The dark side of the ForSSHe
In February 2014, ESET researchers from Montreal published a report on a group that had compromised more than 40,000 Linux servers worldwide since 2011. This research was presented at LCA 2015 as Operation Windigo. The modus operandi of this campaign consisted mainly of stealing login credentials through an OpenSSH backdoor called Ebury, allowing the operators to extend their network of compromised servers. Prior to installing the backdoor, the operators ran a recon script to collect various pieces of information, including the presence of other OpenSSH backdoors on the system. Over three years, we collected hundreds of undocumented samples matching the rules based on the signatures we extracted from that script. This talk will present our analysis of these samples, from the most basic ones to advanced ones involving exotic encryption algorithms, anti-logging and diverse methods of exfiltration. In order to pivot on these findings, we set up a custom honeypot infrastructure and let the operators behind the backdoors play with it. We will present the checks they make before deploying their malware, how they install it and the lateral movements we have observed so far. We will also talk about the new samples we were able to obtain thanks to this poker strike. Finally, we will give some pointers on preventing this kind of threat and on how one can ensure the legitimacy of OpenSSH daemons and clients.