At the end of September 2018, the CrowdStrike® Falcon OverWatch™ team identified suspicious interactive activity on a Linux host within a customer’s network infrastructure.  An unknown actor accessed a secure shell (SSH) server through the use of valid credentials, previously obtained via unknown means. Once the actor was on the system, they elevated their privileges via the CVE-2016-5195 Linux kernel exploit (also known as “Dirty Cow”), and modified several key functions within both the SSH client and the SSH daemon (SSHD).  

The actor began by modifying two legitimate functions within the SSH client to capture and store a user’s SSH client credentials when they logged in. The functions were implemented to store the captured credentials to the following file:

PATH: /usr/share/man/man8/.../.../.Sh

The credentials were stored in the file in the following format:

<username> password:<password>\n

The actor modified a legitimate function within SSHD to enable authentication bypass and credential harvesting. The modified function first checks that the supplied password matches the “magic” password 'alleverALL'; the password is considered “magic” because when provided, it bypasses all legitimate checks within the SSH daemon, including username verification. If there is a match, the function ends and notifies the calling function that the authentication was successful. Alternately, if the entered password did not match, the modified function captured the credentials of the user to the following file:

PATH: /usr/share/man/man8/.../.../.Sd

The captured credentials are written in the following format:

<hostname> : <username> : <attempted_password>

The actor also modified three additional SSHD functions, to ensure that when a user authenticates with the “magic” password, all legitimate SSHD logging mechanisms are bypassed.

With the modifications to both the SSH client and daemon, the actor was well-established to collect valid credentials of legitimate users, as well as to persist on the system even in the face of enterprisewide credential changes.

The activity observed by the Falcon OverWatch team is indicative of the lengths a dedicated actor will go to remain entrenched within a compromised environment. The OverWatch team has repeatedly observed actors modifying systems within compromised infrastructures to suit their needs. For example, actors have been seen adding a Registry value on Windows systems to force the operating system to retain clear-text passwords in memory to ease credential theft, disabling and removing security products, and modifying the Windows firewall to allow their malware and tools access to the Internet.

Enterprisewide visibility across all systems is paramount to the early detection of the presence of a persistent adversary.  However, the ability to quickly detect their activity is of minimum value without rapid, decisive response.

Learn More
Download the 2018 Mid-Year Falcon OverWatch Report.
Visit the CrowdStrike Falcon® OverWatch web page.
Download the CrowdStrike 2020 Global Threat Report.
Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.