Attackers have stepped up their scanning of thousands of servers hosting WordPress websites in search of exposed SSH private keys. Since Monday, security researchers said they have observed a single entity scanning as many as 25,000 systems a day seeking SSH keys that could be used to compromise websites.
“What triggered our concern was a customer who notified us that they have been monitoring their live traffic and seeing scans for SSH keys,” said WordFence CEO Mark Maunder, in an interview with Threatpost. “When we examined our own honeypots we found that this was not an isolated case and that 25,000 scans were taking place in waves each day.”
Those scans began on Monday and are ongoing, Maunder said, and reported in a blog post. Adversaries are using terms such as “root,” “ssh,” or “id_rsa” in hopes of finding web directories containing private SSH keys, most likely placed in public directories by mistake.
SSH (Secure Shell) is a cryptographic network protocol most often used for secure logins to remote computer systems. Successful theft of a private key would give a threat actor access to any server or system where that private key is used for authentication. That risk, security experts note, is not limited to WordPress: Linux and Unix systems and embedded devices also rely heavily on SSH for secure logins and connections.
“Scanning for private SSH keys in public directories is not new. But, the type of increase we are seeing is alarming,” said Justin Jett, director of audit and compliance for Plixer.
Good SSH security practices are seldom followed, he said. Unlike digital certificates, which expire, SSH keys have no expiration date, and passwords are seldom changed.
“What we find is most businesses and enterprises have no idea what SSH keys are or how to manage them,” said Venafi vice president of security strategy Kevin Bocek. “SSH is unfortunately a secret of systems administrators who create them and tend to them.”
Bocek said Venafi has also seen a recent increase in scanning for SSH keys, not only in public directories but also in Git and SVN (Subversion) repositories.
Private keys should never be stored in publicly accessible directories. However, too often admins lose track of SSH keys and host both the public and private keys online.
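The two defensive checks that follow from the article are straightforward to automate: audit the web document root for files that are, or contain, private keys, and flag requests in the web server access log that probe for the paths the scanners are reported to use (“root,” “ssh,” “id_rsa”). The script below is an added example written for this page, not code from WordFence, Venafi, Plixer or the article itself. The log lines and the throwaway document root it builds are constructed for the demonstration; the planted “key” files hold only a PEM header and a placeholder string, not real key material.

```python
"""Audit a web root for exposed SSH private keys and flag key-probing requests.

Added example for this article; the sample data below is constructed.
"""
import re
import shutil
import tempfile
from pathlib import Path

# PEM headers that mark private key material (OpenSSH and classic OpenSSL encodings).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)

# Default file names ssh-keygen gives to private keys.
SUSPECT_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}

# Path components the article reports the scanners searching for, as a whole
# segment or a segment followed by an extension (".ssh/", "/id_rsa", "/root/", ...).
PROBE_PATTERN = re.compile(r"(?:^|/)(?:\.ssh|id_rsa|root|ssh)(?:\.|/|$)", re.IGNORECASE)

# Common Log Format prefix: client ip, identd, user, [timestamp] "METHOD path PROTO" status
CLF_PREFIX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_exposed_keys(webroot):
    """Return web-root-relative paths of files that are named like, or contain, a private key."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name in SUSPECT_NAMES:
            hits.append(rel)
            continue
        try:
            head = path.read_bytes()[:4096]  # headers sit at the top; no need to read whole files
        except OSError:
            continue
        if any(marker in head for marker in PRIVATE_KEY_MARKERS):
            hits.append(rel)
    return sorted(hits)


def flag_key_probes(access_log_lines):
    """Return (client_ip, path, status) for every request whose path probes for SSH key material.

    A 200 status on a flagged path means the server actually served something at that
    location and warrants immediate follow-up; 404s still identify the scanning source.
    """
    flagged = []
    for line in access_log_lines:
        m = CLF_PREFIX.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if PROBE_PATTERN.search(path):
            flagged.append((ip, path, int(status)))
    return flagged


# Constructed access-log sample: one scanner (203.0.113.10) probing key paths, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Oct/2017:10:12:01 +0000] "GET /.ssh/id_rsa HTTP/1.1" 404 209',
    '203.0.113.10 - - [16/Oct/2017:10:12:02 +0000] "GET /root/.ssh/id_rsa HTTP/1.1" 404 209',
    '198.51.100.7 - - [16/Oct/2017:10:12:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3012',
    '203.0.113.10 - - [16/Oct/2017:10:12:07 +0000] "GET /backup/id_rsa HTTP/1.1" 200 1766',
    '198.51.100.7 - - [16/Oct/2017:10:12:09 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 48211',
]


def build_demo_webroot():
    """Create a throwaway document root with two constructed fake key files for the demo."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed, not a jpeg")
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "backup").mkdir()
    # Placeholder bodies only; these are not real keys.
    (root / "backup" / "id_rsa").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n-----END OPENSSH PRIVATE KEY-----\n"
    )
    (root / "deploy.pem").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n-----END RSA PRIVATE KEY-----\n"
    )
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    try:
        print("Exposed key files under web root:", find_exposed_keys(demo_root))
    finally:
        shutil.rmtree(demo_root)
    for ip, path, status in flag_key_probes(SAMPLE_LOG):
        print(f"probe from {ip}: {path} -> {status}{'  <-- SERVED' if status == 200 else ''}")
```

Run against a real document root by passing its path to `find_exposed_keys` and feeding the server's access log into `flag_key_probes`; the file audit catches the `deploy.pem` case that a name-only check would miss, and the status column separates a 404-only scanner from a probe that actually retrieved a file.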
“Exposed SSH keys pose a serious threat to organizations. Anyone gaining access to them has the ‘keys’ to the kingdom,” Jett said.
Earlier this week a report by Venafi disclosed that companies lacked sufficient SSH security controls. A study of 410 IT security professionals by the company found 54 percent of respondents said they do not limit the locations from which SSH keys can be used. It also found 61 percent of respondents do not limit or monitor the number of administrators who manage SSH.