Request demo
September 6, 2019

Malicious SSH client steals credentials masked as a DNS query

Alert Logic researchers have discovered a malicious Secure Shell (SSH) client that uses Domain Name System (DNS) queries to transport Secure Shell login credentials which are stolen when an unsuspecting user provides them on the compromised client computer when connecting to Secure Shell servers. For more details on this malware, please visit Alert Logic’s page. 

SSH.COM Tectia products are not affected

First things first: SSH.COM products Tectia® SSH Client/Server and Tectia® SSH Server for IBM z/OS are not affected. Nor are legitimate open source versions of the protocol. While this issue is not a vulnerability in the Secure Shell protocol itself, this kind of malware could be used to replace (or wrap) any SSH client if the client computer is compromised. And there are very good reason hackers are using these types of methods to get their hands on SSH login credentials. 

Why are SSH credentials so coveted by hackers?

There are many reasons why the SSH credentials are a jackpot for nefarious individuals.

  1. Since Secure Shell credentials often come with powerful, system-level privileges (root), they also grant access to highly sensitive information (credit card data, health data, personally identifiable customer data, etc).
  2. Alternatively, they open doors to critical IT environments, the network infrastructure and other mission-critical system components.
  3. SSH traffic is encrypted, since the protocol was designed to protect sessions from prying eyes. In the wrong hands, however, this traffic can go undetected by your existing security implementations, such as Network Operations Center (NOC), Security Operations Center (SOC) or standard Privileged Access Management (PAM) solutions.
  4. As if this wasn’t enough, depending on the power level of the Secure Shell credentials, bad actors can self-provision new access credentials that allow them to hop from server to server and to cover even more ground inside the network.

Since SSH credentials have the potential to grant access to valuable information that can be sold or otherwise exploited or can give the power to shut down the entire network of a company, they are particularly lucrative targets for attackers. In fact, one of the main goals of hackers might be to penetrate the security perimeter to get their hands on just one SSH key, which is a widely-used access credential in the Secure Shell protocol. Therefore, we expect to see more exploits in the future that aim to trick the user to reveal sensitive information as part of normal operation.chess-433071_1920

Taking control of the access to your environment

Antivirus vendors are now racing to flag files related to this attack as malicious, so the usual ‘keep your Antivirus up-to-date’ applies. We also recommend that you conduct a thorough investigation of your environment to determine whether or not you have been compromised. However, this is just one example of an exploit that utilizes DNS to exfiltrate sensitive data, so you might want to consider not only monitoring but also blocking outgoing DNS traffic to unknown DNS servers in your firewall. Naturally, this won’t help if the attacker has compromised also a legitimate domain from the list of top 1 million domains for his or her attack server, but the most blatant exploit attempts would be stopped.

This might also be a good time to rotate any passwords, or better yet get rid of the passwords or permanent access credentials altogether, and allow only strictly controlled access to your Secure Shell servers.

We also couldn't resist to take this opportunity to promote our solutions that help you to stay a step ahead of the game, depending on your setup and needs.

1) Client-to-server connections

To thwart exploit attempts like these, Tectia SSH products can be integrated with a challenge-response MFA (Multi Factor Authentication) or configured to use X.509 v3 certificates on the client computer. For added security and control, the certificate used can be on a smart card instead of a disk, to access the Tectia SSH Servers on a variety of Linux, Unix, mainframe, and Windows platforms. For more information, please see the SSH.COM Tectia product page.

2) Complex Secure Shell environments in large enterprises

A full-fledged public key infrastructure (PKI) defines the set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryptions. However, this is often feasible only in large enterprises that have control over all aspects of the environment and users. If your environment is large, it usually has various Secure Shell implementations already in place. Furthermore, since SSH connections between and to servers are made using SSH key pairs, the number of servers has increased year after year and this process has been going on for a long time - even decades, the result is that a big organization might have accumulated millions of keys! Sometimes, as many as 90% of these connections are untracked and you do not even know what credentials are used to access what and from where. Our Universal SSH Key Manager® and Risk Assessment would be the place to start to regain control. For more information, please see the SSH.COM UKM product page.

3) Small and growing enterprises with hybrid environments

What if you have no control over the policies on the client-side or even where the legitimate connections originate from? What if you have no means nor the time to educate your Secure Shell users but you still need to grant them shell access while ensuring the access credentials to your multi-cloud (AWS, Azure, GCP, OpenStack) and existing on-premises servers cannot be stolen from your privileged user?

The solution for this is SSH.COM PrivX, a Zero Trust Privileged Access Management solution, which ensures you control all aspects of the sessions - without anyone even handling SSH keys that traditionally are used to establish these sessions. Your users cannot be tricked to reveal secrets they do not know. For more information, please see the SSH.COM PrivX product page.

If you are unsure where to get started, don’t hesitate to contact us. We are the company behind the SSH protocol and are here to help you on your journey towards robust security posture.

PS. To get started on your journey towards reducing insider risk, gaining compliance and taking better control of your own business, you could also take a look at our From permanent credentials to ephemeral certificates white paper.


Miikka Sainio

Miikka guides the software architecture and development at SSH. He has over 20 years of experience in IT industry, building teams and developing products in startups and large enterprises.

Other posts you might be interested in