The Ukrainian blackout malware, operated by the state-sponsored BlackEnergy group, first made news in December 2015, when it was used to cut power to a large part of the Ivano-Frankivsk region of Ukraine. The malware abuses SSH (Secure Shell) keys, the credentials used to build encrypted, authenticated connections between two or more machines. Researchers at the cybersecurity firm Venafi now report a surge in its spread, because it is being sold on the dark web as Malware-as-a-Service (MaaS).
Upgrade to the Blackout Malware
An SSH key acts as a login credential in SSH protocol-based communication. It plays the same role as a username and password, but keys are primarily used for automated processes and for single sign-on by system administrators. A compromise of even a single SSH key can therefore give attackers access at the privilege of the account that trusts the key, frequently root, on critical systems, which in turn provides a backdoor for spreading malware or sabotaging processes.
A recent upgrade to the blackout malware adds the attacker's own public key to the victim machine's authorized_keys file, the list of keys the SSH server trusts, so that the attacker can log in over an encrypted connection without ever needing a password. Other techniques include brute-forcing weak SSH credentials to gain a foothold and then move laterally across the network. Venafi says that, over the past year, these techniques have been observed in TrickBot, the cryptomining campaign CryptoSink, Linux Worm and Skidmap.
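Both techniques above leave traces a defender can check for. The following is an added example (not code from Venafi or from any of the malware families named): it audits authorized_keys files against an inventory of approved fingerprints, flagging keys that are unknown, mislabelled or malformed, and it counts failed password logins per source address in sshd log lines. The key blobs, file paths, log lines and the fingerprint inventory are all constructed here for illustration; the blobs are valid ssh-ed25519 wire format but are not real keys.

```python
"""Audit authorized_keys entries and spot SSH password brute force.
Added example; the sample files, keys and log lines are constructed."""
import base64
import hashlib
import re
import struct
from collections import Counter

# Key types the audit recognises; any other prefix is reported as unparseable.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-[\w.-]+@openssh\.com)\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(pub: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key: string type || string key."""
    assert len(pub) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(pub)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def wire_key_type(blob: bytes) -> str:
    """The first string inside any public key blob is the algorithm name."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("algorithm name truncated")
    return blob[4:4 + n].decode("ascii")


def audit_authorized_keys(files, inventory):
    """files: {path: text of that authorized_keys file}; inventory: approved fingerprints.
    Returns (path, line_no, reason, fingerprint_or_None) for every entry that is not a
    well-formed, approved key. Options such as command="..." may precede the key type."""
    findings = []
    for path, text in files.items():
        for no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = KEY_RE.search(line)
            if not m:
                findings.append((path, no, "unparseable entry", None))
                continue
            ktype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
            try:
                blob = base64.b64decode(b64, validate=True)
                actual = wire_key_type(blob)
            except ValueError as e:  # binascii.Error is a ValueError subclass
                findings.append((path, no, f"malformed key blob: {e}", None))
                continue
            fp = fingerprint(blob)
            if actual != ktype:
                findings.append((path, no, f"declared {ktype} but blob encodes {actual}", fp))
            elif fp not in inventory:
                findings.append((path, no, f"key not in inventory (comment {comment!r})", fp))
    return findings


def brute_force_sources(log_lines, threshold=5):
    """{ip: (failed attempts, distinct usernames tried)} for sources at or above threshold."""
    attempts, users = Counter(), {}
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            attempts[ip] += 1
            users.setdefault(ip, set()).add(user)
    return {ip: (n, len(users[ip])) for ip, n in attempts.items() if n >= threshold}


# --- Constructed sample data (not real keys, hosts or logs) ------------------
ADMIN_B64 = base64.b64encode(ed25519_blob(bytes(range(32)))).decode()
ROGUE_B64 = base64.b64encode(ed25519_blob(bytes([0xAB] * 32))).decode()
APPROVED = {fingerprint(ed25519_blob(bytes(range(32))))}  # the key inventory
SAMPLE_FILES = {
    "/root/.ssh/authorized_keys": (
        "# ops deploy key\n"
        f"ssh-ed25519 {ADMIN_B64} deploy@ci\n"
        f'no-pty,command="/bin/true" ssh-ed25519 {ROGUE_B64} root@localhost\n'
    ),
    "/home/dave/.ssh/authorized_keys": (
        f"ssh-ed25519 {ADMIN_B64} dave\n"
        f"ssh-rsa {ROGUE_B64} old-laptop\n"  # type label does not match the blob
        "ssh-ed25519 AAAA truncated\n"       # decodes to 3 bytes, not a key
    ),
}
SAMPLE_LOG = [
    f"Mar  3 10:01:{s:02d} web1 sshd[4211]: Failed password for invalid user {u} "
    f"from 203.0.113.7 port 51{s}32 ssh2"
    for s, u in enumerate(["admin", "root", "test", "oracle", "pi", "root"])
] + [
    "Mar  3 10:02:10 web1 sshd[4220]: Failed password for dave from 198.51.100.9 port 51022 ssh2",
    "Mar  3 10:02:41 web1 sshd[4225]: Accepted publickey for dave from 192.0.2.4 port 51030 ssh2",
]

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_FILES, APPROVED):
        print("authorized_keys:", f)
    for ip, (n, k) in brute_force_sources(SAMPLE_LOG).items():
        print(f"brute force from {ip}: {n} failures, {k} usernames")
```

Run against real hosts, the inventory would be the fingerprints your key-management process issued, and the file map would be built by walking every AuthorizedKeysFile location sshd is configured to read (not only ~/.ssh). The type check matters because a key labelled ssh-rsa whose blob says ssh-ed25519 is never a legitimate entry; the decode check catches entries that sshd would silently skip but that still indicate tampering.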
Yana Blachman, a threat intelligence specialist at Venafi, said, “SSH keys can be potent weapons in the wrong hands. But until recently, only the most sophisticated, well-financed hacking groups had this kind of capability. Now, we’re seeing a ‘trickle-down’ effect, where SSH capabilities are becoming commoditized. What makes this commoditization so worrying is that if an attacker is able to backdoor a potentially interesting target, they may monetize this access and sell it through dedicated channels to more sophisticated and sponsored attackers, such as nation-state threats for the purpose of cyber espionage or cyber warfare.”
To counter such threats, organizations need cyber analytics and threat intelligence in place to find these holes in their infrastructure, and they need visibility into their own SSH keys: an inventory of every authorized key and who holds it, monitoring for changes to authorized_keys files, and removal of keys that are unknown or no longer needed. Disabling password authentication for SSH where possible removes the target for brute force, and the remaining keys should be protected as the privileged credentials they are.