SSHowDowN Proxy attacks using IoT devices


Akamai’s Threat Research team has identified a recent spate of SSHowDowN Proxy attacks in which attackers use Internet of Things (IoT) devices to remotely generate attack traffic, exploiting a 12-year-old vulnerability in OpenSSH.

SSHowDowN Proxy attacks

The research and the subsequent advisory do not introduce a new type of vulnerability or attack technique; rather, they document a long-standing weakness in the default configurations of many Internet-connected devices. These devices are now being actively exploited in mass-scale attack campaigns.

The Threat Research Team has observed SSHowDowN Proxy attacks originating from the following types of devices:

  • CCTV, NVR, DVR devices (video surveillance)
  • Satellite antenna equipment
  • Networking devices (e.g. Routers, Hotspots, WiMax, Cable and ADSL modems, etc.)
  • Internet connected NAS devices (Network Attached Storage)
  • Other devices could be susceptible as well.

Compromised devices are being used for:

  • Mounting attacks against any kind of Internet target and any kind of Internet-facing service (for example HTTP and SMTP), as well as network scanning
  • Mounting attacks against the internal networks that host these connected devices.

Once malicious users gain access to the web administration console, it is possible to compromise the device’s data and, in some cases, fully take over the machine.

“We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” explained Eric Kobrin, director, Information Security, Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

Mitigation

  • Change the device’s SSH passwords or keys to ones that differ from the vendor defaults. However, this is typically not possible on the majority of Internet-connected devices.
  • Configure the device’s SSH service and take one or more of the following steps: add “AllowTcpForwarding no” to the sshd_config file, and add “no-port-forwarding” and “no-X11-forwarding” to the ~/.ssh/authorized_keys file for all users.
  • Disable SSH entirely via the device’s administration console.

If the device is behind a firewall, consider doing one or more of the following:

  • Disable inbound connections from outside the network to port 22 of any deployed IoT devices.
  • Disable outbound connections from IoT devices except to the minimal set of ports and IP addresses required for their operation.
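The following POSIX shell audit is an added example and is not part of Akamai’s advisory: it checks an sshd_config and an authorized_keys file for the forwarding settings listed above, so an operator can tell whether a device could still relay traffic for anyone who logs in with the vendor credentials. The sample files are constructed for the demo; sshd_config Match blocks and commas inside quoted authorized_keys option values are assumed absent.

```shell
# Added example: audit the two files the mitigation list names for
# TCP-forwarding settings. Sample files below are constructed for the demo.

# 0 when the first uncommented AllowTcpForwarding in $1 is "no" (sshd keeps the
# first value it reads; the default is "yes"). Match blocks are not handled.
sshd_forwarding_disabled() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "allowtcpforwarding" {
            found = 1; status = (tolower($2) == "no") ? 0 : 1; exit
        }
        END { if (!found) status = 1; exit status }
    ' "$1"
}

# 0 when every key in authorized_keys $1 carries no-port-forwarding (or
# restrict). Options precede the key type; quoted commas are not handled.
authorized_keys_hardened() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            opts = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? "" : $1
            n = split(opts, o, ","); ok = 0
            for (i = 1; i <= n; i++)
                if (o[i] == "no-port-forwarding" || o[i] == "restrict") ok = 1
            if (!ok) { bad = 1; printf "unrestricted key on line %d\n", NR }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# 0 only when both files are hardened: then the device cannot forward traffic
# for a logged-in user, whether or not the vendor credentials were changed.
audit_ssh_forwarding() {
    sshd_forwarding_disabled "$1" && authorized_keys_hardened "$2"
}

# Constructed sample files: vendor defaults beside hardened versions.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'Port 22\n# AllowTcpForwarding no\nAllowTcpForwarding yes\n' > "$TMP/sshd_config.default"
printf 'AllowTcpForwarding no\nX11Forwarding no\n' > "$TMP/sshd_config.hardened"
printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEY vendor@device\n' > "$TMP/authorized_keys.default"
printf 'no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EFAKEKEY vendor@device\n' > "$TMP/authorized_keys.hardened"

for v in default hardened; do
    if audit_ssh_forwarding "$TMP/sshd_config.$v" "$TMP/authorized_keys.$v"; then
        echo "$v: forwarding disabled"
    else
        echo "$v: device can still relay traffic over SSH"
    fi
done
```

Run it against the device’s real /etc/ssh/sshd_config and each user’s ~/.ssh/authorized_keys after applying the changes above; a non-zero exit from audit_ssh_forwarding means the forwarding path is still open.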