Page 19 - Cyber Defense eMagazine - September 2017

by anyone or any government, that can steal credentials such as SSH keys is real. The protocol itself is still safe, but credential theft through human error, phishing or hacking is a growing issue.

The biggest cyberattack in the world to date is the WannaCry ransomware attack. This attack impacted hundreds of thousands of computers in as many as 150 different countries and a range of business segments including healthcare, retail, government and finance. It is also now coming to light that the ransom demand was a distraction for a much more sinister and invasive attack to steal employees’ credentials. This explains why the attack seemed so sloppy in achieving its perceived goal of collecting ransom; so far only about $129,000 has been collected by WannaCry.

Stealing employee credentials is not a new strategy. There are other examples of this, such as the devastating Sony Pictures attack where credentials were again stolen to spread the initial attack.

Why Steal SSH Keys?

An attacker doesn’t need to be sophisticated or well-funded to breach and steal credentials. The Iranian cyber espionage group known as the CopyKittens has shown far less sophistication when compared to other top hacking groups. They do not use the latest exploits and hacks such as 0-days, and their tools are considered inferior. Yet they have still managed to exfiltrate large volumes of data from government organizations, academic institutions and IT companies across the world. They have done this by using malware that steals credentials and then uses those credentials to steal more credentials to move across the compromised network.

Advanced malware and hackers have been collecting SSH keys for years because:

• SSH keys provide a long-term backdoor, and they can be used to spread the attack from one server to another, across nearly all servers in an enterprise, including disaster recovery data centers and backup data centers.
• The keys often grant access to credit card payment environments and financial data environments in public companies.
• The keys commonly provide root or administrator access, thus allowing installation of malware, compromising of software or even outright destruction.


The Danger of Poor Management

Most large organizations have far more SSH keys than they have servers or user accounts. For example, in one typical financial institution, 3 million SSH keys were found granting access to 15,000 servers. That is an average of 200 keys per server. Most organizations have SSH keys granting access that is no longer necessary, not compliant, or redundant. No wonder SSH keys are an attractive target for both insider and external attackers.


Once an attacker breaks into one server, it is highly likely that the attacker will find one or more private keys on that initial server. The attacker can then use these discovered private keys to log in to other servers (typically more than one) and again find private keys on those servers. Repeating this quickly spreads the breach and exposes more and more of the target network.
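A defender-side inventory check for the key sprawl described in the two sections above, added here as an example (it is not code from the magazine or its author): it parses constructed authorized_keys contents from a few hypothetical hosts and reports keys per host, entries with no from=/command= restriction, duplicate entries, and keys accepted on more than one host, which is the reach a stolen key would give an attacker. All hostnames and key strings are made up.

```python
import re
from collections import defaultdict

# Constructed sample inventory (hostname -> authorized_keys text); key material is fake.
SAMPLE = {
    "web01": (
        "ssh-ed25519 AAAAC3Nza...key1 deploy@ci\n"
        'from="10.0.0.5",command="/usr/bin/backup" ssh-rsa AAAAB3Nza...key2 backup@bk\n'
        "ssh-rsa AAAAB3Nza...key3 jsmith (left company)\n"
    ),
    "db01": (
        "ssh-ed25519 AAAAC3Nza...key1 deploy@ci\n"
        "ssh-ed25519 AAAAC3Nza...key1 deploy@ci\n"  # same key pasted twice
        "ssh-rsa AAAAB3Nza...key4 root-shared\n"
    ),
    "dr-backup01": "ssh-ed25519 AAAAC3Nza...key1 deploy@ci\n",
}

# The key-type token marks where the (space-tolerant) options field ends.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384")
TYPE_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) + r")\s+(\S+)(?:\s+(.*))?$")

def parse_line(line):
    """Parse one authorized_keys line into {opts, type, key, comment}; None if not a key."""
    line = line.strip()
    m = TYPE_RE.search(line) if line and not line.startswith("#") else None
    if not m:
        return None
    return {"opts": line[:m.start()].strip(), "type": m.group(1),
            "key": m.group(2), "comment": (m.group(3) or "").strip()}

def audit(hosts):
    """Summarise key sprawl: totals, unrestricted keys, duplicates, cross-host reuse."""
    hosts_by_key, unrestricted, duplicates, total = defaultdict(set), [], [], 0
    for host, text in hosts.items():
        seen = set()
        for raw in text.splitlines():
            e = parse_line(raw)
            if e is None:
                continue
            total += 1
            hosts_by_key[e["key"]].add(host)
            if e["key"] in seen:
                duplicates.append((host, e["key"]))
            seen.add(e["key"])
            # No from= or command= restriction: a general-purpose login key.
            if not any(o in e["opts"] for o in ("from=", "command=")):
                unrestricted.append((host, e["key"], e["comment"]))
    reused = {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}
    return {"total_keys": total, "keys_per_host": total / len(hosts), "unrestricted": unrestricted,
            "duplicates": duplicates, "reused_across_hosts": reused}
```

Run `audit()` over real authorized_keys files collected from each host to get the same report; any key listed under reused_across_hosts is one whose theft would let an attacker hop between those hosts.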

Copyright © Cyber Defense Magazine, All rights reserved worldwide.