February 22, 2024 at 10:51AM
The open-source pentesting tool SSH-Snake has been used to steal SSH credentials from approximately 100 organizations, leading to worm-like attacks on networks. Developed by Joshua Rogers, the tool maps network dependencies and enables hackers to compromise systems. Although it was released as a pentesting tool, its fileless, self-replicating design makes its malicious use difficult to detect.
The meeting notes provide a detailed account of the recent release of an open source pentesting tool known as SSH-Snake, developed by Australian security researcher Joshua Rogers. The tool has been used by threat actors to harvest SSH credentials from approximately 100 organizations and has worm-like capabilities, allowing it to spread across networks. Additionally, SSH-Snake can avoid detectable patterns associated with scripted attacks, making it difficult to identify through traditional means.
The tool is designed to automatically traverse networks using SSH keys harvested from local systems, and it aims to create a map of a network and its dependencies, as well as the relationships between systems connected via SSH. SSH-Snake also allows for the identification of private keys and their potential usage, providing administrators with a better understanding of their network. Furthermore, the tool can self-replicate and spread from one system to another, making it a significant concern for network security.
Threat actors' use of SSH-Snake is part of an ongoing operation in which approximately 100 victims have had their credentials, IP addresses, and bash history harvested. The tool has been observed in combination with other techniques, such as exploiting Confluence vulnerabilities for initial network access.
Finally, the meeting notes highlight that while SSH-Snake exhibits increased stealth compared to other SSH malware, its activity can be identified using a runtime threat detection tool. Additionally, it is noted that SSH-Snake represents an evolutionary step in the malware commonly deployed by threat actors, enabling them to reach farther into a network once they gain a foothold.
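As an added illustration of the detection angle above (this is not code from the article or from the SSH-Snake project): a Python check over constructed, centrally collected sshd log lines that flags a source address logging into many hosts by key within a short window and notes whether that source was itself just logged into, the hop-by-hop pattern a self-replicating SSH worm leaves behind. The hostnames, addresses and the address-to-host map are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's "Accepted publickey" syslog format, as
# collected centrally (the hostname field is the host that accepted the login).
# Not data from the incident; the address-to-host mapping below is also assumed.
SAMPLE_LOG = """\
Feb 22 10:51:00 web01 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 41230 ssh2: ED25519 SHA256:k1
Feb 22 10:51:02 db01 sshd[2102]: Accepted publickey for deploy from 10.0.0.5 port 41231 ssh2: ED25519 SHA256:k1
Feb 22 10:51:03 cache01 sshd[2103]: Accepted publickey for root from 10.0.0.5 port 41232 ssh2: RSA SHA256:k2
Feb 22 10:51:09 app02 sshd[2104]: Accepted publickey for deploy from 10.0.0.11 port 50001 ssh2: ED25519 SHA256:k1
Feb 22 10:51:10 app03 sshd[2105]: Accepted publickey for deploy from 10.0.0.11 port 50002 ssh2: ED25519 SHA256:k1
Feb 22 10:51:11 app04 sshd[2106]: Accepted publickey for deploy from 10.0.0.11 port 50003 ssh2: ED25519 SHA256:k1
Feb 22 14:05:00 web01 sshd[3001]: Accepted publickey for alice from 10.0.9.9 port 51000 ssh2: ED25519 SHA256:k7
"""
HOST_OF_IP = {"10.0.0.5": "bastion01", "10.0.0.11": "web01", "10.0.9.9": "laptop01"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")

def parse(log_text, year=2024):
    """Return (time, dest_host, user, src_ip) tuples for accepted key logins, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((t, m["host"], m["user"], m["src"]))
    return sorted(events)

def detect_fanout(log_text, host_of_ip, window_s=60, min_hosts=3):
    """Flag sources that reach >= min_hosts distinct hosts by key within window_s seconds.
    'chained' marks a source that was itself logged into shortly before it fanned out,
    the hop-by-hop pattern of a self-replicating SSH worm."""
    events = parse(log_text)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        for i, (t, _, _, _) in enumerate(evs):
            recent = [e for e in evs[:i + 1] if (t - e[0]).total_seconds() <= window_s]
            hosts = {e[1] for e in recent}
            if len(hosts) >= min_hosts:
                chained = any(e[1] == host_of_ip.get(src)
                              and 0 <= (t - e[0]).total_seconds() <= window_s for e in events)
                alerts[src] = {"hosts": sorted(hosts), "users": sorted({e[2] for e in recent}),
                               "chained": chained}
                break  # one alert per source
    return alerts
```

On the sample, the bastion's three logins trip the threshold, and web01 (reached by the bastion seconds earlier) then fans out itself and is reported as a chained hop; the single interactive login from the laptop is not flagged.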