US-CERT Confirms Attacks Using Stolen SSH Keys


By Kevin McLaughlin, ChannelWeb
7:52 PM EDT Wed. Aug. 27, 2008
US-CERT on Wednesday confirmed that attackers are actively targeting Linux-based computing infrastructures, using stolen SSH keys to gain access to systems and install a rootkit known as "phalanx2".

According to US-CERT, phalanx2 bears certain similarities to an older rootkit called "phalanx," and is set up to steal SSH keys and send them to attackers, who then turn around and use them to break into other sites.

This type of attack can be easily detected and blocked by network- or host-based IPS, according to Andrew Plato, president at Anitian Enterprise Security, a security specialist in Beaverton, Ore.

"Any company with live hosts on the Internet should have IPS. It's a proven security technology that can bridge the gap between the outbreak of a new attack and the time to patch systems," Plato said.

US-CERT is advising organizations to identify and examine systems where SSH keys are used in automated processes and to examine Internet-facing systems to ensure that their patches are up to date.

If a system turns up that has been compromised by phalanx2, US-CERT recommends that administrators disable key-based SSH authentication where possible; perform an audit of all SSH keys on compromised systems; and alert key owners that their keys may have been compromised.
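One way to carry out the key audit US-CERT describes, as an added example that is not from the article or from US-CERT: it walks a directory tree of home directories, groups `authorized_keys` entries by key fingerprint so each key's owner can be traced to every account it unlocks, and flags private keys stored without a passphrase, which is typical of keys used by automated processes. The function names are hypothetical, and only legacy PEM and `openssh-key-v1` private key files and common public key types are recognized.

```python
# Added example: function names are hypothetical, not from any existing tool.
import base64, hashlib, os, re

# Optional options prefix, then key type and base64 blob; commented lines are skipped.
KEY_RE = re.compile(r"^(?![ \t]*#)(?:[^\n]*?[ \t])?(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)"
                    r"[ \t]+([A-Za-z0-9+/]+=*)(?:[ \t][^\n]*)?$", re.M)
MAGIC = b"openssh-key-v1\0"

def fingerprint(b64blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    try:
        digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    except ValueError:
        return "MALFORMED"  # truncated or corrupted entry; still worth reporting
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def private_key_state(text):
    """Return 'encrypted', 'unencrypted', or None if text is not a private key."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        try:
            raw = base64.b64decode(body)
        except ValueError:
            return None
        if not raw.startswith(MAGIC):
            return None
        # The cipher name follows the magic as a length-prefixed string.
        no_pass = raw[len(MAGIC):].startswith(b"\x00\x00\x00\x04none")
        return "unencrypted" if no_pass else "encrypted"
    if re.search(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text):
        # Legacy PEM keys carry this header only when passphrase-protected.
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"
    return None

def audit(root):
    """Return ({fingerprint: set of authorized_keys paths}, [(key path, state)])."""
    grants, private = {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    text = fh.read(65536)
            except OSError:
                continue
            if name.startswith("authorized_keys"):
                for m in KEY_RE.finditer(text):
                    grants.setdefault(fingerprint(m.group(2)), set()).add(path)
            elif (state := private_key_state(text)):
                private.append((path, state))
    return grants, sorted(private)
```

Run it against a mounted disk image or from trusted boot media rather than on the live host, since a rootkit can hide files from tools running on the compromised system. The fingerprints are in the same form `ssh-keygen -lf` prints, so they can be matched against keys held by their owners.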

There has been a recent uptick in the number of Linux-related attacks, and a fairly large number of Linux users still believe Linux is immune from a security standpoint, Plato said.

"When they experience their first compromise, it can be a real eye opener to the reality of Linux security. A poorly managed or secured Linux system isn't any safer than a poorly managed Windows box," Plato said.

Last week, Red Hat released a security advisory and an update to OpenSSH packages relating to its Red Hat Enterprise Linux software after hackers attempted to break into servers belonging to the company and the community-supported Fedora Linux project earlier this month.

In May, security expert Luciano Bello warned of a critical vulnerability in the way SSH keys are generated, an issue that affected Debian systems and Debian-based machines, including Ubuntu, its variants, and Knoppix.

