SSH-Snake Open-Source Worm Steals SSH Keys

Cloud security experts at Sysdig have issued a warning about a new open-source tool called SSH-Snake, which is being used to stealthily search for private SSH keys and move laterally within a victim’s infrastructure. Researchers describe SSH-Snake as a “self-modifying worm” that leverages SSH credentials found on compromised systems to begin spreading across the network. Unlike typical SSH worms, SSH-Snake avoids common script-based attack patterns and takes lateral movement to a new level by more thoroughly searching for private keys.

How SSH-Snake Finds Private Keys

SSH-Snake uses both direct and indirect methods to discover private keys on infected systems, including:

• Searching common directories and files where SSH keys and credentials are usually stored, such as .ssh folders and configuration files.
• Reviewing shell history files (like .bash_history and .zsh_history) for commands (ssh, scp, rsync) that may have used or referenced private SSH keys.
• Using the find_from_bash_history function to analyze bash history for commands related to SSH, SCP, and Rsync operations, which can reveal direct references to private keys, their locations, and associated credentials.
• Examining system logs and network caches (such as ARP tables) to identify potential targets and gather information that could indirectly lead to the discovery of private keys and their usage locations.

SSH-Snake’s Capabilities and Intentions

SSH-Snake appeared on GitHub in early January 2024. Its developer described it as a “powerful tool” for automatic network traversal using private SSH keys found on systems. SSH-Snake creates a complete map of the network and its dependencies, helping to determine how a network could be compromised using SSH and private SSH keys, starting from a specific host.

According to the project’s GitHub description, “It is fully self-replicating and self-propagating, and completely fileless.” The creator, Joshua Rogers, emphasizes that SSH-Snake is intended for legitimate system owners to identify weaknesses in their infrastructure before attackers do.

Rogers states, “It’s commonly believed that cyberterrorism happens suddenly and requires only a reactive approach to security. In my experience, systems should instead be designed and maintained with comprehensive security measures. If systems were developed and maintained by reasonable people, and if system owners and companies truly cared about security, the consequences of running such a script would be minimized, just as if SSH-Snake’s actions were performed manually by an attacker.”

Self-Modification and Real-World Attacks

Sysdig analysts note that one of SSH-Snake’s most interesting features is its ability to modify itself and reduce its size upon first execution. The worm removes comments, unnecessary functions, and whitespace from its code to achieve this.

Researchers report that SSH-Snake is already being used by malicious actors. They discovered a command-and-control server used by SSH-Snake operators to store collected information, including credentials and victims’ IP addresses. Hackers appear to have exploited known vulnerabilities in Apache ActiveMQ and Atlassian Confluence to gain initial access to victim networks, then deployed SSH-Snake to continue their attacks.

According to experts, this open-source tool has already been used in attacks against approximately 100 victims.