Malicious SSH client steals credentials masked as a DNS query

Alert Logic researchers have discovered a malicious Secure Shell (SSH) client. It uses Domain Name System (DNS) queries to transport Secure Shell login credentials which are stolen when an unsuspecting user provides them on the compromised client computer when connecting to Secure Shell servers. For more details on this malware, please visit Alert Logic’s page. 

SSH.COM Tectia products are not affected

First things first: SSH.COM products Tectia® SSH Client/Server and Tectia® SSH Server for IBM z/OS are not affected. Nor are legitimate open-source versions of the protocol.

While this issue is not a vulnerability in the Secure Shell protocol itself, this kind of malware could be used to replace (or wrap) any SSH client if the client computer is compromised. And there are very good reasons hackers are using these types of methods to get their hands on SSH login credentials. 

Why are SSH credentials so coveted by hackers?

There are many reasons why SSH credentials are a jackpot for nefarious individuals.

1. Since Secure Shell credentials often come with powerful, system-level privileges (root), they also grant access to highly sensitive information (credit card data, health data, personally identifiable customer data, etc).

2. Alternatively, they open doors to critical IT environments, the network infrastructure, and other mission-critical system components.

3. SSH traffic is encrypted since the protocol was designed to protect sessions from prying eyes. In the wrong hands, however, this traffic can go undetected by your existing security implementations, such as Network Operations Center (NOC), Security Operations Center (SOC), or standard Privileged Access Management (PAM) solutions.

4. As if this wasn’t enough, depending on the power level of the Secure Shell credentials, bad actors can self-provision new access credentials that allow them to hop from server to server and cover even more ground inside the network.

Since SSH credentials have the potential to grant access to valuable information that can be sold or otherwise exploited or can give the power to shut down the entire network of a company, they are particularly lucrative targets for attackers.

In fact, one of the main goals of hackers might be to penetrate the security perimeter to get their hands on just one SSH key, which is a widely used access credential in the Secure Shell protocol. Therefore, we expect to see more exploits in the future that aim to trick the user into revealing sensitive information as part of normal operation.

How it impacts you

Credential theft via malicious SSH clients can have serious consequences for both individuals and organizations. When attackers gain access to your SSH credentials, they can infiltrate sensitive systems undetected. This leads to significant risks.

• Data loss is one of the most immediate threats. Attackers can steal confidential information, causing financial damage and operational disruptions. For businesses, this could mean losing customer data or intellectual property.

• Financial damage extends beyond just data loss. The costs associated with recovering from a breach are substantial. Legal fees, fines for non-compliance with regulations, and the expense of improving security measures add up quickly.

• Reputational harm is another critical impact. Trust takes years to build but only moments to destroy. Customers may lose confidence in your ability to protect their information if you suffer a breach due to compromised SSH credentials.

• For network administrators, these attacks pose additional challenges by complicating system management tasks and increasing workload significantly as they scramble to mitigate damages and secure affected systems.

What is an SSH client?

An SSH client is a software application that uses the Secure Shell (SSH) protocol to establish secure connections over a network. It allows users to access and manage remote systems securely, ensuring data integrity and confidentiality during transmission.

The primary role of an SSH client is to provide encrypted communication between two computers. This encryption protects sensitive information from being intercepted by unauthorized parties. Users often rely on SSH clients for tasks like logging into remote servers, executing commands, transferring files, and managing network infrastructure.

In personal contexts, individuals might use an SSH client to connect to their home computer while traveling or working remotely. For professionals, especially system administrators and developers, it’s a crucial tool for maintaining servers and other critical systems in various environments.

SSH clients typically include features such as key-based authentication methods for enhanced security. They also support port forwarding which enables secure tunneling of other protocols through the encrypted connection.

A common function within many SSH clients involves DNS lookup capabilities integrated with daemon processes running on the server side. These lookups help resolve hostnames into IP addresses before establishing connections.

What is a DNS query?

A DNS (Domain Name System) query is a request made by your computer to translate domain names into IP addresses. This process allows you to access websites using easy-to-remember names instead of numerical IP addresses.

When you type a web address into your browser, the DNS query begins. Your computer sends this request to a DNS server, which looks up the corresponding IP address for that domain name. For example, when you enter "example.com," the server finds its associated IP address and returns it to your device.

DNS queries are essential because they bridge human-friendly domain names with machine-readable IP addresses. There are different types of DNS queries:

1. Forward Lookup: Converts domain names into their respective IP addresses.

2. Reverse Lookup: Finds the domain name associated with an IP address using PTR records.

3. Authoritative Server Queries: These servers hold definitive information about specific domains and provide accurate responses during lookups.

Each step in this process involves various components like authoritative servers and forward entries, ensuring smooth internet navigation.

Attackers might exploit them for malicious purposes such as credential theft via mixed DNS techniques or encoding schemes within query strings.

The DNS tunneling attack mechanism

A malicious SSH client can steal credentials by disguising them as DNS queries. This method allows attackers to bypass many security measures that would otherwise detect and block suspicious activity.

The attack begins with the infection of a system through a compromised SSH client. Once installed, this rogue client captures the user's login credentials during an SSH session. Instead of sending these details directly to the attacker, which could be easily detected, it encodes them into DNS queries.

Here's how it works step-by-step:

1. Infection: The user unknowingly installs a malicious SSH client.

2. Credential Capture: During an active SSH session, the rogue client records login information.

3. Encoding Scheme: The captured data is encoded using a specific scheme designed to fit within standard DNS query strings.

4. DNS Tunneling: These encoded credentials are then sent out as part of normal-looking DNS queries.

5. Query String Manipulation: Each query string contains parts of the stolen data masked within legitimate requests for domain name resolution.

6. Mixed DNS Traffic: To avoid detection, these malicious queries are mixed with regular traffic making them harder to spot.

7. Timeout Handling: If any query fails or times out, retries are managed in such a way that they don't raise suspicion.

This process continues until all necessary credential information has been exfiltrated from the target system without triggering alarms.

By understanding this mechanism—how simple yet effective techniques like encoding schemes and DNS tunneling work—you can better appreciate why traditional security measures might miss such attacks and underscore the need for advanced monitoring solutions tailored specifically against these threats.

Taking control of the access to your environment

Antivirus vendors are now racing to flag files related to this attack as malicious, so the usual ‘keep your Antivirus up-to-date’ applies.

We also recommend that you conduct a thorough investigation of your environment to determine whether or not you have been compromised. However, this is just one example of an exploit that utilizes DNS to exfiltrate sensitive data, so you might want to consider not only monitoring but also blocking outgoing DNS traffic to unknown DNS servers in your firewall. Naturally, this won’t help if the attacker has compromised also a legitimate domain from the list of the top 1 million domains for his or her attack server, but the most blatant exploit attempts would be stopped.

This might also be a good time to rotate any passwords, or better yet get rid of the passwords or permanent access credentials altogether, and allow only strictly controlled access to your Secure Shell servers.

We also couldn't resist taking this opportunity to promote our solutions that help you to stay a step ahead of the game, depending on your setup and needs.

1) Client-to-server connections

To thwart exploit attempts like these, Tectia SSH products can be integrated with a challenge-response MFA (Multi-Factor Authentication) or configured to use X.509 v3 certificates on the client computer. For added security and control, the certificate used can be on a smart card instead of a disk, to access the Tectia SSH Servers on a variety of Linux, Unix, mainframe, and Windows platforms. For more information, please see the SSH.COM Tectia product page.

2) Complex Secure Shell environments in large enterprises

A full-fledged public key infrastructure (PKI) defines the set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryptions.

However, this is often feasible only in large enterprises that have control over all aspects of the environment and users. If your environment is large, it usually has various Secure Shell implementations already in place.

Furthermore, since SSH connections between and to servers are made using SSH key pairs, the number of servers has increased year after year and this process has been going on for a long time - even decades, the result is that a big organization might have accumulated millions of keys! Sometimes, as many as 90% of these connections are untracked and you do not even know what credentials are used to access what and from where.

Our Universal SSH Key Manager® and Risk Assessment would be the place to start to regain control. For more information, please see the SSH.COM UKM product page.

3) Small and growing enterprises with hybrid environments

What if you have no control over the policies on the client side or even where the legitimate connections originate from? What if you have no means nor the time to educate your Secure Shell users but you still need to grant them shell access while ensuring the access credentials to your multi-cloud (AWS, Azure, GCP, OpenStack) and existing on-premises servers cannot be stolen from your privileged user?

The solution for this is SSH.COM PrivX, a Zero Trust Privileged Access Management solution, which ensures you control all aspects of the sessions - without anyone even handling SSH keys that traditionally are used to establish these sessions. Your users cannot be tricked into revealing secrets they do not know. For more information, please see the SSH.COM PrivX product page.

If you are unsure where to get started, don’t hesitate to contact us. We are the company behind the SSH protocol and are here to help you on your journey towards a robust security posture.

PS. To get started on your journey towards reducing insider risk, gaining compliance, and taking better control of your own business, you could also take a look at our From permanent credentials to ephemeral certificates white paper.

FAQ

How do malicious actors use DNS data exfiltration to steal sensitive information?

Malicious actors use DNS data exfiltration by embedding sensitive information into DNS queries or responses. Since DNS traffic is often allowed to pass through network firewalls without detailed inspection, this method effectively disguises the data as normal DNS traffic, enabling stealthy data theft.

How does privileged access management play a role in strengthening cybersecurity against DNS data exfiltration?

Privileged access management (PAM) limits access to critical network resources and monitors the use of administrative permissions. By controlling and auditing who accesses sensitive data and network tools, PAM can help detect unusual activities that might indicate attempts at DNS data exfiltration.

What is reverse DNS lookup and how is it relevant to detecting data exfiltration?

A reverse DNS lookup involves querying the DNS to find the domain name associated with an IP address. It is relevant to detecting data exfiltration because unusual or unexpected reverse DNS lookup results can indicate that an IP address is being used to channel unauthorized data, suggesting potential exfiltration activities.

How can security measures be improved to prevent credential theft during SSH log-in sessions on a network?

Security measures can be improved by implementing multi-factor authentication for SSH sessions, using encrypted SSH keys, regularly updating and patching SSH software, and monitoring network traffic for abnormal SSH activity. Educating users about secure practices and the risks of phishing can also reduce the likelihood of credential theft.

How do attackers use DNS queries to hide their data infiltration efforts, and what can be done to uncover such tactics?

Attackers encode stolen data into DNS queries to blend malicious traffic with legitimate DNS traffic, making detection challenging. To uncover such tactics, organizations can employ DNS traffic monitoring, analyze query patterns for anomalies, and use advanced threat detection systems that specifically look for signs of DNS-based data exfiltration.