This article will explain the ACSIA alert called "reverse SSH attack".
Explaining the reverse SSH attack
A "reverse SSH attack" is a technique where an attacker establishes a connection from the victim's computer (the target) to the attacker's system, using the SSH (Secure Shell) protocol. This approach is opposite to the usual way of using SSH, where a user connects from their computer to a remote server.
Example of a "reverse SSH attack":
Let's consider a company with a secure internal network. Each employee has a computer that is connected to the company's network, and the IT team has set up stringent firewall rules to prevent unauthorized access.
An attacker outside the company's network wants to gain unauthorized access to the company's internal systems and sensitive data. However, due to the strong firewall and security measures in place, direct attacks against the company's computers are challenging.
To bypass the firewall and establish a foothold within the company's network, the attacker decides to use a "reverse SSH attack."
The attacker first compromises a public-facing web server that belongs to the company. They exploit a vulnerability in the server's software to gain unauthorized access and control over it.
Once inside the web server, the attacker installs a malicious program that listens for incoming connections using the SSH protocol. This program sets up a reverse SSH tunnel, creating a path for communication between the compromised web server and the attacker's system.
Next, the attacker sets up their system to wait for the reverse SSH connection from the compromised web server. When the connection is established, the attacker now has a direct channel to the company's internal network, as the connection is initiated from within the network, bypassing the firewall.
With this reverse SSH connection, the attacker can now move laterally within the company's network, accessing other devices and sensitive data. They can explore the network, escalate privileges, and potentially cause significant damage.
The "reverse SSH attack" technique allowed the attacker to circumvent the company's perimeter defenses and gain unauthorized access to the internal network.
ACSIA alerts you when a reverse SSH attack is performed on your infrastructure.