deploy the worm on the compromised endpoints.
These takeaways highlight how stealthy and capable SSH-Snake is as a malware tool and how much damage it can do in a corporate environment. The practical point for defenders is that the worm needs nothing beyond what is already on the host: unencrypted private keys, readable known_hosts entries, and ssh commands left in shell history. Passphrase-protecting keys, hashing known_hosts, and pruning history shrink what it can reach.
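As an added example (not SSH-Snake's own code and not from Sysdig's report), the script below replays the discovery sources from item 4 defensively against a constructed home directory, so a defender can see what an attacker who lands on a host could harvest. Every path, hostname, and key body in the fixture is invented, and the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not SSH-Snake's code: replay the worm's credential-discovery
# sources (files, shell history, known_hosts, ssh config) against a constructed
# home directory. All fixture data below is invented.
set -u

# Build a constructed home directory containing the artefacts the worm mines.
make_fixture() {
  root="$1"
  mkdir -p "$root/.ssh" "$root/backup" "$root/.cache"
  # Two private keys: one with a conventional name, one renamed and stashed.
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'QUFBQQ==' \
    '-----END OPENSSH PRIVATE KEY-----' > "$root/.ssh/id_ed25519"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUFBQQ==' \
    '-----END RSA PRIVATE KEY-----' > "$root/backup/deploy.txt"
  printf 'ssh-ed25519 AAAAC3 someone@host\n' > "$root/.ssh/id_ed25519.pub"  # public key, not a finding
  printf 'not a key\n' > "$root/.cache/notes"
  cat > "$root/.bash_history" <<'EOF'
ls -la
ssh deploy@10.0.0.5
ssh -i ~/backup/deploy.txt -p 2222 root@build.internal
scp file.tgz ops@10.0.0.7:/tmp/
EOF
  # Plain, hashed (|1|...), bracketed-port, comma-separated and marker entries.
  cat > "$root/.ssh/known_hosts" <<'EOF'
10.0.0.5 ssh-ed25519 AAAAC3
|1|abcdef=|ghijkl= ssh-rsa AAAAB3
[build.internal]:2222,10.0.0.6 ssh-rsa AAAAB3
@cert-authority *.corp.example ssh-ed25519 AAAAC3
EOF
  cat > "$root/.ssh/config" <<'EOF'
Host bastion
    HostName bastion.corp.example
    User ops
    IdentityFile ~/backup/deploy.txt
EOF
}

count() { wc -l | tr -d ' '; }

# 1. Private keys by content, not by filename: a renamed key still carries its
#    PEM header, which is why hunting only for id_* files is not enough.
find_private_keys() {
  grep -rlE -- '^-----BEGIN (OPENSSH |RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----' "$1" 2>/dev/null | sort
}

# 2. Shell history: every user@host handed to ssh/scp, and every -i key path.
hosts_from_history() {
  cat "$1"/.bash_history "$1"/.zsh_history 2>/dev/null \
    | grep -oE '(^|[[:space:]])(ssh|scp)[[:space:]][^|;&]*' \
    | grep -oE '[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+' | sort -u
}
identities_from_history() {
  cat "$1"/.bash_history "$1"/.zsh_history 2>/dev/null \
    | grep -oE -- '-i[[:space:]]+[^[:space:]]+' | awk '{ print $2 }' | sort -u
}

# 3. known_hosts: plain entries reveal where this account has connected.
#    Hashed entries (|1|...) do not, which is what HashKnownHosts buys you.
hosts_from_known_hosts() {
  awk 'index($1, "|1|") != 1 && $1 !~ /^[@#]/ {
         n = split($1, parts, ",")
         for (i = 1; i <= n; i++) {
           h = parts[i]; sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h); print h
         }
       }' "$1/.ssh/known_hosts" 2>/dev/null | sort -u
}

# 4. ssh config: HostName and IdentityFile directives point at further targets
#    and at keys that often live outside ~/.ssh.
hosts_from_ssh_config() {
  awk 'tolower($1) == "hostname" { print $2 }' "$1/.ssh/config" 2>/dev/null | sort -u
}
identities_from_ssh_config() {
  awk 'tolower($1) == "identityfile" { print $2 }' "$1/.ssh/config" 2>/dev/null | sort -u
}

# Print the combined exposure for one home directory.
audit_home() {
  home="$1"
  echo "== private keys found by content"; find_private_keys "$home"
  echo "== identity files referenced"
  { identities_from_history "$home"; identities_from_ssh_config "$home"; } | sort -u
  echo "== hosts reachable with those credentials"
  { hosts_from_history "$home" | sed 's/.*@//'; hosts_from_known_hosts "$home"
    hosts_from_ssh_config "$home"; } | sort -u
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_fixture "$d"; audit_home "$d"; rm -rf "$d"
fi
```

Run it with `--demo` to see the fixture audited; point `audit_home` at a real home directory (or loop it over /home/*) to get the same view an attacker would. The key lesson is in the fixture: the renamed key in backup/ is invisible to a filename search but not to a content search, and the hashed known_hosts line is the only one that hides its host.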