
SSH-Snake Worm

SSH-Snake, an open-source network mapping tool, has been repurposed by threat actors for their attack operations. It functions as a self-modifying worm: it uses SSH private keys found on a compromised system to log in to further hosts and propagate across the targeted network. On each host it lands on, the worm automatically searches known credential locations and shell history files to decide where to go next.

The SSH-Snake Worm Spreads Across Victims’ Networks

Released on GitHub in early January 2024, SSH-Snake is described by its developer as a powerful tool for automated network traversal using the SSH private keys it discovers on each system it reaches.

The tool produces a detailed map of a network and its dependencies, showing how far a compromise could spread via SSH and the private keys present on a given host. It can also resolve domain names that map to multiple IPv4 addresses.

Because it is completely self-replicating and fileless, SSH-Snake behaves like a worm, reproducing itself and spreading across systems on its own. This shell script not only automates lateral movement but also offers greater stealth and flexibility than conventional SSH worms.

The SSH-Snake Tool Has Been Abused in Cybercrime Operations

Researchers have observed threat actors using SSH-Snake in real attacks to harvest credentials, target IP addresses, and bash command history; the activity came to light after a Command-and-Control (C2) server hosting the stolen data was identified. In those attacks, initial access was obtained by exploiting known security vulnerabilities in Apache ActiveMQ and Atlassian Confluence instances, after which SSH-Snake was deployed.

SSH-Snake turns the recommended practice of key-based SSH authentication to its own advantage: every readable private key on a compromised host becomes a credential for the next hop. This is a smarter and more reliable way to spread, and it lets threat actors extend their reach across a network once they have a foothold.

The developer of SSH-Snake stresses that the tool also gives legitimate system owners a way to find weaknesses in their infrastructure before attackers do. Organizations are encouraged to run SSH-Snake themselves to uncover existing attack paths and close them off.
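The propagation logic described above (keys found on one host, targets taken from known_hosts and shell history, a hop only where the target trusts that key) and the defensive attack-path mapping the developer recommends are the same graph search from two viewpoints. The following script is an added illustration written for this page; it is not SSH-Snake's own code and is much simpler than the real tool. The inventory, host names, key ids and file contents are all constructed, the known_hosts and history parsers are deliberately simplified, and DNS, ports and ssh-agent are not modelled.

```python
from collections import deque

# Constructed toy inventory (not a real network).  For each host: the private
# keys it holds (made-up key ids), the raw known_hosts and shell-history lines a
# worm would read, and the key ids its authorized_keys file trusts.
INVENTORY = {
    "bastion": {
        "private_keys": {"key-bastion"},
        "known_hosts": ["app1,10.0.0.11 ssh-ed25519 AAAAC3", "app2 ssh-ed25519 AAAAC3"],
        "history": ["ssh deploy@app1", "scp build.tgz deploy@app2:/srv/"],
        "authorized_keys": set(),
    },
    "app1": {
        "private_keys": {"key-app1"},
        "known_hosts": ["db1 ssh-rsa AAAAB3"],
        "history": ["ssh root@db1 'systemctl status postgresql'"],
        "authorized_keys": {"key-bastion"},
    },
    "app2": {
        "private_keys": set(),
        "known_hosts": [],
        "history": [],
        "authorized_keys": {"key-bastion"},
    },
    "db1": {
        "private_keys": {"key-db1"},
        "known_hosts": ["backup ssh-ed25519 AAAAC3"],
        "history": ["rsync -e ssh /var/lib/pg backup:/backups/"],
        "authorized_keys": {"key-app1"},
    },
    "backup": {
        "private_keys": set(),
        "known_hosts": ["|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3"],
        "history": [],
        "authorized_keys": {"key-bastion"},  # trusts bastion's key, not db1's
    },
}


def parse_known_hosts(lines):
    """Hostnames readable from a known_hosts file.  Hashed entries
    (HashKnownHosts yes) are skipped because they do not reveal the name."""
    targets = set()
    for line in lines:
        fields = line.split()
        if not fields or line.startswith("#") or line.startswith("|1|"):
            continue
        hosts_field = fields[1] if fields[0].startswith("@") else fields[0]
        for name in hosts_field.split(","):
            targets.add(name.lstrip("[").split("]")[0])  # strip [host]:port form
    return targets


def parse_history(lines):
    """Hostnames named in ssh/scp/rsync commands in a shell history.
    Simplified tokenizer: user@host, host:path, and the argument after 'ssh'."""
    targets = set()
    for line in lines:
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if "://" in tok or tok.startswith(("-", "/", "'", '"')):
                continue
            if "@" in tok:
                targets.add(tok.split("@", 1)[1].split(":", 1)[0])
            elif ":" in tok:
                targets.add(tok.split(":", 1)[0])
            elif i > 0 and tokens[i - 1] == "ssh":
                targets.add(tok)
    return targets


def reachable(inventory, start):
    """Breadth-first traversal in worm order.  An edge h -> t exists when h names
    t in its known_hosts or history AND holds a private key that t's
    authorized_keys trusts; keys are only used from the host they were found on."""
    seen, queue, order, edges = {start}, deque([start]), [], []
    while queue:
        h = queue.popleft()
        order.append(h)
        data = inventory[h]
        candidates = parse_known_hosts(data["known_hosts"]) | parse_history(data["history"])
        for t in sorted(candidates):
            if t == h or t not in inventory:
                continue  # bare IPs and unknown names are not modelled here
            usable = data["private_keys"] & inventory[t]["authorized_keys"]
            if usable:
                edges.append((h, t, sorted(usable)[0]))
                if t not in seen:
                    seen.add(t)
                    queue.append(t)
    return order, edges


if __name__ == "__main__":
    order, edges = reachable(INVENTORY, "bastion")
    print("visited:", " -> ".join(order))
    for h, t, key in edges:
        print(f"{h} reaches {t} using {key}")
    print("unreached:", sorted(set(INVENTORY) - set(order)))
```

Run from the bastion, the traversal reaches app1, app2 and db1 but stops short of backup: db1 knows about backup, but backup only trusts the bastion's key, and the worm never carries that key forward. The same output, read by a defender, is the list of attack paths to cut, typically by removing unneeded authorized_keys entries or putting passphrases and agent-only access on the keys involved.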

Cybercriminals Often Take Advantage of Legitimate Software for Their Nefarious Purposes

Cybercriminals frequently abuse legitimate software tools in their attack operations, for several reasons:

  • Camouflage and Stealth: Legitimate tools have expected, benign uses on most networks, so their activity is less likely to draw attention from security monitoring. Attackers use this to blend in with normal network activity and avoid detection.
  • Avoiding Suspicion: Security controls are largely designed to identify and block known malicious software. By using widely deployed, trusted tools, attackers stay under the radar and reduce the likelihood of triggering alerts.
  • Built-in Functionality: Legitimate tools ship with rich functionality that can be turned to malicious ends. Attackers use these built-in capabilities to carry out various stages of an attack without deploying additional, potentially detectable, malware.
  • Living off the Land (LotL) Tactics: Attackers rely on tools and utilities already present on a system, such as PowerShell, Windows Management Instrumentation (WMI), or other native applications, so that no external malware has to be downloaded.
  • Evasion of Security Defenses: Because many security products rely on known malware signatures, using legitimate tools bypasses signature-based detection and makes the activity harder to recognize and block.
  • Abusing Remote Administration Tools: Remote administration tools, which are essential for legitimate system management, can be abused for unauthorized access, lateral movement, and data exfiltration.

To counter these threats, organizations need a multi-layered defense that includes continuous monitoring, behavior-based detection, user education, and timely patching of software and systems to remove the vulnerabilities cybercriminals exploit.
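Behavior-based detection is the control that matters most against a tool like SSH-Snake, because every login it makes is a valid key-based authentication that signature-based products will not flag. What does stand out is the shape of the activity: one source opening key-based sessions on many hosts in a short window, and each newly entered host immediately opening a session onward. The script below is an added example for this page, not code from the page's sources or from any security product; the sshd syslog lines, the host-to-address map, and the window and threshold values are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines as a central log collector would receive them
# from several hosts (not real logs).  The first five lines show the worm-like
# pattern: one source fans out to three hosts and each newly entered host
# immediately opens a key-based session onward.
SAMPLE_LOG = """\
Feb 20 10:00:01 app1 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:k1
Feb 20 10:00:03 app2 sshd[3301]: Accepted publickey for deploy from 10.0.0.5 port 50130 ssh2: ED25519 SHA256:k1
Feb 20 10:00:04 db1 sshd[4410]: Accepted publickey for root from 10.0.0.11 port 41001 ssh2: RSA SHA256:k2
Feb 20 10:00:06 backup sshd[5522]: Accepted publickey for root from 10.0.0.21 port 41002 ssh2: ED25519 SHA256:k3
Feb 20 10:00:07 app3 sshd[6611]: Accepted publickey for deploy from 10.0.0.5 port 50131 ssh2: ED25519 SHA256:k1
Feb 20 11:30:00 app1 sshd[7001]: Accepted publickey for alice from 10.0.0.99 port 60001 ssh2: ED25519 SHA256:k9
Feb 20 11:30:02 app1 sshd[7002]: Failed password for invalid user admin from 203.0.113.7 port 22 ssh2
"""

# Constructed host -> address map; in practice this comes from inventory or DNS.
HOST_IP = {"bastion": "10.0.0.5", "app1": "10.0.0.11", "app2": "10.0.0.12",
           "app3": "10.0.0.13", "db1": "10.0.0.21", "backup": "10.0.0.31"}

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2: \S+ (?P<fp>\S+)"
)


def parse_logins(text):
    """Successful key-based logins, oldest first.  Password failures and other
    sshd messages are ignored; they are not what a key-driven worm produces."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        events.append({"ts": ts, "dst": m["host"], "user": m["user"],
                       "src": m["src"], "fp": m["fp"]})
    events.sort(key=lambda e: e["ts"])
    return events


def fan_out(events, window=timedelta(seconds=60), threshold=3):
    """One source address opening key-based sessions on >= threshold distinct
    hosts inside the window.  Returns [(src, [hosts...])]."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            dsts = {x["dst"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(dsts) >= threshold:
                alerts.append((src, sorted(dsts)))
                break  # one alert per source is enough
    return alerts


def chained_hops(events, ip_of, window=timedelta(seconds=120)):
    """A host that has just accepted a key login itself becomes the source of
    another key login within the window.  Returns [(src, hop1, hop2)]."""
    hops = []
    for a in events:
        a_ip = ip_of.get(a["dst"])
        for b in events:
            if b["src"] == a_ip and timedelta(0) < b["ts"] - a["ts"] <= window:
                hops.append((a["src"], a["dst"], b["dst"]))
    return hops


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_LOG)
    for src, hosts in fan_out(logins):
        print(f"fan-out: {src} reached {hosts} within 60s")
    for src, first, second in chained_hops(logins, HOST_IP):
        print(f"chained hop: {src} -> {first} -> {second}")
```

On the sample data the fan-out rule fires for 10.0.0.5 (app1, app2, app3 in six seconds) and the chaining rule reconstructs the hop sequence bastion -> app1 -> db1 -> backup; the later interactive login from 10.0.0.99 and the failed password attempt produce nothing. A legitimate jump host will trigger the fan-out rule too, so in practice allow-list known bastions, raise the threshold per environment, and give extra weight to hops that use a key fingerprint never seen on that destination before.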
