The United States Computer Emergency Readiness Team (US-CERT) is warning Linux users that they are being actively targeted by attackers using stolen SSH keys.
Secure Shell (SSH) keys are cryptographic key pairs used to authenticate logins between networked systems without a password. Whoever holds a private key can log in to every host whose authorized_keys file trusts the matching public key, which is what makes a stolen key valuable.
Once an attacker has logged in with a stolen key, US-CERT said in its advisory, they escalate to root (the advisory cites local kernel exploits) and install a rootkit known as Phalanx2. Phalanx2 is configured to harvest additional SSH keys from the compromised system, giving the attackers a fresh set of credentials to reach other hosts.
US-CERT is advising system administrators to identify systems where SSH keys are used, review the access paths those keys open to internet-facing systems, and ensure that systems are fully patched.
John Bambenek, a vulnerability handler with the SANS Internet Storm Center, said the biggest defense is to use a passphrase with keys used for remote authentication and on internet-facing machines.
"Sources of compromised keys could include the weak key vulnerability in Debian-based systems a few months ago, so if you haven't updated and replaced those keys, you ought to do so now," Bambenek said in the SANS Internet Storm Center Diary.
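The two checks the advice above calls for, finding private keys stored without a passphrase and finding authorized keys that fall into the Debian weak-key set, can be scripted. The audit below is an added example written for this article; it is not code from US-CERT, SANS, or Debian's ssh-vulnkey tool. It parses both the legacy PEM and the OpenSSH v1 private-key containers to see whether a key is encrypted, computes the MD5 fingerprint of each authorized key the way ssh-keygen -l did by default in 2008 (`ssh-keygen -l -E md5` today), and compares its last 20 hex digits against a blacklist in the format Debian's openssh-blacklist package uses. The key material and the blacklist are constructed inline so the script runs offline; the moduli are arbitrary numbers, not real keys, and the file paths are hypothetical. One caveat a passphrase does not remove: it protects the key file at rest, but a key already loaded into a running agent on a rooted host is still usable by the attacker.

```python
"""Audit SSH keys for passphrase-less private keys and Debian-blacklisted
public keys. Added example, not US-CERT's, SANS's or Debian's code; all
key material and the blacklist below are constructed so it runs offline."""
import base64
import hashlib
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
# Key type and base64 blob of a .pub / authorized_keys line, skipping any
# leading options such as from="..." or command="...".
PUBKEY_RE = re.compile(r"(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian bytes, leading 0x00 if the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def private_key_is_encrypted(pem_text: str) -> bool:
    """True if the private key is passphrase-protected.
    Legacy PEM keys carry 'Proc-Type: 4,ENCRYPTED' when encrypted (PKCS#8 uses its
    own BEGIN line); the OpenSSH v1 container stores the cipher name right after
    the magic, and 'none' means the key is stored in plaintext."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem_text:
        b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 container")
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    return "Proc-Type: 4,ENCRYPTED" in pem_text or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text


def md5_fingerprint(pubkey_line: str) -> str:
    """Hex MD5 of the decoded key blob (ssh-keygen -l -E md5, without colons)."""
    m = PUBKEY_RE.search(pubkey_line)
    if not m:
        raise ValueError("no public key found on line")
    return hashlib.md5(base64.b64decode(m.group(2))).hexdigest()


def load_blacklist(text: str) -> set:
    """Debian openssh-blacklist format: '#' comments, then one entry per line holding
    the last 20 hex digits (80 bits) of a weak key's MD5 fingerprint."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def is_debian_weak(pubkey_line: str, blacklist: set) -> bool:
    return md5_fingerprint(pubkey_line)[-20:] in blacklist


def audit(private_keys: dict, authorized_keys: dict, blacklist: set) -> list:
    """Return (path, problem) tuples for every key an administrator should replace."""
    findings = []
    for path, text in private_keys.items():
        if not private_key_is_encrypted(text):
            findings.append((path, "private key has no passphrase"))
    for path, lines in authorized_keys.items():
        for line in lines:
            if is_debian_weak(line, blacklist):
                findings.append((path, "authorized key is on the Debian weak-key blacklist"))
    return findings


# --- constructed sample data (hypothetical paths, arbitrary moduli, not real keys) ---
def _fake_rsa_pubkey_line(n: int, comment: str) -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def _fake_openssh_private_key(cipher: bytes, kdf: bytes) -> str:
    """Just enough of an openssh-key-v1 container to exercise the cipher check."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n"
                    "-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
WEAK_LINE = _fake_rsa_pubkey_line(0xC0FFEE1234567890ABCDEF, "deploy@buildhost")
OK_LINE = 'from="10.0.0.0/8" ' + _fake_rsa_pubkey_line(0xDEADBEEF0011223344556677, "admin@bastion")
# Constructed blacklist listing WEAK_LINE's fingerprint tail, standing in for Debian's real file.
BLACKLIST = load_blacklist("# constructed, not Debian's list\n" + md5_fingerprint(WEAK_LINE)[-20:] + "\n")
PRIVATE_KEYS = {"/home/deploy/.ssh/id_rsa": LEGACY_PLAIN,
                "/root/.ssh/id_rsa": LEGACY_ENCRYPTED,
                "/home/ops/.ssh/id_ed25519": _fake_openssh_private_key(b"none", b"none"),
                "/home/admin/.ssh/id_ed25519": _fake_openssh_private_key(b"aes256-ctr", b"bcrypt")}
AUTHORIZED_KEYS = {"/home/deploy/.ssh/authorized_keys": [WEAK_LINE, OK_LINE]}

if __name__ == "__main__":
    for path, problem in audit(PRIVATE_KEYS, AUTHORIZED_KEYS, BLACKLIST):
        print(f"{path}: {problem}")
```

On a real host you would feed `audit` the contents of every `~/.ssh/id_*` and `authorized_keys` file plus the blacklist files from `/usr/share/ssh/` (or run Debian's own ssh-vulnkey), and treat every finding as a key to regenerate and revoke everywhere its public half is trusted, not just on the host where it was found.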