Publication of a report on the lack of adequate protection for SSH led to an unexpected surge of scans
Hackers scanned websites running WordPress in search of directories containing private SSH keys, in order to break into them with accidentally exposed credentials.
SSH authentication can be carried out with the classical model (login and password) or with keys. In the second case, the administrator generates a key pair (a private and a public key). The private key is placed on the server you want to authenticate to; in turn, the user saves it in the local SSH configuration file.
Experts recorded an unexpected surge in scanning of websites for the presence of folders with specific names. Judging by the folder names, those conducting the scans were interested in private SSH keys: in particular, they searched for the keywords “root”, “ssh” and “id_rsa”.
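A defender-side detection for the scan pattern described above, as an added example that is not from the original article: it parses constructed combined-format access-log lines, flags requests whose path components match the keywords the scanners used, counts them per source, and separately reports any such request that was served with a 200, because that means a key file really was exposed. The log lines, addresses and the `analyse` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:12:00:02 +0000] "GET /.ssh/id_rsa HTTP/1.1" 404 162 "-" "curl/7.55"
203.0.113.7 - - [10/Oct/2017:12:00:02 +0000] "GET /root/.ssh/id_rsa HTTP/1.1" 404 162 "-" "curl/7.55"
203.0.113.7 - - [10/Oct/2017:12:00:03 +0000] "GET /ssh/id_rsa.pub HTTP/1.1" 404 162 "-" "curl/7.55"
198.51.100.9 - - [10/Oct/2017:12:01:00 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2017:12:01:05 +0000] "GET /backup/id_rsa HTTP/1.1" 200 1675 "-" "python-requests/2.18"
"""

# Minimal parser for the combined log format: source IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path components the article says the scanners were looking for.
KEY_TERMS = ("root", "ssh", "id_rsa")

def is_key_probe(path: str) -> bool:
    """True when any path component (dot-prefix stripped, e.g. '.ssh') matches a keyword."""
    parts = [p.lstrip(".").lower() for p in path.split("?")[0].split("/") if p]
    return any(p == t or p.startswith(t + ".") for p in parts for t in KEY_TERMS)

def analyse(log_text: str, threshold: int = 3):
    """Return (scanners, served): scanners maps a source IP to its number of
    key-path requests when that number reaches `threshold` (assumed value);
    served lists (ip, path) pairs where such a request got a 200, i.e. the
    web server actually handed out a file at a key-like path."""
    probes = defaultdict(int)
    served = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_key_probe(m["path"]):
            continue
        probes[m["ip"]] += 1
        if m["status"] == "200":
            served.append((m["ip"], m["path"]))
    scanners = {ip: n for ip, n in probes.items() if n >= threshold}
    return scanners, served

if __name__ == "__main__":
    scanners, served = analyse(SAMPLE_LOG)
    print("scanning sources:", scanners)
    print("key paths served with 200 (investigate first):", served)
```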
This may indicate that cybercriminals succeeded in obtaining private keys. It is likely that a vulnerability exists where website owners running WordPress made an operational error that left their SSH keys accessible to third parties.
The reason for the recent surge in scans might be a recent report from Venafi. Researchers surveyed 410 information security (IB) experts and found a widespread lack of adequate protection measures for SSH. As the survey showed, 61% of respondents do not limit or monitor the number of administrators managing SSH. Only 35% of respondents use policies that prohibit SSH users from configuring their own keys, leaving organizations in the dark about abuse by intruders. Only 23% change their keys once a quarter or more often; 40% do not change them at all or do so irregularly.