
Attackers target Confluence flaws with SSH-Snake pentesting tool

An open-source penetration testing tool called SSH-Snake is being leveraged by threat actors to target victims using vulnerable business software.

SSH-Snake was designed by security engineer Joshua Rogers and published on GitHub on Jan. 4, 2024. Rogers explained in a post on his website that the tool is designed to automate the process of searching for and using SSH private keys to move from system to system, as well as visually map the SSH connections throughout a network.

"I created SSH-Snake because I thought it would be interesting to make and slightly challenging to build using bash," Rogers told SC Media in an email. "I also really wanted to create beautiful artworks and visual representations of hacked systems - which I succeeded in doing - because I consider myself an artist more than a hacker."

Threat actors were discovered using the network traversal tool for offensive operations by the Sysdig Threat Research Team, which published its findings in a blog post Tuesday.

The attackers exploited known vulnerabilities, including multiple Confluence flaws, for initial access into systems in order to deploy SSH-Snake. Confluence is a remote team collaboration and management software offering from Atlassian. The SSH-Snake tool was used to retrieve outputs of victim IP addresses, SSH credentials and bash histories, according to Sysdig. This intel could potentially be used for future cyberattacks.

Sysdig discovered a growing list of about 100 victims of the campaign after uncovering the threat actors’ command and control (C2) server. Sysdig Director of Threat Research Michael Clark and Sr. Threat Research Engineer Miguel Hernandez told SC Media in an email that the attackers currently appear to be focused on financial gain through the use of cryptominers.

“However, in the past we have seen attackers deploy cryptominers and also steal intellectual property or conduct other malicious activities,” Hernandez said. “With the deep access they can gain through the use of SSH-Snake, they could have many options depending on what they discover.”

Rogers said SSH-Snake "simply automates what a human can already do" and that the focus on its use by cybercriminals is "misdirected."

"Instead, the focus should be on organisations that refuse to take security seriously, and reward those that negligently build infrastructure which can be taken over with a simple shell script," Rogers told SC Media. "There's no secret sauce, tricks, or exploits utilised by SSH-Snake: it simply capitalises on security mis-architecture."

Fileless SSH-Snake an ‘evolutionary step’ in network traversal

The SSH-Snake bash script automates discovery of SSH private keys and hosts, and is unique in its ability to self-modify, essentially shrinking itself upon deployment.

All unnecessary functions, whitespace and comments are removed from the code after its initial execution, allowing it to remain completely fileless as it stealthily traverses the network, despite its initial large size of more than 1,250 lines.  

SSH-Snake uses several methods to search for SSH credentials and hosts in various locations, including bash history files, where ssh, scp and rsync calls can be parsed and their relevant contents (target hosts, usernames and key paths) extracted.

The tool also acts as a worm, self-replicating when it accesses a new destination to repeat the key searching process. The script can also be customized to enable and disable specific commands, and is designed to work on any device, Sysdig noted.

SSH-Snake’s automated traversal process provides a more useful map of connections between systems than previous manual processes, which Rogers says were similar to “jumping between servers with SSH keys like it was a Super Mario game.”

The automatic process is useful for penetration testers and system administrators to better understand their network infrastructure, but it can also be abused by adversaries, as Sysdig notes.

“SSH-Snake is an evolutionary step in the malware commonly deployed by threat actors. It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold,” the researchers wrote in their blog post.

Confluence, ActiveMQ vulnerabilities exploited to spread SSH-Snake

Several critical vulnerabilities in business software – with CVSS scores between 9.8 and 10 – are being targeted by threat actors for initial access to execute SSH-Snake. Most of these vulnerabilities are in Atlassian Confluence Servers and Data Centers, although the campaign is not necessarily exclusive to these targets.

“Our initial discovery of their activities occurred through a vulnerable ActiveMQ system, so they are not limiting themselves to a single type of vulnerable software,” Hernandez said.

Sysdig provided SC Media with this list of known vulnerabilities being exploited by attackers using SSH-Snake for post-exploitation network traversal:

All of these vulnerabilities are known to have been exploited in the past; for example, Confluence CVE-2022-26134 was targeted by Iranian state-sponsored threat group APT33 in a campaign discovered last September and ActiveMQ CVE-2023-46604 was exploited by ransomware gang HelloKitty shortly after its disclosure last October.

Sysdig’s blog post offers guidance for using the open-source Falco cloud native runtime security tool to help detect the use of SSH-Snake on an organization’s network. The post outlines the specific Falco rules available to detect the threat.
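The behaviour the article describes, a shell script reading bash history and private-key files and then fanning out over ssh to several hosts, is a usable detection signal on its own. The following is an added example, not code from the article, from Sysdig's blog post or from the SSH-Snake project, and it does not reproduce Sysdig's Falco rules. It runs a simple correlation over constructed process-event lines (the JSON field names, thresholds and file-path patterns are assumptions for this example): a non-ssh process that reads two or more key or history files and whose children then execute ssh to two or more distinct hosts within a short window is flagged. Reads performed by ssh itself are deliberately ignored, since ssh legitimately opens the key it uses.

```python
"""Toy SSH-Snake-style key-harvest and fan-out detector (example code).

Runs over constructed process events; not Sysdig's Falco rules."""
import json
import re
from collections import defaultdict

# Paths a key-harvesting script is likely to read (assumed patterns; the
# public-key files id_*.pub do not match because of the trailing anchor).
KEY_PATTERNS = [
    re.compile(r"/\.ssh/(id_[a-z0-9]+|.*\.pem)$"),
    re.compile(r"/\.bash_history$"),
]
# ssh destination: optional user@ followed by a hostname or IP.
SSH_DEST_RE = re.compile(r"^(?:[\w.-]+@)?([\w.-]+)$")
# ssh options that consume a following value and must be skipped.
SSH_OPTS_WITH_ARG = {"-i", "-p", "-l", "-o", "-F", "-J"}

# Constructed sample feed: one JSON event per line (ts in seconds).
# pid 4100 reads history plus two private keys and spawns ssh to three hosts;
# pid 5200 is an ordinary admin session and should not be flagged.
SAMPLE_EVENTS = """
{"ts": 100, "pid": 4100, "ppid": 1, "comm": "bash", "evt": "open", "path": "/home/app/.bash_history"}
{"ts": 101, "pid": 4100, "ppid": 1, "comm": "bash", "evt": "open", "path": "/home/app/.ssh/id_rsa"}
{"ts": 102, "pid": 4100, "ppid": 1, "comm": "bash", "evt": "open", "path": "/root/.ssh/id_ed25519"}
{"ts": 103, "pid": 4101, "ppid": 4100, "comm": "ssh", "evt": "execve", "argv": ["ssh", "-i", "/home/app/.ssh/id_rsa", "app@10.0.0.5"]}
{"ts": 104, "pid": 4102, "ppid": 4100, "comm": "ssh", "evt": "execve", "argv": ["ssh", "-i", "/root/.ssh/id_ed25519", "root@10.0.0.9"]}
{"ts": 105, "pid": 4103, "ppid": 4100, "comm": "ssh", "evt": "execve", "argv": ["ssh", "deploy@10.0.0.12"]}
{"ts": 200, "pid": 5200, "ppid": 1, "comm": "bash", "evt": "open", "path": "/home/dev/.ssh/id_rsa"}
{"ts": 201, "pid": 5201, "ppid": 5200, "comm": "ssh", "evt": "execve", "argv": ["ssh", "dev@build01"]}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ssh_target(argv):
    """Return the destination host of an ssh argv, or None if not an ssh call."""
    if not argv or argv[0] != "ssh":
        return None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in SSH_OPTS_WITH_ARG:
            i += 2          # skip the option and its value
            continue
        if arg.startswith("-"):
            i += 1          # boolean flag such as -q or -T
            continue
        m = SSH_DEST_RE.match(arg)
        return m.group(1) if m else None
    return None


def detect(text, window=300, min_keys=2, min_hosts=2):
    """Correlate key/history reads by a process with ssh fan-out by its children.

    Returns a list of alert dicts: {"pid", "key_files", "hosts"}.
    """
    key_reads = defaultdict(list)   # reader pid -> [(ts, path)]
    targets = defaultdict(list)     # parent pid -> [(ts, host)]
    for e in parse_events(text):
        if e["evt"] == "open" and e["comm"] not in ("ssh", "scp", "ssh-agent"):
            if any(p.search(e["path"]) for p in KEY_PATTERNS):
                key_reads[e["pid"]].append((e["ts"], e["path"]))
        elif e["evt"] == "execve":
            host = ssh_target(e.get("argv", []))
            if host:
                targets[e["ppid"]].append((e["ts"], host))

    alerts = []
    for pid, reads in key_reads.items():
        t0 = min(ts for ts, _ in reads)
        end = t0 + window
        paths = sorted({p for ts, p in reads if t0 <= ts <= end})
        hosts = sorted({h for ts, h in targets.get(pid, []) if t0 <= ts <= end})
        if len(paths) >= min_keys and len(hosts) >= min_hosts:
            alerts.append({"pid": pid, "key_files": paths, "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: read {alert['key_files']} then ssh to {alert['hosts']}")
```

The thresholds are the tunable part: a single admin reading one key and opening one session is normal, whereas one process touching several users' key material and then reaching several hosts in a few minutes is the traversal pattern the article attributes to SSH-Snake. A production rule would key on process ancestry rather than the direct parent pid, since a script may launch ssh from subshells.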

"At the moment, I'm not aware of the size of the infrastructures that have been breached (of the 100 organizations). It would be interesting to see how far the snake has slithered," Rogers said. "If I was an organization that had been deeply compromised by SSH-Snake, I would look to security professionals to assist in a complete re-architecture of their systems, as the original architects would have clearly failed if their mission was to create a sane, resilient, and secure infrastructure."

Penetration testing tools beneficial despite abuse by malicious actors

SSH-Snake is far from the first legitimate cybersecurity tool to be abused by bad actors, and the tool received positive recognition in the days following its release, as Rogers noted in a follow-up blog post. The SSH-Snake GitHub repository had 1,200 “stars,” 17 watchers and 75 forks as of Thursday afternoon.

“Threat actors will always have tools to accomplish their goals even if none are published openly. The open publication of tools like SSH-Snake might save threat actors some time, but leveraging these tools makes them more detectable,” Hernandez told SC Media. “Also, by making these tools public, defenders have the opportunity to learn how they work and see how their defenses hold up.”

Rogers also points out that SSH-Snake itself helps organizations prevent malicious SSH-Snake infection.

"For any infrastructure owners or maintainers worried about their systems being taken over by SSH-Snake, I implore them to utilize SSH-Snake themselves in their own infrastructure to discover the attack paths that exist - and fix them."

One notable example of a penetration testing tool abused by threat actors is Fortra’s Cobalt Strike, used by ransomware groups. “Cracked” versions of the adversary simulation software were used in at least 68 ransomware attacks against healthcare organizations in 19 countries, Microsoft reported last April.

Another example is the use of the commercial offensive security tool Brute Ratel by the ALPHV/BlackCat ransomware group and other criminal actors, after a version of Brute Ratel’s code was leaked in September 2022.

Research published by Kaspersky in 2020 found that 30% of successful cyberattacks in 2019 involved the misuse of legitimate monitoring and management tools such as PowerShell, PsExec and SoftPerfect Network Scanner.

Updated Feb. 24, 2024 with comments from Joshua Rogers.
