nice trick. from the defender’s side, the most obvious lesson here is don’t rely on copying mutable state around, whether by hand or through Ansible. any piece of config is potentially security-relevant and whatever auditing and deployment practices you have need to apply to everything.
I find the wording quite misleading. There is no infection. They just use a standard feature that people used for a decade to restrict keys and run commands on remote hosts. Who would have guessed that you can do malicious things if you can run arbitrary commands…
yeah, it is not ideal wording. the benefit from an attacker’s perspective is that it’s a subtle way to get persistence after a successful intrusion (without needing a rootkit). I do think the post makes that fairly clear but the headline isn’t great.
This is the cambridge dictionary level definition of what is going on, and the de facto way ‘infection’ has been used in infosec since at least the days ‘viruses’ were being talked about (so mid eighties) and broadly for that matter (host, file, binary, registry, …) infected by (…) and also the same terminology EDR tools use to this day.
Piggybacking on standard features to hide in plain sight is very much a desired trait and a kind of misuse to definitely consider when introducing, as you put it, a ‘standard feature’. I did not know about this property of OSSH keyfiles and consider it an anti-feature big enough that I will absolutely patch it out on the few machines I still run OSSH on.
This one is great and definitely goes into both my red and blue teaming arsenals – even more-so now. High entropy blocks of data is suspect in ‘text files’ but absolutely expected in key files. Techniques published by the likes of THC, Phrack etc. very quickly become common practice.
nice trick. from the defender’s side, the most obvious lesson here is don’t rely on copying mutable state around, whether by hand or through Ansible. any piece of config is potentially security-relevant and whatever auditing and deployment practices you have need to apply to everything.
The dangers of rsyncing dotfiles …
I find the wording quite misleading. There is no infection. They just use a standard feature that people used for a decade to restrict keys and run commands on remote hosts. Who would have guessed that you can do malicious things if you can run arbitrary commands…
yeah, it is not ideal wording. the benefit from an attacker’s perspective is that it’s a subtle way to get persistence after a successful intrusion (without needing a rootkit). I do think the post makes that fairly clear but the headline isn’t great.
This is the cambridge dictionary level definition of what is going on, and the de facto way ‘infection’ has been used in infosec since at least the days ‘viruses’ were being talked about (so mid eighties) and broadly for that matter (host, file, binary, registry, …) infected by (…) and also the same terminology EDR tools use to this day.
Piggybacking on standard features to hide in plain sight is very much a desired trait and a kind of misuse to definitely consider when introducing, as you put it, a ‘standard feature’. I did not know about this property of OSSH keyfiles and consider it an anti-feature big enough that I will absolutely patch it out on the few machines I still run OSSH on.
This one is great and definitely goes into both my red and blue teaming arsenals – even more-so now. High entropy blocks of data is suspect in ‘text files’ but absolutely expected in key files. Techniques published by the likes of THC, Phrack etc. very quickly become common practice.