A pioneer in cloud native security has shed light on a long-standing but little-known threat to SSH servers. SSH tunneling allows threat actors to use SSH servers as a slave proxy and route traffic through them.
Several months of research by Aqua's Nautilus research team revealed that cybercriminals have found a way to use SSH tunneling to create proxy pools. The cybercriminals primarily aimed at spreading SPAM, but evidence of information theft or cryptomining was also found. During the investigation, Team Nautilus found numerous indications that compromised SSH servers were being offered on the dark web as part of proxy pool packages. To compromise SSH servers, cybercriminals use brute force attacks, among other things. However, during observations of its SSH honeypots, the Nautilus research team also observed campaigns making lateral moves to SSH connections.
How SSH tunneling works
SSH tunneling is a commonly used method that creates secure and encrypted network connections between two servers. This allows data to be transferred over an untrustworthy network. The main purpose is to create a secure communication channel between a local and a remote host, which can then be used to tunnel various network protocols and services.
Cybercriminals have different goals when taking over SSH servers. One use for criminals is the distribution of SPAM, usually through web application exploitation, account takeover, or malware. Cybercriminals have now apparently found ways to compromise SSH servers and run their SPAM campaigns using SSH tunneling through the compromised SSH servers of their unsuspecting victims. Furthermore, the criminals are targeting information on the servers. Domain lookup requests attempting to retrieve “Whois” data, as well as geolocation requests seeking information about IP addresses, were observed. We also noticed API requests directed to various services, including the Steam API. Steam is a gaming website, and it appears that these requests are aimed at collecting information about different users. Cryptomining activities and script kiddies were also observed.
Threat of SSH tunneling
Attackers can gain complete control of a server via compromised SSH access. This can lead to significant impacts. For example, a compromised SSH server can damage the reputation of an IP address, which can lead to IP address bans that disrupt outbound email, data, or other traffic. A company's reputation can also suffer due to its association with fraudulent or malicious activity. Therefore, this type of attack can have a negative impact on businesses even without a data breach.
As always, malicious behavior should be identified as early as possible. Because SSH tunneling targets SSH servers that are part of a company's cloud-native infrastructure, defense is only as good as the security of the cloud-native environment. A Cloud Native Application Protection Platform (CNAPP) can be used to detect misconfigurations in SSH servers as well as malicious behavior.
precautions
These are additional recommendations to ensure the security of affected environments:
- Impede you unnecessary SSH access.
- Use Network monitoring tools to block or restrict inbound and outbound traffic.
- Use strong, unique passwords or key-based authentication for SSH access.
- Implement a multi-factor authentication (MFA) to increase SSH security.
- Monitor SSH logs for unusual activity or multiple failed login attempts.
- Update and patch Use SSH software regularly to eliminate known vulnerabilities.
- Consider the use of SSH certificate-based authentication to increase security.
- You can dEasily block port tunneling by changing: “AllowTCPForwarding no”.
About Aqua Security Aqua Security is the largest pure cloud native security provider. Aqua gives its customers the freedom to innovate and accelerate their digital transformation. The Aqua platform provides prevention, detection, and response automation across the application lifecycle to secure the supply chain, cloud infrastructure, and ongoing workloads—regardless of where they are deployed.