Threat actors have exploited SSH-Snake, a recently released network mapping utility, to conduct malicious operations.

“SSH-Snake is a self-modifying worm that begins to spread itself across a network using SSH credentials discovered on a compromised system,” According to Miguel Hernández, a researcher at Sysdig.

“The worm automatically searches through known credential locations and shell history files to determine its next move.”

The developer of SSH-Snake, first introduced on GitHub in early January 2024, describes it as a “powerful tool” capable of automating network traversal through the utilization of SSH private keys found on systems.

This automated process generates a comprehensive network map along with its dependencies, facilitating vulnerability assessments regarding SSH and SSH private key compromises starting from a designated host. Moreover, SSH-Snake also supports the resolution of domains with multiple IPv4 addresses.

“It propagates and replicates itself entirely on its own—completely fileless” states the project description. “In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can.”

According to Sysdig, the shell script not only facilitates lateral movement but also provides more flexibility and concealment compared to traditional SSH viruses.

In real-world attacks, threat actors have been observed employing SSH-Snake to gather information such as target credentials, IP addresses, and bash command histories, as reported by the cloud security company. This data was obtained subsequent to the identification of a command-and-control (C2) server hosting the compromised information.

“The usage of SSH keys is a recommended practice that SSH-Snake tries to take advantage of in order to spread,” Hernández stated. “It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold.”

When contacted for comment, Joshua Rogers, the developer of SSH-Snake, conveyed to The Hacker News that the tool empowers legitimate system owners to pinpoint vulnerabilities in their infrastructure before they fall prey to exploitation by attackers. Rogers strongly encourages businesses to leverage SSH-Snake to “discover the attack paths that exist – and fix them.”

“It seems to be commonly believed that cyber terrorism ‘just happens’ all of a sudden to systems, which solely requires a reactive approach to security,” Rogers stated. “Instead, in my experience, systems should be designed and maintained with comprehensive security measures.”

“If a cyber-terrorist is able to run SSH-Snake on your infrastructure and access thousands of servers, focus should be put on the people that are in charge of the infrastructure, with a goal of revitalizing the infrastructure such that the compromise of a single host can’t be replicated across thousands of others.”

Additionally, Rogers highlighted the “negligent operations” of organizations that create and implement insecure infrastructure, making it vulnerable to compromise through a straightforward shell script.

“If systems were designed and maintained in a sane manner and system owners/companies actually cared about security, the fallout from such a script being executed would be minimized – as well as if the actions taken by SSH-Snake were manually performed by an attacker,” said Rogers.

“Instead of reading privacy policies and performing data entry, security teams of companies worried about this type of script taking over their entire infrastructure should be performing total re-architecture of their systems by trained security specialists – not those that created the architecture in the first place.”

Aqua recently unveiled a new botnet campaign named Lucifer, exploiting configuration errors and pre-existing vulnerabilities in Apache Hadoop and Apache Druid. This tactic is employed to entangle these systems in a network crafted for executing distributed denial-of-service (DDoS) attacks and cryptocurrency mining.

Palo Alto Networks Unit 42 took the lead in documenting this hybrid cryptojacking malware in June 2020, emphasizing its ability to compromise Windows endpoints by leveraging well-known security vulnerabilities.

The cloud security firm has reported detecting up to 3,000 unique attacks targeting the Apache big data infrastructure in the last month. Among these, individuals specifically target vulnerable Apache Flink instances to implant rootkits and miner software.

“The assailant executes the assault by capitalizing on pre-existing vulnerabilities and misconfigurations in those services,” explained Nitzan Yaakov, a security researcher.

“Apache open-source solutions are utilized by a substantial number of contributors and users.” Adversaries might perceive this widespread utilization as a chance to amass limitless resources in order to execute their assaults against the targets. 



Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center