Trickbot Updates Password Grabber Module
First seen in 2016, Trickbot is malware that steals system information, login credentials, and other sensitive data from vulnerable Windows hosts. Trickbot is modular malware, and one of its modules is a password grabber. In November 2019, we started seeing indicators of Trickbot’s password grabber targeting data from OpenSSH and OpenVPN applications.
Kevin Bocek, VP of security strategy and threat intelligence at machine identity protection provider Venafi:
“Cyber attackers know that SSH keys can provide complete control over devices, and the latest Trickbot malware is especially proficient at stealing these sensitive credentials. SSH keys need to be rotated frequently and the only way to do this effectively is with automation, but many organizations, including banks, never change them. In fact, most businesses have no idea when, or if, their SSH keys are being exploited because they allow bad actors to remain undetected. Even worse, many SSH keys never expire so they can be used to create long-term backdoors that allow attackers to gain access to networks for months or years. The vast majority of security teams have extensive password change policies, and organizations have spent billions on human identity management. Although SSH keys are used for many kinds of privileged access, most organizations do not have security controls in place to minimize the risks connected with them. Without broader recognition of the pivotal role SSH keys can play in attacks and the implementation of security controls to protect them, organizations will remain at risk to attacks like Trickbot, and the theft of SSH keys will continue.”