CRYSTALRAY hacker expands to 1,500 breached systems using SSH-Snake tool
Security News, July 2024
SSH-Snake is an open-source worm that steals SSH private keys on compromised servers and uses them to move laterally to other servers, dropping additional payloads on each breached system.
Previously, Sysdig identified roughly 100 CRYSTALRAY victims impacted by the SSH-Snake attacks and highlighted the capabilities of the tool, originally built for network mapping, to steal private keys and facilitate stealthy lateral network movement.
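One way a defender can hunt for the propagation pattern described above, as an added example that is not from the article or from Sysdig's report: parse sshd "Accepted publickey" lines and flag (a) a key fingerprint accepted from more than one source host, which is what a copied private key looks like, and (b) hop chains where a host that just accepted a key login becomes the source of the next one. The log lines, host inventory and fingerprints are constructed for the example; the ISO timestamp prefix is an assumption about how your logs are formatted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the standard sshd acceptance message; the "<ts> <host>" prefix is assumed.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)$"
)

# Constructed sample data: four logins, the first three forming a key-stealing hop chain.
SAMPLE_LOG = """\
2024-07-10T10:00:00 host-a sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2: ED25519 SHA256:AAAA1111
2024-07-10T10:02:10 host-b sshd[2202]: Accepted publickey for deploy from 10.0.0.10 port 51010 ssh2: ED25519 SHA256:AAAA1111
2024-07-10T10:03:30 host-c sshd[3303]: Accepted publickey for root from 10.0.0.11 port 51020 ssh2: RSA SHA256:BBBB2222
2024-07-10T11:30:00 host-d sshd[4404]: Accepted publickey for alice from 10.0.0.50 port 51030 ssh2: ED25519 SHA256:CCCC3333
"""
HOST_IPS = {"host-a": "10.0.0.10", "host-b": "10.0.0.11", "host-c": "10.0.0.12", "host-d": "10.0.0.13"}

def parse(log_text):
    """Return accepted-publickey events as dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def keys_used_from_multiple_sources(events):
    """Fingerprints accepted from more than one source IP. A deploy key used from one
    bastion to many hosts is normal; the same key arriving from several hosts is not."""
    sources = defaultdict(set)
    for e in events:
        sources[e["fp"]].add(e["src"])
    return {fp: sorted(s) for fp, s in sources.items() if len(s) > 1}

def hop_chains(events, host_ips, window=timedelta(minutes=15)):
    """Link a login to the most recent key login on its source host if it happened
    within `window`; return the longest resulting chain of hosts."""
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    last_login, chain_for, longest = {}, {}, []
    for e in events:
        src_host = ip_to_host.get(e["src"])
        prev = last_login.get(src_host)
        if prev is not None and e["ts"] - prev["ts"] <= window:
            chain = chain_for[src_host] + [e["host"]]
        else:
            chain = [e["host"]]
        chain_for[e["host"]], last_login[e["host"]] = chain, e
        longest = max(longest, chain, key=len)
    return longest
```

Run against real logs, treat a flagged fingerprint as a key to rotate and a multi-hop chain as the set of hosts to triage together.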
Sysdig says CRYSTALRAY uses modified proof-of-concept exploits delivered to targets using the Sliver post-exploitation toolkit, providing another example of misuse of open-source tooling.
Sysdig says Atlassian Confluence products are likely targeted, too, based on the observed exploitation patterns that emerge from attempts against 1,800 IPs, one-third of which are in the U.S.
CRYSTALRAY uses the Platypus web-based manager to handle multiple reverse shell sessions on the breached systems.
CRYSTALRAY aims to steal credentials stored in configuration files and environment variables using scripts that automate the process.
CRYSTALRAY deploys cryptominers on the breached systems to generate revenue by hijacking the host's processing power, with a script killing any existing cryptominers to maximize profit.