Crooks are mass-scanning websites for directories that may contain SSH private keys, so they can use any accidentally exposed key to log into the servers behind those sites.
SSH authentication can work via the classic username-password model or via key-based authentication. The latter works when admins generate a key pair (RSA is the traditional choice; ECDSA and Ed25519 keys are also common), made of a public and a private key.
The public key is added to the authorized_keys file on the server the owner wants to log into, while the private key stays on the user's own machine, typically in the ~/.ssh directory under a name such as id_rsa, and must never be published.
Wordfence, a US-based WordPress security firm, noticed last night a massive wave of scans for folder names suggesting the attacker was looking for SSH private keys.
Attackers requested web directories and files whose names contained terms, or combinations of terms, such as "root," "ssh," or "id_rsa." The scans came out of the blue, as there had been little activity of this type before this week.
"In the past 24 hours, we have seen a new attacker start mass-scanning websites for private SSH keys," said Wordfence CEO Mark Maunder in a report published last night.
"The graph shows a massive spike in scanning activity in the past 48 hours," Maunder said. "We think this increase of activity may indicate that an attacker is having some success scanning for private keys and has decided to increase their efforts. This may indicate a common bug or operational mistake that is being made by WordPress site owners, by which private keys are being accidentally made public."
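The scan pattern described above leaves a distinctive trace in web server access logs: one client requesting many paths built from "root", "ssh" and "id_rsa" in quick succession. The following is an added example, not code from Wordfence or from the original article, that parses combined-format access log lines and flags such clients. The log lines are constructed samples (documentation-range addresses, invented timestamps), the three search terms are the ones reported in the article, and the idea of treating a probe answered with HTTP 200 as an urgent alert is my own.

```python
import re
from collections import defaultdict

# Combined-format access log line (Apache/nginx default), for example:
# 203.0.113.7 - - [23/Oct/2017:03:14:07 +0000] "GET /.ssh/id_rsa HTTP/1.1" 404 209 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_key_probe(path: str) -> bool:
    """True if the requested path looks like a hunt for SSH key material.

    The terms are the ones Wordfence reported: "root", "ssh" and "id_rsa".
    "root" and "ssh" must appear as whole path components, so that e.g.
    /themes/rootline/style.css is not flagged; "id_rsa" is matched as a
    substring so id_rsa.pub, id_rsa.bak and similar names are caught too.
    """
    p = path.lower().split("?", 1)[0]          # ignore the query string
    tokens = set(re.split(r"[/._-]+", p))      # split on path and name separators
    return "id_rsa" in p or "ssh" in tokens or "root" in tokens


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-combined line: skip rather than guess
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_key_scanners(lines, min_probes: int = 3):
    """Map client IP -> sorted distinct key-looking paths, for clients with >= min_probes."""
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_key_probe(rec["path"]):
            probes[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in probes.items() if len(paths) >= min_probes}


def successful_probes(lines):
    """(ip, path) pairs where a key-looking request got HTTP 200: triage these first."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200 and is_key_probe(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits


# Constructed sample log for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Oct/2017:03:14:07 +0000] "GET /.ssh/id_rsa HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2017:03:14:08 +0000] "GET /root/.ssh/id_rsa HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2017:03:14:08 +0000] "GET /ssh/id_rsa HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2017:03:14:09 +0000] "GET /backup/id_rsa HTTP/1.1" 200 1675 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Oct/2017:03:15:01 +0000] "GET /wp-content/themes/rootline/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Oct/2017:03:15:02 +0000] "GET /.ssh/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Oct/2017:03:16:00 +0000] "GET /index.php HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, paths in find_key_scanners(SAMPLE_LOG).items():
        print(f"scanner {ip}: {len(paths)} key probes: {', '.join(paths)}")
    for ip, path in successful_probes(SAMPLE_LOG):
        print(f"ALERT: {ip} fetched {path} with HTTP 200; verify the file and rotate the key if real")
```

Run against a real log with `find_key_scanners(open("/var/log/nginx/access.log"))`; the threshold of three distinct probes keeps a single stray request for /.ssh/ from being reported as a scanner, while the 200 responses are what matter most, since a 404 tells the attacker nothing.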
The sudden spike may also be linked to a report published at the start of the week by Venafi, a provider of identity protection services.
The company conducted a study among 410 IT security professionals and found "a widespread lack of SSH security controls."
Public bug disclosures or reports like these often trigger a reaction from the cybercriminal underground, whose members read infosec-themed sites as avidly as security professionals do.
Website owners are advised to check that they have not accidentally uploaded an SSH private key to a public web server, or committed one to a Git or SVN repository. Setting a passphrase on the private key also stops an attacker from using it directly, even if he gets his hands on the file. A passphrase only buys time, though: with the file in hand an attacker can guess passphrases offline, so a key that has been exposed should be treated as compromised, replaced, and its public half removed from authorized_keys on every server that trusted it.
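One way to perform the check just described, as an added example that is not code from the article or from Wordfence: walk a web root or repository checkout, find files that carry a private-key PEM header, and report whether each one is passphrase-protected. The detection relies on the documented key formats (a "Proc-Type: 4,ENCRYPTED" header in legacy PEM keys, the "ENCRYPTED PRIVATE KEY" PKCS#8 label, and the cipher name field that follows the "openssh-key-v1" magic in OpenSSH-format keys). The sample tree it audits is constructed inline from placeholder bodies and truncated OpenSSH blobs that are not usable keys; the function and file names are mine.

```python
import base64
import os
import re
import struct
import tempfile

# Any PEM block whose label ends in PRIVATE KEY (RSA, EC, DSA, OPENSSH, ENCRYPTED, plain PKCS#8).
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\s*(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length + bytes) starting at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated OpenSSH key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def openssh_cipher(body_b64: str):
    """Return (ciphername, kdfname) from an OpenSSH-format key body; 'none' means unencrypted."""
    blob = base64.b64decode("".join(body_b64.split()))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
    kdf, _ = _read_ssh_string(blob, off)
    return cipher.decode(), kdf.decode()


def classify_key(text: str):
    """Return (pem_label, passphrase_protected) for the first private key in text, else None."""
    m = PEM_RE.search(text)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        cipher, _ = openssh_cipher(body)
        return label, cipher != "none"
    if label == "ENCRYPTED PRIVATE KEY":        # PKCS#8, encrypted by definition
        return label, True
    # Legacy PEM (RSA/EC/DSA) and plain PKCS#8: encrypted keys carry a Proc-Type header.
    return label, "Proc-Type: 4,ENCRYPTED" in body


def audit_tree(root: str, max_bytes: int = 64 * 1024):
    """Scan every file under root and list the private keys found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)      # key files are small; cap reads on large assets
            except OSError:
                continue
            res = classify_key(data.decode("utf-8", "replace"))
            if res:
                label, encrypted = res
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"path": rel, "type": label, "encrypted": encrypted})
    return sorted(findings, key=lambda f: f["path"])


# --- constructed sample data for the demo; none of these are real keys ---
def _openssh_pem(cipher: bytes, kdf: bytes) -> str:
    """Build the first fields of an openssh-key-v1 blob (magic, cipher, kdf, options, count)."""
    blob = OPENSSH_MAGIC
    for field in (cipher, kdf, b""):
        blob += struct.pack(">I", len(field)) + field
    blob += struct.pack(">I", 1)                 # number of keys; real keys continue past here
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_FILES = {
    ".ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVG\n-----END RSA PRIVATE KEY-----\n",
    "backup/id_rsa.enc": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n"
                          "-----END RSA PRIVATE KEY-----\n"),
    "root/id_ed25519": _openssh_pem(b"aes256-ctr", b"bcrypt"),   # passphrase-protected
    "deploy/key": _openssh_pem(b"none", b"none"),                # no passphrase
    "index.html": "<html><body>hello</body></html>\n",
}


def write_sample_tree(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo_audit():
    root = tempfile.mkdtemp(prefix="keyaudit-")
    write_sample_tree(root)
    return audit_tree(root)


if __name__ == "__main__":
    for f in demo_audit():
        state = "passphrase-protected" if f["encrypted"] else "UNPROTECTED"
        print(f"{f['path']}: {f['type']} ({state}); rotate it either way if the file was reachable")
```

Point `audit_tree` at the document root of each site and at a fresh `git clone` of each repository; a key that shows up in the repository history but not the working tree is still exposed, so also grep the history (`git log -p -S 'PRIVATE KEY'`) rather than only the checkout.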
Image credits: Magicon, Bleeping Computer, Wordfence