SSH is routinely abused by malware and threat actors for lateral movement.
Credential theft
Attackers harvest credentials from compromised systems using infostealers, keyloggers, memory scraping, filesystem collection, or by stealing private SSH keys and known_hosts files. Those credentials are then used to authenticate to additional hosts, increasing the attacker’s foothold.
Port forwarding
An attacker can use SSH client features (local/remote port forwarding or dynamic proxying/SOCKS) to pivot traffic through a compromised host. This enables access to internal-only services, bypasses network segmentation or perimeter controls, and can let attackers maneuver around firewall and IDS rules.
Agent hijacking
If SSH agent forwarding is enabled, an attacker who gains control of a host can use the forwarded agent socket to authenticate to other systems without ever possessing the private key file.
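Both the port-forwarding and agent-forwarding abuses above depend on server-side sshd_config settings. As an added example, not part of the original page, the following Python audit parses a constructed sshd_config with sshd's first-value-wins and Match-block semantics and flags every forwarding feature left enabled; the FORWARDING table (defaults and hardened values) is an assumption, not something the page states.

```python
import re

# Assumed policy (not from the page): keyword -> (OpenSSH default, hardened value).
FORWARDING = {
    "allowtcpforwarding": ("yes", "no"),          # local/remote port forwarding
    "allowagentforwarding": ("yes", "no"),        # forwarded agent socket
    "permittunnel": ("no", "no"),                 # tun(4) tunnels
    "allowstreamlocalforwarding": ("yes", "no"),  # unix-domain socket forwarding
}

def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]). Per sshd_config(5)
    the FIRST value for a keyword wins; lines after Match apply only to that block."""
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()             # drop comments/blanks
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            current = {}                                # open a new Match block
            blocks.append((value, current))
            continue
        current.setdefault(key, value.lower())          # first value wins
    return global_cfg, blocks

def audit(text):
    """List (scope, keyword, value) for each forwarding feature left enabled."""
    global_cfg, blocks = parse_sshd_config(text)
    findings = []
    for key, (default, safe) in FORWARDING.items():
        effective = global_cfg.get(key, default)        # defaults applied globally
        if effective != safe:
            findings.append(("global", key, effective))
        for criteria, cfg in blocks:                    # per-block overrides
            if key in cfg and cfg[key] != safe:
                findings.append(("Match " + criteria, key, cfg[key]))
    return findings

# Constructed sample sshd_config, not taken from a real host.
SAMPLE_CONFIG = """\
AllowAgentForwarding no
AllowAgentForwarding yes        # ignored: first value wins
AllowTcpForwarding = yes
Match User backup
    PermitTunnel yes
"""
```

On a live host, `sshd -T` prints the effective configuration with defaults already applied, which is a simpler input for the same check than the raw file.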
Privilege escalation
SSH provides remote shells; once an attacker obtains elevated privileges on a host they can access protected keys/secrets, modify SSH configuration or binaries, deploy backdoors, or create new user accounts — all of which facilitate broader lateral movement.
Some commonly abused vulnerabilities:
Many privilege escalation vulnerabilities are specific to certain distributions, software versions, kernel versions, and configurations. The number of these exploitable flaws is staggering. As such, attackers may run automated scripts that check for the presence of these bugs to figure out how to elevate their privileges.
Examples of such scripts include Linux Exploit Suggester, LinPEAS, and LinEnum.