This article is more than 1 year old

Decade-old SSH vuln exploited by IoT botnet armies to hose servers

Internet of Unpatchable Things

Hackers are exploiting a 12-year-old vulnerability in OpenSSH to funnel malicious network traffic through Internet of Things (IoT) gizmos, Akamai warns.

The SSHowDowN Proxy attack [PDF] exploits a lingering weakness in many default configurations of internet-connected embedded devices. Compromised gadgets are being abused to fire tidal waves of junk packets and traffic that exploits vulnerabilities against Akamai customers and others.

Crucially, the commandeered gear masks the source of the malicious traffic as the packets appear to originate from the weak devices. This is good for miscreants to hide behind, especially if they can use this tunneling to attack internal networks from external gear.

IoT gear infected with the Mirai botnet malware was used to thoroughly smash the website of security researcher Brian Krebs offline.

Ryan Barnett, principal security researcher at Akamai, explained that the SSHowDowN Proxy attack threat is distinct from the Mirai IoT botnet. Mirai exploited weak default passwords in CCTV cameras and other gear to gain control of systems, whereas malware exploiting SSHowDowN attacks builtin SSH servers to route bad traffic.

“This research is not related to Mirai,” Barnett told El Reg. “This is about new abuse of a known weakness/vulnerability in SSH.”

Basically, CVE-2004-1653 is a default configuration in old versions of OpenSSH that can be exploited to forward ports, effectively bouncing packets from the IoT device. You have to know a correct username and password combo to pull this off – and there are plenty of default admin credentials out there to use – and even if the box is set up to prevent direct logins (such as using /sbin/nologin in /etc/passwd) it is still possible on vulnerable kit to bypass this and forward ports.

“Each one of these [port forwarding and weak default passwords] individually, isn’t as bad, but we are seeing that attackers are now leveraging them together to exploit the IoT devices as SOCKS proxies and conduct large-scale Credential Stuffing attack campaigns,” Barnett explained.

“The data we are sharing is demonstrating that these weaknesses can be leveraged for real damage.”

SSHowDowN Proxy attacks are originating from the following types of devices: CCTV, NVR, DVR devices (video surveillance), satellite antenna equipment, networking kit (eg, routers, hotspots, WiMax, cable and ADSL modems) and internet connected Network Attached Storage devices.

Ory Segal, senior director of threat research at Akamai, added: “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

Folks can mitigate against the risk of unwittingly becoming an agent in attacks by changing SSH passwords from vendor defaults or disabling SSH entirely via the device’s administration console, among other suggestions.

Enterprise sysadmins have the option of tightening up firewall port filtering rules in order to guard against attack, as explained in more detail in a blog post by Akamai here. ®

More about


Send us news

Other stories you might like