Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

SSHowDowN Proxy attacks – A 12-Year-Old SSH bug exposes more than 2M IoT Devices

Akamai Technologies revealed that hackers are exploiting a 12-year-old bug in OpenSSH to hack into millions of IoT devices with SSHowDowN Proxy attacks. IoT devices are a privileged target for hackers, design flaws and wrong configurations open to the attackers. Recently we read about massive DDoS attacks powered by huge botnets powered by hundreds of […]

SSHowDowN Proxy attacks – A 12-Year-Old SSH bug exposes more than 2M IoT Devices

Akamai Technologies revealed that hackers are exploiting a 12-year-old bug in OpenSSH to hack into millions of IoT devices with SSHowDowN Proxy attacks.

IoT devices are a privileged target for hackers, design flaws and wrong configurations open to the attackers. Recently we read about massive DDoS attacks powered by huge botnets powered by hundreds of thousand compromised devices.

The number of potentially exposed IoT devices is growing day by day, security experts from Flashpoint firm have recently discovered more than 500,000 vulnerable IoT devices that could be potentially recruited in the Mirai botnet.

A new research published by Akamai Technologies states that threat actors in the wild are exploiting a 12-year-old vulnerability in OpenSSH, tracked as CVE-2004-1653, to hack into millions of IoT devices.

“While this has been reported before, the vulnerability has resurfaced with the increase of connected devices. Our team is currently working with the most prevalent device vendors on a proposed plan of mitigation. We would like to emphasize that this is not a new type of vulnerability or attack technique, but rather a weakness in many default configurations of Internet-connected devices, which is actively being exploited in mass scale attack campaigns against Akamai customers.” states the report published by Akamai Technologies.

The new attack was dubbed by the experts SSHowDowN Proxy because attackers are able to use the compromised IoT devices as proxies for malicious traffic. The SSHowDowN Proxy attack exploits the CVE-2004-1653 flaw to enable TCP forwarding and port bounces when a proxy is in use.

Akamai confirmed that at least 11 of its customers in various industries, including financial services, hospitality, retail, and gaming have been hit with of SSHowDowN Proxy attacks.

“Given credentials for a user account, often unchanged or unchangeable in IoT deployments, an attacker can use the-D or -L flags to ssh in order to turn the victim machine into a proxy (see diagram below) The -N flag can be added to prevent launching one of the disabled shells.”

sshowdown-proxy-attack

The recent SSHowDowN Proxy attacks leverage on a wide range of connected devices, including:

  • CCTV, NVR, DVR devices (video surveillance).
  • Satellite antenna equipment.
  • Networking devices (e.g. Routers, Hotspots, WiMax, Cable and ADSL modems, etc.).
  • Internet-connected NAS devices (Network Attached Storage).

Akamai estimates that over 2 Million IoT devices and networking systems have been already compromised by SSHowDowN type attacks.

Unfortunately, the vast majority of devices is exposed due to lax credential security, it is quite common to find smart objects configured with vendor default passwords or keys. Another shocking error is that some vendors still implement default and hard-coded credentials.

The attacker used the password to remotely access the IoT devices and take full control over the system.

“New devices are being shipped from the factory not only with this vulnerability exposed but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.” explained Eric Kobrin, senior director of the Akamai Threat Research team.

The first suggestion to mitigate the threat is to change the factory default credentials of your IoT device and disable, if possible, SSH services they expose.

Another defense measure could be the adoption of firewall that uses specific rules to manage SSH accesses to the devices.

Vendors of smart objects are recommended to:

  • Avoid shipping such products with undocumented accounts.
  • Force their customers to change the factory default credentials after device installation.
  • Restrict TCP forwarding.
  • Allow users to update the SSH configuration to mitigate such flaws.

There is no time to waste, it is crucial to adopt a security by design approach to protect billion of connected devices that are already surrounding us!

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SSHowDowN Proxy, hacking)