Attackers Targeting Linux Infrastructures with Rootkit to Steal SSH Keys

US-CERT is warning of attacks targeting Linux-based infrastructures using compromised SSH keys. After access is gained to the system, local kernel exploits are used to gain root access. A rootkit is then installed to steal more SSH keys. The attack could be related to a flaw affecting Debian-based encryption keys discovered earlier this year.

Hackers are launching attacks against Linux-based computing infrastructures using compromised SSH [Secure Shell] keys and installing rootkits, according to a warning by the U.S. Computer Emergency Readiness Team.

According to US-CERT, the attack uses stolen SSH keys to access a system and then local kernel exploits to gain root access. At that point, a rootkit known as phalanx2 is installed.

"Phalanx2 appears to be a derivative of an older rootkit named phalanx," the US-CERT advisory reads. "Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site."

The attacks could be related to a flaw that was discovered earlier this year in the random number generator in Debian's OpenSSL package. The flaw makes cryptographic material generated on affected systems guessable.

US-CERT recommends that administrators identify and examine systems where SSH keys are used as part of automated processes, and encourages users to protect their keys with a passphrase to reduce the risk if a key file is compromised. If a compromise is confirmed, disable key-based SSH authentication to the affected system wherever possible.
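The two recommendations above are easy to turn into a routine check: find private keys that are stored without a passphrase (the ones an automated process can use unattended are exactly the ones a key-stealing rootkit can use unattended), and confirm whether sshd on a host still accepts key-based logins. The following script is an added example written for this article; it is not part of the US-CERT advisory or of OpenSSH. It relies on two documented format facts: a legacy PEM private key that is encrypted carries a `Proc-Type: 4,ENCRYPTED` header, and an OpenSSH-format key records its cipher and KDF names right after the `openssh-key-v1` magic, both of which read `none` when the key is unencrypted. All key material and the `sshd_config` snippets below are constructed samples, not real keys.

```python
"""Audit SSH private keys for passphrase protection and check whether sshd
still accepts key-based logins.  Added example for this article; not taken
from the US-CERT advisory.  All sample keys and configs are constructed."""
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length, then bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_encrypted(pem_text: str):
    """True if the key needs a passphrase, False if stored in the clear,
    None if the text is not a private key in a format we recognise."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            return None
        # Header layout: magic, ciphername, kdfname, kdfoptions, nkeys, ...
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(body, off)
        return not (cipher == b"none" and kdf == b"none")
    if "PRIVATE KEY" in lines[0]:
        if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
            return True  # PKCS#8 encrypted container
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
    return None


def audit_keys(keys: dict) -> dict:
    """Map each file name to 'protected', 'UNPROTECTED' or 'not a key'."""
    labels = {True: "protected", False: "UNPROTECTED", None: "not a key"}
    return {name: labels[key_is_encrypted(text)] for name, text in keys.items()}


def audit_key_dir(directory: str) -> dict:
    """Run audit_keys over every regular file in a directory (e.g. ~/.ssh)."""
    files = {p.name: p.read_text(errors="replace")
             for p in Path(directory).iterdir() if p.is_file()}
    return audit_keys(files)


def pubkey_auth_enabled(config_text: str) -> bool:
    """True if sshd would accept key-based logins under this config.
    Only the global section is examined (we stop at the first Match block);
    sshd honours the first occurrence of a keyword and defaults to 'yes'."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "pubkeyauthentication" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True


def _constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Build just enough of an OpenSSH-format key to exercise the header
    check.  Constructed sample material only; this is not a usable key."""
    body = (OPENSSH_MAGIC
            + struct.pack(">I", len(cipher)) + cipher
            + struct.pack(">I", len(kdf)) + kdf)
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples: an unprotected automation key, a passphrase-protected
# key, a legacy PEM key with an encryption header, and a non-key file.
SAMPLE_KEYS = {
    "id_rsa_automation": _constructed_openssh_key(b"none", b"none"),
    "id_ed25519": _constructed_openssh_key(b"aes256-ctr", b"bcrypt"),
    "legacy_rsa": ("-----BEGIN RSA PRIVATE KEY-----\n"
                   "Proc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
                   "\nAAAA\n"  # placeholder body, not real key material
                   "-----END RSA PRIVATE KEY-----\n"),
    "notes.txt": "reminder: rotate keys after the incident\n",
}

# Constructed sshd_config fragments: stock defaults vs. key auth disabled.
DEFAULT_SSHD_CONFIG = "# constructed sample\nPort 22\n#PubkeyAuthentication yes\n"
HARDENED_SSHD_CONFIG = "Port 22\nPubkeyAuthentication no\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, status in audit_keys(SAMPLE_KEYS).items():
        print(f"{name}: {status}")
    print("sshd accepts key-based logins:", pubkey_auth_enabled(DEFAULT_SSHD_CONFIG))
```

Run `audit_key_dir("/home/<user>/.ssh")` against each account that drives an automated job; any `UNPROTECTED` result is a key that a phalanx2-style collector could exfiltrate and reuse immediately, so it belongs on the list of systems to examine and the key on the list to rotate. The `pubkey_auth_enabled` check only reads the global section of `sshd_config`, so a `Match` block that re-enables key authentication for a specific user or group would need to be reviewed separately.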

Detailed information on detecting phalanx2 can be found in the US-CERT advisory.