Lexumo, a provider of an automated service for continuously monitoring Internet of Things (IoT) code for critical open source vulnerabilities, announced that its cloud-based platform has been constantly protecting customers from the SSHowDowN vulnerability (CVE-2004-1653) – prior to Akamai’s recent announcement.
The Akamai reports show that hackers are now exploiting the 12-year-old OpenSSH vulnerability to mount mass-scale attacks from millions of compromised IoT devices, including routers, cable modems, satellite TV equipment, and IP-connected cameras, DVRs and NAS (Network Attached Storage) devices.
The attacks create unauthorized SSH tunnels which are then used to route malicious traffic against victim sites while hiding the attackers’ identities. Attackers also use the devices as beachheads to launch internal attacks against corporate networks. The compromised devices are being used for mounting attacks against a multitude of Internet targets and Internet-facing services, such as HTTP and SMTP, for network scanning, and for mounting attacks against the internal networks that host these connected devices.
The report from Akamai’s Threat Research team highlighted how millions of Internet-connected (IoT) devices were being used as the source for web based credential stuffing campaigns. The firm found evidence that these IoT devices were being used as proxies to route malicious traffic due to some default configuration weaknesses in their operating systems.
While this has been reported before, the vulnerability has resurfaced with the increase of connected devices. Akamai reiterated that this is not a new type of vulnerability or attack technique, but rather a weakness in many default configurations of Internet-connected devices, which is actively being exploited in mass scale attack campaigns against Akamai customers.
End users must change the factory-default credentials of any Internet-connected device. Unless required for normal operation, completely disable the SSH service on any Internet-connected device. If SSH is required, put “AllowTcpForwarding No” into sshd_config. Consumers must also consider establishing inbound firewall rules preventing SSH access to IoT devices from outside of a narrowly trusted IP space, such as their own internal network, and putting outbound firewall rules in place for IoT devices at the network boundary, preventing tunnels established on the devices from resulting in successful outbound connections.
Device vendors must avoid shipping Internet-connected devices with undocumented accounts; disable SSH on devices unless absolutely required for normal operations; force users to change factory default account credentials after initial installation; configure SSH to disallow TCP Forwarding; and provide a secure process for end-users to update sshd configuration so that they may mitigate future vulnerabilities without having to wait for a firmware patch.
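The sshd_config change that both the end-user and vendor recommendations above call for is easy to get wrong, because sshd uses the first occurrence of a keyword and defaults to forwarding enabled when the keyword is absent. The following audit is an added example (not Lexumo’s, Akamai’s or OpenSSH’s own code); the sample configurations are constructed, and the function names are this example’s own.

```python
"""Audit (and fix) an sshd_config for the mitigation the article names:
AllowTcpForwarding no.

sshd semantics this relies on: keywords are case-insensitive, may be written
"Key value" or "Key=value", the FIRST occurrence of a keyword wins, the
compiled-in default is AllowTcpForwarding yes, and lines after a Match
block apply only to matching connections (ignored here, global section only).
"""
import re

_KV = re.compile(r'^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$')


def effective_tcp_forwarding(config_text):
    """Global AllowTcpForwarding value sshd would use: yes/no/local/remote/all."""
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                      # blank or comment line
        m = _KV.match(raw)
        if not m:
            continue                      # keyword with no value; sshd would reject it
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == 'match':
            break                         # rest is conditional, not global
        if key == 'allowtcpforwarding':
            return value                  # first occurrence wins
    return 'yes'                          # compiled-in default: forwarding allowed


def forwarding_disabled(config_text):
    return effective_tcp_forwarding(config_text) == 'no'


def harden(config_text):
    """Return a copy of the config whose global AllowTcpForwarding is 'no'.
    The directive is prepended so it is the first occurrence; earlier global
    copies are commented out so they do not mislead a later reader."""
    out, in_match = [], False
    for raw in config_text.splitlines():
        m = _KV.match(raw)
        key = m.group(1).lower() if m and not raw.lstrip().startswith('#') else ''
        if key == 'match':
            in_match = True
        if key == 'allowtcpforwarding' and not in_match:
            out.append('# ' + raw + '   # superseded by hardened setting')
        else:
            out.append(raw)
    return 'AllowTcpForwarding no\n' + '\n'.join(out) + '\n'


# Constructed sample configs (not taken from any real device):
FACTORY_DEFAULT = "Port 22\nPermitRootLogin yes\n"                    # directive absent
APPENDED_FIX = "AllowTcpForwarding yes\nPort 22\nAllowTcpForwarding no\n"  # "no" appended too late
```

Run against a real file with `open('/etc/ssh/sshd_config').read()`; `sshd -T` on the device itself remains the authoritative check, since it resolves Match blocks and build defaults.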
Lexumo uses graph analytics and machine learning developed for DARPA to precisely identify public vulnerabilities such as Heartbleed, Shellshock (Bashdoor), and SSHowDowN in IoT code. The platform also provides detailed instructions for remediating vulnerabilities in order to avoid their exploitation by cyberattackers. The company was recently recognized as an IoT Company to Watch and a Machine Learning Startup to Watch.
“Cyberattackers look for the path of least resistance – and vulnerabilities that have been around for years are a great place to start,” said Richard Carback, PhD, co-founder and Chief Architect at Lexumo. “Unlike with zero days, information about public open source vulnerabilities is broadly available via public message boards and email lists. Many IoT devices are particularly vulnerable because they haven’t been designed with security in mind, so there’s a good chance this type of attacker technique will become significantly more popular in the future. It would seem like a minimum standard of due care for manufacturers to use automation to ensure they’re not shipping devices with vulnerabilities like SSHowDowN.”
The impact of shipping insecure IoT devices was also illustrated a few weeks ago when cyberattackers exploited vulnerabilities in 1.5 million IoT devices to generate the world’s most powerful Distributed Denial of Service (DDoS) attack to date. The attack successfully disabled the website of well-known security researcher Brian Krebs. Cyberattackers also leveraged their massive botnet army to launch a separate DDoS attack on European ISP OVH that reached nearly one terabit per second (Tbps).