Ukrainian Blackout Malware at Large on Dark Web

Sophisticated backdoor malware techniques used by state-backed attackers to cripple Ukrainian power stations in 2015 are now being deployed more widely by the black hat community, Venafi has warned.

The malware in question targets SSH keys, which are designed to secure remote commands to and communications between machines. As such, they are central to securing cloud workloads, VPN connections, connected IoT devices and more.

Compromise of a single SSH key could give attackers undetected root access to mission-critical systems to spread malware or sabotage processes, the security vendor warned.

It is now seeing malware add attackers’ SSH keys to the list of authorized keys on victim machines, so that the victim machine trusts the attacker’s key. Other techniques include brute-forcing weak SSH authentication to gain access and move laterally across networks.

These techniques have been observed in use over the past year by crimeware botnet TrickBot, cryptomining campaign CryptoSink, Linux Worm and Skidmap, said Venafi. That’s a far cry from the relatively rare sight of a backdoored SSH server being used by the BlackEnergy gang in December 2015. That attack caused mass power outages in parts of Ukraine.

“SSH keys can be potent weapons in the wrong hands. But until recently, only the most sophisticated, well-financed hacking groups had this kind of capability. Now, we’re seeing a ‘trickle-down’ effect, where SSH capabilities are becoming commoditized,” warned Yana Blachman, threat intelligence specialist at Venafi.

“What makes this commoditization so worrying is that if an attacker is able to backdoor a potentially interesting target, they may monetize this access and sell it through dedicated channels to more sophisticated and sponsored attackers, such as nation state threats for the purpose of cyber-espionage or cyber-warfare.”

This has happened before, when the TrickBot gang were found to have been selling a “bot-as-a-service” to North Korean hackers, she claimed.

To combat such threats, organizations need clear visibility of, and protection for, all authorized SSH keys in the enterprise, to prevent them being hijacked and to block attempts by attackers to insert their own malicious SSH machine identities into systems.
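
As an added illustration of that visibility check (this is not code from Venafi or from the article), the Python example below parses authorized_keys content, computes fingerprints in the SHA256 form that `ssh-keygen -l` prints, and reports every entry missing from an approved inventory. The sample entries, key blobs and inventory are constructed, and the function names are assumptions made for this example.

```python
import base64, hashlib, shlex

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com"}

def fingerprint(b64_blob):
    """SHA256 fingerprint in the same form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (options, keytype, fingerprint, comment); None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # keeps quoted option values such as command="..." together
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            return " ".join(tokens[:i]), tok, fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
    raise ValueError("no recognised key type")

def audit(text, approved):
    """List (line number, reason, fingerprint, comment) for every entry not in the inventory."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
        except ValueError:  # bad quoting, bad base64 (binascii.Error) or no key type
            findings.append((lineno, "malformed", None, line.strip()))
            continue
        if entry and entry[2] not in approved:
            findings.append((lineno, "unapproved", entry[2], entry[3]))
    return findings

def _blob(label):  # constructed placeholder key blob, not a real public key
    return base64.b64encode(label.encode()).decode()

# Constructed sample file contents and inventory (assumptions, not data from the article).
SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    f"ssh-ed25519 {_blob('ops-deploy-key')} deploy@build",
    f'command="/usr/local/bin/backup",no-pty ssh-rsa {_blob("backup-key")} backup@nas',
    f"ssh-rsa {_blob('unknown-key')} x",
    "ssh-rsa not*base64 broken",
])
APPROVED = {fingerprint(_blob("ops-deploy-key")), fingerprint(_blob("backup-key"))}
```

Calling `audit(SAMPLE, APPROVED)` reports line 4 as an unapproved key and line 5 as malformed; lines that fail to parse are reported rather than skipped so they get a manual review.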
