Description

The Sysdig Threat Research Team (TRT) has discovered a new self-modifying worm called SSH-Snake, released on January 4, 2024, which poses a threat to network security. Built for offensive operations, SSH-Snake autonomously uses SSH credentials found on a compromised system to spread across the network, with the goal of building a comprehensive map of the network and its dependencies. SSH-Snake activity can be detected with runtime threat detection tools such as Sysdig Secure or open source Falco.

The worm's distinctive feature is self-modification on its first run: it shrinks itself by stripping comments, whitespace and unnecessary functions. It hunts for private keys autonomously, inspecting the output of last and arp and parsing ssh, scp and rsync commands out of bash history files. SSH-Snake is designed to be customized for specific use cases, and it is fileless, self-replicating and self-propagating, compatible with any device.

Sysdig TRT identified the command and control (C2) server used by the threat actors deploying SSH-Snake; it holds a repository of files containing the worm's output for each target. Filenames on the C2 server contain victim IP addresses, which indicates active exploitation of known Confluence vulnerabilities for initial access. SSH-Snake's output includes discovered credentials, target IPs and the victims' bash history. The victim list is still growing, suggesting an ongoing operation with approximately 100 victims at the time of writing. Sysdig's runtime solution, Sysdig Secure, and its unified detection engine, Falco, play a crucial role in identifying and preventing SSH-Snake attacks.
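The behaviour chain described above (one shell reading bash history and several private keys, running last and arp, then launching ssh, scp or rsync) is what a runtime detector can correlate on, since each step alone is routine admin work. The following is an added example written for this page, not Sysdig's or Falco's code: a small Falco-style correlator that scores constructed process and file-open events per originating shell, plus a responder helper that lists the hosts named in a compromised box's ssh/scp/rsync history so their keys can be rotated. The event schema, field names (shell_pid, type, path, comm, args), the sample events and the min_keys threshold are all assumptions made for the illustration.

```python
"""
Added example (not Sysdig or Falco code): correlate the SSH-Snake credential
harvest pattern across constructed runtime events. The event format below is
an assumption for this illustration, not real Falco output.
"""
from collections import defaultdict

PRIVATE_KEY_NAMES = (".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa", ".ssh/id_dsa")
HISTORY_NAMES = (".bash_history", ".zsh_history")
RECON_CMDS = {"last", "arp"}
LATERAL_CMDS = {"ssh", "scp", "rsync"}

# Constructed sample events (not captured from a real system). "shell_pid" is
# the shell that spawned the activity, so exec'd children (last, arp, ssh)
# correlate back to the same actor.
SAMPLE_EVENTS = [
    {"shell_pid": 4242, "type": "open", "path": "/home/dev/.bash_history"},
    {"shell_pid": 4242, "type": "open", "path": "/home/dev/.ssh/id_rsa"},
    {"shell_pid": 4242, "type": "open", "path": "/root/.ssh/id_ed25519"},
    {"shell_pid": 4242, "type": "exec", "comm": "last", "args": ""},
    {"shell_pid": 4242, "type": "exec", "comm": "arp", "args": "-a"},
    {"shell_pid": 4242, "type": "exec", "comm": "ssh",
     "args": "-i /home/dev/.ssh/id_rsa dev@10.0.0.12"},
    # Benign: an admin shell uses one key for one ssh and never reads history.
    {"shell_pid": 9001, "type": "open", "path": "/home/dev/.ssh/id_rsa"},
    {"shell_pid": 9001, "type": "exec", "comm": "ssh", "args": "dev@10.0.0.12"},
]


def correlate(events):
    """Group the indicators the worm produces, keyed by originating shell."""
    state = defaultdict(lambda: {"keys": set(), "history": set(),
                                 "recon": set(), "lateral": set()})
    for ev in events:
        s = state[ev["shell_pid"]]
        if ev["type"] == "open":
            path = ev["path"]
            if path.endswith(PRIVATE_KEY_NAMES):
                s["keys"].add(path)
            elif path.endswith(HISTORY_NAMES):
                s["history"].add(path)
        elif ev["type"] == "exec":
            comm = ev["comm"]
            if comm in RECON_CMDS:
                s["recon"].add(comm)
            elif comm in LATERAL_CMDS:
                s["lateral"].add(comm)
    return dict(state)


def detect_ssh_snake_like(events, min_keys=2):
    """Return {shell_pid: reason} for shells that read history plus at least
    min_keys distinct private keys, ran last/arp, and then started an
    ssh/scp/rsync client. The full chain from one shell is the alert
    condition; any single step is normal administration."""
    hits = {}
    for pid, s in correlate(events).items():
        if (len(s["keys"]) >= min_keys and s["history"]
                and s["recon"] and s["lateral"]):
            hits[pid] = (f"read {len(s['keys'])} private keys and "
                         f"{len(s['history'])} history file(s), ran "
                         f"{sorted(s['recon'])}, then spawned {sorted(s['lateral'])}")
    return hits


# Constructed history lines for the responder helper below.
SAMPLE_HISTORY = [
    "ls -la",
    "ssh -i ~/.ssh/id_rsa dev@10.0.0.12",
    "scp backup.tgz ops@db01.internal:/var/backups/",
    "rsync -avz ./site web@10.0.0.30:/srv/www",
    "git push origin main",
]


def exposed_hosts_from_history(lines):
    """Hosts named as user@host targets of ssh/scp/rsync in a compromised
    system's history: the set whose keys and authorized_keys need review."""
    hosts = set()
    for line in lines:
        parts = line.split()
        if not parts or parts[0] not in LATERAL_CMDS:
            continue
        for tok in parts[1:]:
            if "@" in tok:
                hosts.add(tok.split("@", 1)[1].split(":", 1)[0])
    return sorted(hosts)


if __name__ == "__main__":
    for pid, why in detect_ssh_snake_like(SAMPLE_EVENTS).items():
        print(f"ALERT shell {pid}: {why}")
    print("rotate keys for:", exposed_hosts_from_history(SAMPLE_HISTORY))
```

Running the block flags shell 4242 and leaves the benign shell 9001 alone. Tune min_keys to the environment: a bastion where every admin reads several keys in one session needs a higher threshold or an additional condition (for example the worm's characteristic self-modifying write to its own script) to keep the rule quiet.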