#ssh keys

At its core, cybersecurity is engaged in something like a cold war with threat actors. It is not a battle of violence but rather a cycle of incursion to detection to rebuff and back again, with espionage as a tool and flipping tactics as a weapon. Sometimes the industry gets to do the incurring itself, resulting in high profile disruptions like Operation Endgame or the ongoing dismantling of Aisuru-Kimwolf. The work is never ending, because the attacks are never ending. I often state that threat actors don’t stop just because one avenue of attack is cut off; they simply find a new one.

Which is where malware-as-a-service comes into play. Brokerages, for lack of a better term, where cybercriminals can shop around and find the malware that’s right for their needs. Among these is ShadowSyndicate, a group hosting mostly ransomware-as-a-service. Detecting these groups often comes down to finding a signature or fingerprint of similar architecture or infrastructure. In this case, it’s SSH keys.

Secure Shell Protocol is a cryptographic network protocol for operating network services securely over an unsecured network. It’s mostly used for remote logging and command line execution and is a legitimate function of connecting devices together. Rather than using simple plaintext passwords for authentication, it uses an encryption system. A pair of digital keys, one public, the other private. In essence, the public key is the authorized endpoint and the private key is unique to the verified user. Ransomware works by changing these keys, thereby putting new encryption on captured data and keeping it from its owner.

ShadowSyndicate offers a number of ransomware toolkits, including Cobalt Strike, MetaSploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent and Brute Ratel. I’ve covered some of these in previous reports, notably Cobalt Strike which is an exploited pentesting tool and AsyncRAT, an autonomous remote access trojan. The others are also open source exploitation or C2 tools. Over the last few years, researchers at Group-IB, with help from Intrinsec, have studied the group to determine how and where it operates. They’ve cataloged at least 20 servers used to host and provide the various ransomware toolkits, as well as a number of fingerprints indicative of the group as the ‘supplier’ to various cybercriminals.

The article I’m reporting on today, published two days ago, details a previously unreported trend: the SSH keys are often reused in rotation.

Every packet of data is logged by the device it’s traveling to and from on the internet. It’s why encryption is important to keep data secure and to know it reached its destination as intended. Obfuscation is a common tactic of malware, to make itself look like legitimate traffic so that it evades detection by anti-viral software. Knowing SSH keys is vital to preventing that evasion, since once they are known, they can be blocked. But not just that. Having these fingerprints helps cybersecurity teams trace incursions back to their origin, which is how disruptions are carried out and arrests are made. Most of the ransomwares being provided by ShadowSyndicate are actually abused forms of genuine toolkits, making it even more difficult to tell which ones are being used legitimately and which are exploited. Kudos to Group-IB and Intrinsec, you just made our jobs easier.

JavaScript and Python both have their own package repositories called npm (Node Package Manager) and PyPi (Python Package Index), respectively. They act as key centers for publishing and exchanging reusable code libraries and packages by developers. Sonatype Security Research tracks the npm registry campaign extracting Kubernetes configs and SSH keys via npm packages. Their automated system found…

RSA keys (public-private key pair) are required to authenticate your computer in order to access some resource via ssh. It helps you to avoid entering password each time you are trying to access the resources. Following is the quick way you can generate RSA keys and used it when required.

Check for already available SSH Key

        Go to Terminal (for Linux) / git bash (for windows)

cd ~/.ssh

        You can also check in the default location for windows i.e. 'C:\Users\<username>\.ssh\' folder

Generate RSA Key / SSH Key

ssh-keygen -t rsa -C "your@email_id.com"

        Gives following output:

Generating public/private rsa key pair. Enter file in which to save the key (/home/<username>/.ssh/id_rsa):

        Press Enter for default location. Then, it gives following output:

Created directory '/home/<username>/.ssh'. Enter passphrase (empty for no passphrase):

        Press Enter for no passphrase. (Passphrase is used for extra security purpose, if you enter a passphrase, you either need to re-enter you passphrase everytime ssh authentication is made or, use 'ssh-agent', a tool to manage the passphrase.)

Enter same passphrase again:

        Again, Press Enter. You will have following output.

Your identification has been saved in /home/<username>/.ssh/id_rsa. Your public key has been saved in /home/<username>/.ssh/id_rsa.pub. The key fingerprint is: bla:bla:bla:bla your@email_id.com

Congratulations! your RSA key is not successfully generated and stored in home folder.

Add Public RSA Key / SSH Key to your Account

Now, you need to copy 'public key' from RSA key pair (contents of 'id_rsa.pub' file) and paste it into your online account or server. All you need to do is:

cat ~/.ssh/id_rsa.pub

and copy the content displayed up to your email_id, then paste it where you need to. Now you are DONE.

For the first time, ssh authentication is made, the following message can be seen, go ahead and type yes and enter, then that host will be recorded in a file: known_host in ~/.ssh/ folder for later reference

The authenticity of host 'blablabla.com' can't be established. RSA key fingerprint is bla:bla:bla:.... Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'blablabla.com' (RSA) to the list of known hosts.

Why is SSH keys / RSA keys required? How does it work? Lets see, what happens and clear out the concept of ssh authentication using RSA keys...

You generate unique RSA keys pairs i.e. public key and private keys, both are by default store in separate files in .ssh folder inside home i.e. (/home/<username>/.ssh/) 'id_rsa' is private key whereas 'id_rsa.pub' is the public key. You need to copy-paste the content of id_rsa.pub (the public key) to external resources wherever required whereas keep the private key secret. Now every time you perform ssh request, ssh authentication runs during which, the public key you had pasted in external resource makes a match against the private key stored in you computer. If the authentication is successful it allows further access via ssh. Enjoy! If not, recheck you keys in 'id_rsa.pub' and paste it to the external resource.

For further details on How Public Key Cryptography Works? Go to 'Introduction' and then straight to 'how it works?' and 'Description' Section.

Uploading Personal ssh Keys to Amazon EC2 - Alestic.com

Ok, so it's not recent any more, but it still seems pretty unknown. I use PHPStorm for my IDE and needed to have a private/public key in order to connect via SFTP.