Hackers Exploit the Open-Source SSH-Snake Tool for Network Attacks

admin · 2024-02-23 19:05:09 · 12 views · 5461 characters · 18 min 12 s read

A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities.

"SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network," Sysdig researcher Miguel Hernández said.

"The worm automatically searches through known credential locations and shell history files to determine its next move."

SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a "powerful tool" to carry out automatic network traversal using SSH private keys discovered on systems.

In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports resolution of domains which have multiple IPv4 addresses.

"It's completely self-replicating and self-propagating – and completely fileless," according to the project's description. "In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can."
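
The two discovery sources named above, known credential locations and shell history, are easy to reproduce defensively. The script below is an added example written for this page, not SSH-Snake's own code: against a constructed temporary home directory it finds private keys, reads the OpenSSH key header to tell passphrase-protected keys from unprotected ones, and pulls next-hop candidates (user, host, identity file) out of bash history. That list of keys and hops is the raw material a worm turns into the network map the project description talks about. Every file, hostname and address is sample data, and the helper names and the option table are my own assumptions.

```python
# Added example for this page, not SSH-Snake's own code: the inventory an SSH
# worm landing as one user would collect on a host. Runs offline against a
# constructed temporary home directory; every name and address is sample data.
import base64
import re
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
# ssh/scp options that consume the next token (assumed subset, enough for history parsing)
VALUE_OPTS = {"-i", "-p", "-P", "-o", "-l", "-F", "-J", "-c", "-m", "-D", "-L", "-R", "-W", "-e"}

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # OpenSSH wire string: u32 length + bytes

def make_openssh_key_pem(cipher: str) -> str:
    """Constructed OpenSSH private-key header (magic, ciphername, kdfname) with no
    key material; it exists only so the classifier has realistic input."""
    body = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(b"bcrypt" if cipher != "none" else b"none")
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(body).decode()

def classify_private_key(text: str):
    """(is_private_key, passphrase_protected). The OpenSSH format stores the cipher
    name right after the magic; "none" means the key works without a passphrase."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        try:
            raw = base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))
        except ValueError:
            return True, None
        if not raw.startswith(OPENSSH_MAGIC):
            return True, None
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", raw[off:off + 4])
        return True, raw[off + 4:off + 4 + n] != b"none"
    if re.search(r"BEGIN (RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY", text):
        return True, "ENCRYPTED" in text  # legacy PEM Proc-Type header or PKCS#8 "ENCRYPTED PRIVATE KEY"
    return False, None

def parse_ssh_invocation(cmd: str):
    """(user, host, identity_file) for `ssh [-i key] [user@]host` or `scp ... [user@]host:path`."""
    toks = cmd.strip().split()
    if not toks or toks[0] not in ("ssh", "scp"):
        return None
    user = host = key = None
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in VALUE_OPTS and i + 1 < len(toks):
            key = toks[i + 1] if t == "-i" else key
            i += 2
        elif t.startswith("-") or (toks[0] == "scp" and ":" not in t):
            i += 1  # flag without a value, or a local scp path operand
        else:
            spec = t.split(":", 1)[0]  # drop the scp remote path
            user, host = spec.split("@", 1) if "@" in spec else (None, spec)
            break
    return (user, host, key) if host else None

def audit_home(home: Path) -> dict:
    """Keys present (with passphrase status) and candidate next hops: what a
    worm running as this user would learn before its first hop."""
    keys, edges = {}, []
    ssh_dir = home / ".ssh"
    for p in (sorted(ssh_dir.iterdir()) if ssh_dir.is_dir() else []):
        if p.is_file():
            is_key, protected = classify_private_key(p.read_text(errors="ignore"))
            if is_key:
                keys[str(p)] = protected
    hist = home / ".bash_history"
    for line in (hist.read_text(errors="ignore").splitlines() if hist.is_file() else []):
        for cmd in re.split(r"\s*(?:&&|\|\||;|\|)\s*", line):  # split compound commands
            hit = parse_ssh_invocation(cmd)
            if hit:
                edges.append({"user": hit[0], "host": hit[1], "key": hit[2]})
    return {"keys": keys, "edges": edges}

def build_sample_home() -> Path:
    """Constructed fixture: two keys (one passphrase-protected) and a bash history."""
    home = Path(tempfile.mkdtemp(prefix="ssh-audit-"))
    (home / ".ssh").mkdir()
    (home / ".ssh/id_ed25519").write_text(make_openssh_key_pem("none"))        # no passphrase
    (home / ".ssh/deploy_key").write_text(make_openssh_key_pem("aes256-ctr"))  # passphrase-protected
    (home / ".bash_history").write_text("ls -la\nssh admin@10.0.0.7\n"
                                        "cd /srv && ssh -p 2222 -i ~/.ssh/id_ed25519 root@build01\n"
                                        "scp -r ./dist ops@10.0.0.9:/var/www/\n#1708588800\nssh db1\n")
    return home

if __name__ == "__main__":
    report = audit_home(build_sample_home())
    for path, protected in report["keys"].items():
        print(("protected  " if protected else "UNPROTECTED") + " " + path)
    for e in report["edges"]:
        print(f"next hop {e['user'] or '?'}@{e['host']} via {e['key'] or 'default keys/agent'}")
```

Run it against a real home directory (or every home directory under /home and /root) and the output is the first layer of the map a worm would build from that host. An unprotected key next to a history line that used it is exactly the edge that lets one compromise become the next one; a passphrase-protected key or a hop that needs an agent that is not forwarded is a dead end. The `#1708588800` line is a bash timestamp comment and is ignored; ~/.ssh/config aliases, known_hosts, and the history files of other users are further sources a fuller audit would add.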

Sysdig said the shell script not only facilitates lateral movement but also offers more stealth and flexibility than typical SSH worms.

The cloud security company said it observed threat actors deploying SSH-Snake in real-world attacks to harvest credentials, target IP addresses, and bash command history; the activity came to light after it discovered a command-and-control (C2) server hosting the harvested data.

"The usage of SSH keys is a recommended practice that SSH-Snake tries to take advantage of in order to spread," Hernández said. "It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold."
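
Hernández's point that the worm "reaches farther" once it has a foothold translates into two things to look for in centrally collected sshd logs: one source address accepting logins on many distinct hosts within minutes, and a host that was just logged into immediately logging into another host. The detector below is an added example written for this page; it is not Sysdig's detection content and not part of SSH-Snake. The log lines, hostnames, addresses and the host-to-IP inventory are constructed, and the syslog timestamps are assumed to fall in 2024 because syslog omits the year.

```python
# Added example for this page (not Sysdig's detection content and not part of
# SSH-Snake): two worm signatures over centralized sshd "Accepted" log lines.
# All log lines, hosts, addresses and the host-to-IP inventory are constructed.
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts host user src method")
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")

# Constructed sample log, as a collector would see it from several hosts.
SAMPLE_LOG = """\
Feb 22 10:00:05 web01 sshd[2210]: Accepted publickey for deploy from 10.0.0.4 port 50122 ssh2: ED25519 SHA256:AAAA
Feb 22 10:00:41 web02 sshd[2211]: Accepted publickey for deploy from 10.0.0.4 port 50123 ssh2: ED25519 SHA256:AAAA
Feb 22 10:01:13 db01 sshd[3101]: Accepted publickey for root from 10.0.0.4 port 50124 ssh2: RSA SHA256:BBBB
Feb 22 10:02:30 build01 sshd[777]: Accepted publickey for root from 10.0.0.10 port 40001 ssh2: RSA SHA256:CCCC
Feb 22 10:05:00 web01 sshd[2212]: Failed password for invalid user bob from 10.0.0.4 port 1 ssh2
Feb 22 14:30:00 web01 sshd[2300]: Accepted password for alice from 192.168.1.50 port 55555 ssh2
"""
# Assumed host inventory (hostname -> address); in practice it comes from a CMDB or DNS.
INVENTORY = {"web01": "10.0.0.2", "web02": "10.0.0.3", "db01": "10.0.0.10", "build01": "10.0.0.11"}

def parse_events(text: str, year: int = 2024) -> list:
    """Parse 'Accepted <method>' lines; syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(Event(ts, m["host"], m["user"], m["src"], m["method"]))
    return sorted(events, key=lambda e: e.ts)

def detect_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """One source reaching >= min_hosts distinct hosts within `window`: the
    breadth a worm produces while an admin usually touches one box at a time."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):           # evs are already time-ordered
            hosts = {x.host for x in evs[i:] if x.ts - first.ts <= window}
            if len(hosts) >= min_hosts:
                alerts.append((src, sorted(hosts), first.ts))
                break
    return alerts

def detect_hop_chains(events, inventory, window=timedelta(minutes=30)):
    """A host that was just logged into logging into another host: the
    'reach farther' pattern. Returns (origin_src, via_host, next_host)."""
    host_of = {ip: h for h, ip in inventory.items()}
    landed = defaultdict(list)                   # host -> logins that landed on it
    for e in events:
        landed[e.host].append(e)
    chains = []
    for e in events:
        via = host_of.get(e.src)                 # was the source itself a target?
        for prior in landed.get(via, []):
            if prior.ts <= e.ts <= prior.ts + window:
                chains.append((prior.src, via, e.host))
    return chains

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, hosts, ts in detect_fanout(evs):
        print(f"fan-out: {src} reached {hosts} starting {ts:%H:%M:%S}")
    for origin, via, nxt in detect_hop_chains(evs, INVENTORY):
        print(f"hop chain: {origin} -> {via} -> {nxt}")
```

On the sample data the fan-out rule fires for 10.0.0.4 (three hosts in just over a minute) and the chain rule reports 10.0.0.4 -> db01 -> build01, the second hop being made with a key found on db01. In production the thresholds are tuning knobs: bastions, CI runners and configuration-management hosts legitimately fan out and need an allow list, and the chain rule only works when the inventory maps the logging host's address back to its name. Agent forwarding hides nothing from this logic because the chain is built from where the connection came from, not which key it used.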

When reached for comment, Joshua Rogers, the developer of SSH-Snake, told The Hacker News that the tool offers legitimate system owners a way to identify weaknesses in their infrastructure before attackers do, urging companies to use SSH-Snake to "discover the attack paths that exist – and fix them."

"It seems to be commonly believed that cyber terrorism 'just happens' all of a sudden to systems, which solely requires a reactive approach to security," Rogers said. "Instead, in my experience, systems should be designed and maintained with comprehensive security measures."

"If a cyber terrorist is able to run SSH-Snake on your infrastructure and access thousands of servers, focus should be put on the people that are in charge of the infrastructure, with a goal of revitalizing the infrastructure such that the compromise of a single host can't be replicated across thousands of others."

Rogers also called attention to the "negligent operations" by companies that design and implement insecure infrastructure, which can be easily taken over by a simple shell script.

"If systems were designed and maintained in a sane manner and system owners/companies actually cared about security, the fallout from such a script being executed would be minimized – as well as if the actions taken by SSH-Snake were manually performed by an attacker," Rogers added.

"Instead of reading privacy policies and performing data entry, security teams of companies worried about this type of script taking over their entire infrastructure should be performing total re-architecture of their systems by trained security specialists – not those that created the architecture in the first place."

The disclosure comes as Aqua uncovered a new botnet campaign named Lucifer that exploits misconfigurations and existing flaws in Apache Hadoop and Apache Druid to corral the compromised servers into a botnet for mining cryptocurrency and staging distributed denial-of-service (DDoS) attacks.

The hybrid cryptojacking malware was first documented by Palo Alto Networks Unit 42 in June 2020, calling attention to its ability to exploit known security flaws to compromise Windows endpoints.

As many as 3,000 distinct attacks aimed at the Apache big data stack have been detected over the past month, the cloud security firm said. These include attacks that single out vulnerable Apache Flink instances to deploy miners and rootkits.

"The attacker implements the attack by exploiting existing misconfigurations and vulnerabilities in those services," security researcher Nitzan Yaakov said.

"Apache open-source solutions are widely used by many users and contributors. Attackers may view this extensive use as an opportunity to have inexhaustible resources for implementing their attacks on them."

Originally published on the WeChat public account 知机安全 as "黑客利用开源SSH-Snake工具进行网络攻击" (Hackers Exploit the Open-Source SSH-Snake Tool for Network Attacks).

Posted by admin on 2024-02-23 19:05:09. Please keep this link when reposting (CN-SEC中文网; thanks to the original author): http://cn-sec.com/archives/2518962.html