Ymir Vigfusson
July 1, 2025
Administrators, developers, and SREs have relied on Secure Shell (SSH) for over 20 years as the de‑facto remote‑access standard. Whether deploying code, managing cloud infrastructure, or troubleshooting production systems, SSH delivers direct, scriptable control at scale.
Attackers exploit it for the very same reasons. The moment an adversary breaches your perimeter, SSH turns into their reconnaissance, execution, exfiltration, and automation platform. They no longer need custom malware, just a foothold and an open session.
Authentication gates the door, but the real threat hides inside the encrypted session.
SSH provides exactly what it was designed to deliver: unrestricted remote control of critical systems. It is the quintessential administrator tool for fixing unexpected issues on servers, the “known unknown” issues that are hard to address through more controlled channels.
This strength of SSH, encrypted, low‑friction communication, also makes it an attacker’s favorite tool. The Sophos 2025 Threat Report confirms that remote‑access protocols such as SSH rank among the most abused vectors for attacker persistence, lateral movement, and data theft.
Traditional controls focus on who logs in. Such controls trust that the underlying communications protocols, exposed to anyone who can connect to the SSH server at a network level, are invulnerable. However, the moment the prompt appears, an attacker’s automation takes over, and security visibility disappears.
In 2024, SSH (Secure Shell) remained a significant attack vector, particularly due to vulnerabilities in OpenSSH, which is widely used for secure remote management of Linux systems. Despite the software having relatively few vulnerabilities over its long history compared to typical remote services, a critical vulnerability known as CVE-2024-6387 (dubbed "regreSSHion") was identified, affecting over 4.8 million internet-exposed OpenSSH servers. This flaw allows remote, unauthenticated code execution with root privileges and has been actively exploited in the wild.
Imagine an adversary who acquires valid SSH credentials. They rarely type in all commands by hand; they deploy or paste in tried-and-true scripts that sweep through the environment, hopping from host to host, escalating privileges, and exfiltrating data.
A simple loop harvests credentials, expands footholds, and blends seamlessly with legitimate traffic. These are the very same automation techniques administrators use daily, turned against the organization.
Secure file transfer programs such as SCP, SFTP, and FTPS ride on the same encrypted tunnel on port 22 that powers interactive SSH sessions. Once attackers possess credentials, they pivot from command automation to wholesale data theft—quietly pulling source code, configuration archives, or database dumps straight through the firewall.
Conventional DLP tools won’t necessarily decrypt or inspect these transfers, and network sensors register only routine SSH traffic.
Risk: Until every command inside the session is verified as intended by a human, attackers retain an undetected highway for exfiltration.
Keystrike’s human‑attestation model blocks non‑human input during file‑transfer operations by design. The product team is validating extended coverage across additional SSH utilities; meanwhile, recognizing the risk is critical to any defense strategy.
Despite most current controls, the risk is persistent for SSH as a protocol and method to exploit systems.
Encryption hides commands, scripts run at machine speed, and alerts arrive only after the damage is done.
Another critical incident in 2024 involved a supply chain attack where a backdoor was planted in XZ Utils, an upstream dependency for SSH on some systems. This backdoor (CVE-2024-3094) received a CVSS score of 10 and highlighted the risk of sophisticated, hard-to-detect attacks targeting SSH infrastructure
SSH gives whomever holds the keys the ability to act — and act fast. Whether the attacker runs commands by hand or through scripts, the threat is the same: unauthorized activity inside a sensitive channel. Automation makes the threat faster, but the root issue is access without verification. Attackers exploit that trusted channel to use, exfiltrate, and escalate, one typed command at a time or thousands via a script.
Keystrike addresses the core issue: ensuring that each command in a session comes from a trusted human operator. Providing security at the human interface device (HID) level, Keystrike verifies the physical intent of every execution. Whether an attacker pastes a one-liner or attempts to automate an entire attack chain, Keystrike stops the flow if the command isn’t issued, through physical keystrokes and mouse clicks, by the human authorized for the session..
Keystrike's HID‑level attestation blocks malicious commands via SSH. Crucially, blocking happens irrespective of how the attacker managed to conjure a rogue command to the SSH server. Since attestation relies on physical intent, the method blocks automation via SSH. Senior security engineers should still layer preventive and detective measures around critical SSH workflows:
These layered controls convert SSH from an open automation channel into a governed, audit‑ready workflow that attackers cannot hijack.
Perimeter hardening and MFA stop at the login banner. SSH’s scriptability continues inside the encrypted tunnel, providing attackers with an automation superhighway. Keystrike shuts down that highway by guaranteeing that every command originates from a verified human.
Secure the session. Shut down the playground. Schedule a demo to see Keystrike in action.
Try Keystrike in Your Environment for 30 Days