Attackers Targeting Linux Infrastructures with Rootkit to Steal SSH Keys
U.S.-CERT is warning of attacks targeting Linux-based infrastructures using compromised SSH keys. After access is gained to the system, local kernel exploits are used to gain root access. A rootkit is then installed to steal more SSH keys. The attack could be related to a flaw affecting Debian-based encryption keys discovered earlier this year.

Hackers are launching attacks against Linux-based computing infrastructures using compromised SSH [Secure Shell] keys and installing rootkits, according to a warning by the U.S. Computer Emergency Readiness Team. According to US-CERT, the attack uses stolen SSH keys to access a system and then local kernel exploits to gain root access. At that point, a rootkit known as phalanx2 is installed.
"Phalanx2 appears to be a derivative of an older rootkit named phalanx," the US-CERT advisory reads. "Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site."
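The chain described above begins with a key the server still trusts, so the first defensive step is knowing which keys each account accepts, how strong they are, and whether they are restricted to particular source hosts. The following audit script is an added example, not code from the article or from the US-CERT advisory. It parses OpenSSH `authorized_keys` entries (including the optional options field and the binary key blob) and reports weak RSA moduli, obsolete DSA keys, and entries with no `from=` restriction. The file contents, key material and threshold are constructed for the demonstration, and the 2048-bit RSA minimum is an assumed policy value.

```python
"""Audit an OpenSSH authorized_keys file (added example, not from the advisory).

Reports key type, key size, comment and restricting options for each entry so
a defender can decide which keys to rotate and which lack a from= restriction.
"""
import base64
import struct

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")


def read_string(blob, offset):
    """Decode one SSH wire-format string: uint32 big-endian length + bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def encode_string(data):
    """Encode bytes as an SSH wire-format string."""
    return struct.pack(">I", len(data)) + data


def encode_mpint(value):
    """Encode a positive integer as an SSH mpint (leading zero if high bit set)."""
    return encode_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_blob(e, n):
    """Build the public-key blob for ssh-rsa: string type, mpint e, mpint n."""
    return encode_string(b"ssh-rsa") + encode_mpint(e) + encode_mpint(n)


def ed25519_blob(pubkey32):
    """Build the public-key blob for ssh-ed25519: string type, string key."""
    return encode_string(b"ssh-ed25519") + encode_string(pubkey32)


def make_entry(key_type, blob, comment):
    """Format one authorized_keys line from a key blob."""
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_key_blob(blob):
    """Return (type declared inside the blob, key size in bits or None)."""
    key_type, off = read_string(blob, 0)
    key_type = key_type.decode()
    bits = None
    if key_type == "ssh-rsa":
        _e, off = read_string(blob, off)
        n, off = read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-"):
        bits = int(key_type.rsplit("-", 1)[1][-3:])  # nistp256 -> 256
    elif key_type == "ssh-ed25519":
        bits = 256
    return key_type, bits


def split_options(line):
    """Split '[options] keytype base64 comment' into (options, rest).

    Options may contain double-quoted strings with spaces (e.g. command="...").
    """
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def audit_authorized_keys(text, min_rsa_bits=2048):
    """Return one finding dict per entry; 'issues' lists policy violations."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            findings.append({"line": lineno, "issues": ["unparseable entry"]})
            continue
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob_type, bits = parse_key_blob(base64.b64decode(b64, validate=True))
        except (ValueError, struct.error, UnicodeDecodeError):
            findings.append({"line": lineno, "issues": ["undecodable key blob"]})
            continue
        issues = []
        if blob_type != key_type:
            issues.append("type field does not match key blob")
        if key_type == "ssh-rsa" and bits < min_rsa_bits:
            issues.append(f"RSA modulus only {bits} bits")
        if key_type == "ssh-dss":
            issues.append("DSA key (obsolete)")
        if "from=" not in options:
            issues.append("no from= source restriction")
        findings.append({"line": lineno, "type": key_type, "bits": bits,
                         "comment": comment, "options": options, "issues": issues})
    return findings


# Constructed sample file: the RSA modulus is a synthetic 1024-bit number and the
# ed25519 key is all zeros; neither is real key material.
CONSTRUCTED_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real deployment",
    make_entry("ssh-rsa", rsa_blob(65537, (1 << 1023) | 12345), "legacy@build-host"),
    'from="10.0.0.0/8",no-pty ' + make_entry("ssh-ed25519", ed25519_blob(bytes(32)), "deploy@ci"),
])

if __name__ == "__main__":
    for f in audit_authorized_keys(CONSTRUCTED_AUTHORIZED_KEYS):
        print(f)
```

Run against a real file with `audit_authorized_keys(open(path).read())`; entries that show up without a `from=` restriction are the ones a stolen copy could be replayed from anywhere, which is the reuse pattern the advisory describes.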