Ransomware and large-scale DDoS attacks tend to steal the limelight when it comes to cybersecurity. The problem is that, while companies are focused on securing their networks against the latest threat, they tend to overlook a serious underlying flaw that has the potential to cause far greater destruction: SSH keys.

SSH keys are access credentials for the SSH protocol, similar to passwords, prevalent in most Fortune 500 enterprise computing environments. SSH keys grant access to critical company infrastructure and proprietary data. Stealing SSH credentials is the way attackers turn a relatively small breach into one of the large multimillion-dollar catastrophes in the news that can cause a company’s stock to tank and to miss earnings projections.


When security teams concentrate on defeating the latest type of ransomware, malware or phishing attack, it amounts to tactics in search of a strategy. According to Sun Tzu in The Art of War, this is the noise before defeat:

Strategy without tactics is the slowest route to victory.
Tactics without strategy is the noise before defeat. – Sun Tzu

Several recent attacks share a common theme. With the goal of spreading the initial breach to critical system infrastructure, attackers are after user credentials, like SSH keys. This allows an attacker to access machines that would have otherwise been immune to the malware, ransomware or phishing attack. There are many examples of this breach strategy being deployed in the news recently.

Evidence of Tampering

WikiLeaks published documents in the summer of 2017 that ostensibly came from the CIA Vault 7 breach. These documents contain user manuals for tools capable of stealing credentials and metadata from active SSH sessions. These tools can extract SSH keys and their passwords from memory while the SSH session is active. A common defense against SSH key misuse is to password-protect your keys, but an attack like this renders that technique useless. The threat of phishing tools, built by anyone or any government, that can steal credentials such as SSH keys is real. The protocol itself is still safe, but credential theft through human error, phishing or hacking is a growing issue.

As of this writing, the world’s largest cyberattack is the WannaCry ransomware attack. This attack impacted hundreds of thousands of computers in as many as 150 different countries, and a range of business segments, including healthcare, retail, government and finance. It is also now coming to light that the ransom demand was a distraction for a much more sinister and invasive attack to steal employees’ credentials. This explains why the attack seemed so sloppy in achieving its perceived goal of collecting ransom; so far, only about $129,000 has been collected by WannaCry.

There are many other examples of this type of cybercrime, such as the devastating Sony Pictures attack, where credentials were stolen to spread the initial attack.

The Value of Stolen SSH Keys

Breaching a network and stealing credentials doesn’t require sophistication or deep pockets.

The Iranian cyber espionage group known as the CopyKittens has shown far less sophistication when compared to other top hacking groups. They don’t use the latest exploits and hacks such as 0-days, and their tools are considered inferior. Yet they have still managed to exfiltrate large volumes of data from government organizations, academic institutions and IT companies across the world. They have done this by using malware that steals credentials and then uses those credentials to steal more credentials to move across the compromised network.

There are several reasons why malicious actors have been using advanced malware for years to collect SSH keys. These keys:

  • Typically give root or administrator access, which allows installation of malware, compromising of software or even outright destruction.
  • Often grant access to credit card payment environments and financial data environments in public companies.
  • Open a long-term backdoor that can be used to spread the attack from one server to another, across nearly all servers in an enterprise, including disaster recovery data centers and backup data centers.

What’s at Stake

Enterprises are typically in possession of many more SSH keys than they have servers or user accounts. For example, in one typical financial institution, 3 million SSH keys were found granting access to 15,000 servers. That is an average of 200 keys per server. Most organizations have SSH keys granting access that is no longer necessary, not compliant, or redundant. No wonder SSH keys are an attractive target for both insider and external attackers.

As soon as one server is breached, the odds are high that the cybercriminal will find one or more private keys on that initial server. The attacker can then use these discovered private keys to log in to other servers—typically more than one—and again find private keys on those servers. Repeating this quickly spreads the breach and exposes more and more of the target network.

Victory Through Strategy AND Tactics

A holistic security strategy will focus on lessening the damage a sustained attack can cause after the initial breach by protecting the credentials used to spread the attack across your network. This strategy protects your network against both external and insider threats. It makes no sense to prioritize security against ever-changing threats, such as the latest hacking exploit or malware, while leaving what the attackers are really after, credentials like SSH keys, unguarded.

The first order of business in effectively tackling SSH key management issues in your environment is to understand who has access to your most critical infrastructure. It’s important to get control of which SSH key-based access may have root access in your environment and, more importantly, how deep the transitive trust of this access extends. The question to be answered here is, “If I breach one root key, how deeply can I penetrate into the environment?”

Another important point of key management is understanding which SSH key-based trusts are for interactive usage, and which are related to service accounts. Each key-based trust, regardless of its usage, should be assigned back to an individual owner in the environment to establish accountability.

A clear separation of duties is essential when SSH user key-based trusts are in use. This means having a clear understanding of what key-based connections may be running across development to production environments, and re-establishing clear IP source and command restriction accountability of all key-based access within the production environment.
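The three audit steps above (find root-level key trusts, measure how far transitive trust reaches, and check that production trusts carry source and command restrictions) can be scripted over a collected inventory of authorized_keys files. The following is an added example, not code from the article or from SSH Communications Security; the host names, account names and key strings are constructed placeholders, and it assumes the audit has already gathered each account's authorized_keys lines and the private keys found lying on each host.

```python
from collections import deque

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# Constructed audit inventory with placeholder key strings (not real keys):
# (host, account) -> authorized_keys lines collected from that account.
INVENTORY = {
    ("bastion", "ops"): ['ssh-ed25519 AAAAKEY1 ops laptop'],
    ("web1", "root"): ['ssh-ed25519 AAAAKEY2 deploy@bastion'],
    ("db1", "root"): ['ssh-ed25519 AAAAKEY4 admin'],
    ("backup", "svc"): ['from="10.0.0.7,10.0.0.8",command="/usr/bin/rsync --server" ssh-ed25519 AAAAKEY3 nightly'],
}
PRIVATE_KEYS_ON = {"bastion": {"AAAAKEY2"}, "web1": {"AAAAKEY3", "AAAAKEY4"}}  # constructed: private keys found per host

def parse_authorized_key(line):
    """Split an authorized_keys line into (options, key_type, key, comment); options may hold quoted commas/spaces."""
    line, options = line.strip(), ""
    if not line.startswith(KEY_TYPES):
        quoted = False
        for i, ch in enumerate(line):
            if ch == '"':
                quoted = not quoted
            elif ch.isspace() and not quoted:
                options, line = line[:i], line[i + 1:].lstrip()
                break
    parts = line.split(None, 2)
    return options, parts[0], parts[1], parts[2] if len(parts) > 2 else ""

def unrestricted_root_keys(inventory):
    """Root-account trusts missing a from= source restriction or a command= restriction."""
    findings = []
    for (host, user), lines in inventory.items():
        for line in lines:
            opts, _, key, _ = parse_authorized_key(line)
            missing = [o for o in ("from=", "command=") if o not in opts]
            if user == "root" and missing:
                findings.append((host, key, missing))
    return findings

def transitive_reach(start_host, inventory, private_keys_on):
    """Breadth-first walk: each private key found on a reached host unlocks every account that trusts it."""
    reached, queue = set(), deque([start_host])
    while queue:
        host = queue.popleft()
        for (h, user), lines in inventory.items():
            for line in lines:
                if parse_authorized_key(line)[2] in private_keys_on.get(host, ()):
                    if h not in {r[0] for r in reached}:
                        queue.append(h)  # new host: its private keys extend the walk
                    reached.add((h, user))
    return reached
```

Running `transitive_reach("bastion", ...)` answers the "if I breach one host, how deep can I go" question from the audit data, while `unrestricted_root_keys` lists root trusts that still lack `from=` and `command=` options.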

Refocus Your Security

Attackers are wily; they know that getting hold of unmanaged SSH keys is the golden ticket to their target networks. Because SSH keys are the network equivalent of passwords, criminals can establish a beachhead and expand quickly across your entire environment. This is more likely to happen if you focus on the tactics of defeating the latest malware instead of creating a strategy of consistent SSH key management. The choice is yours.


To explore the value of investing in security awareness training to reduce the risk of annualized phishing attacks, check out this comprehensive research report by Aberdeen’s Derek Brink.


John Walsh is director of product marketing for SSH Communications Security
