SSH snake steals SSH keys

Sicherheit (Pexels, allgemeine Nutzung)[German]Warning about the Snake worm, which is designed to steal SSH keys. The SSH-Snake malware was discovered by the Sysdig Threat Research Team (TRT). The self-modifying worm uses SSH credentials discovered on a compromised system to spread throughout the network. The worm automatically scans known locations for credentials and shell history files.


The malware is actively used by threat actors. It is smarter and more reliable, which enables attackers to penetrate further into a network once they have gained a foothold. The SSH worm Snake attempts to exploit the basic recommendation to use SSH keys to spread across the network. It is also file less, which can make static detection more difficult.

The colleagues from Bleeping Computer warned about SSH-Snake in this article a few days ago. The worm is available as open source on Github . I received a comment from Kevin Bocek, Chief Innovation Officer at Venafi, from an agency, which addresses the issue as follows:

SSH-Snake could have serious consequences given the high privileges that SSH keys enjoy. SSH snake was developed with the intention of helping organizations find gaps in their defenses. However, it is a double-edged sword if SSH keys are not managed effectively. The worm is capable of modifying and exploiting SSH credentials itself, and could become very dangerous in the hands of attackers. SSH keys do not expire like other machine identities, and they are often misunderstood. This means that a compromised identity can be misused for a long time – months or even years – without an organization finding out about it, making it a goldmine for opportunists.

An attacker armed with SSH snake could easily penetrate networks, intercept connections and gain access to the corporate infrastructure. Its subtle code modifications make it virtually undetectable.

Research shows that in 2020, more than a third (37%) of CIOs surveyed said they had no visibility into the whereabouts of SSH on their networks. Given the increasing use of SSH in cloud environments, containers and automated workflows, this figure is likely to be even higher than it is today. This lack of visibility is worrying, according to security vendors, considering that these critical machine identities are used everywhere from firewalls and routers to Unix or Linux systems.

Kevin Bocek says: "To combat threats that could come from tools like SSH Snake, organisations need to have an overview of all their machine identities. Then they can set and enforce policies that automate the rotation of machine identities that may leave them unprotected."


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *