SSHowDowN Proxy attacks – A 12-Year-Old SSH bug exposes more than 2M IoT Devices

Akamai Technologies revealed that hackers are exploiting a 12-year-old bug in OpenSSH to hack into millions of IoT devices with SSHowDowN Proxy attacks.

IoT devices are a privileged target for attackers: design flaws and misconfigurations leave them open to compromise. Recently we have seen massive DDoS attacks powered by huge botnets made up of hundreds of thousands of compromised devices.

The number of potentially exposed IoT devices is growing day by day; security experts at Flashpoint have recently discovered more than 500,000 vulnerable IoT devices that could potentially be recruited into the Mirai botnet.

New research published by Akamai Technologies states that threat actors in the wild are exploiting a 12-year-old vulnerability in OpenSSH, tracked as CVE-2004-1653, to break into millions of IoT devices.

“While this has been reported before, the vulnerability has resurfaced with the increase of connected devices. Our team is currently working with the most prevalent device vendors on a proposed plan of mitigation. We would like to emphasize that this is not a new type of vulnerability or attack technique, but rather a weakness in many default configurations of Internet-connected devices, which is actively being exploited in mass scale attack campaigns against Akamai customers.” states the report published by Akamai Technologies.

The experts dubbed the new attack SSHowDowN Proxy because the attackers use the compromised IoT devices as proxies for malicious traffic. The SSHowDowN Proxy attack exploits the CVE-2004-1653 flaw, which concerns TCP forwarding being enabled by default and allows port bounces when a proxy is in use.

Akamai confirmed that at least 11 of its customers in various industries, including financial services, hospitality, retail, and gaming, have been hit by SSHowDowN Proxy attacks.

“Given credentials for a user account, often unchanged or unchangeable in IoT deployments, an attacker can use the -D or -L flags to ssh in order to turn the victim machine into a proxy (see diagram below). The -N flag can be added to prevent launching one of the disabled shells.”

The recent SSHowDowN Proxy attacks leverage a wide range of connected devices, including:

  • CCTV, NVR, DVR devices (video surveillance).
  • Satellite antenna equipment.
  • Networking devices (e.g. Routers, Hotspots, WiMax, Cable and ADSL modems, etc.).
  • Internet-connected NAS devices (Network Attached Storage).

Akamai estimates that over 2 million IoT devices and networking systems have already been compromised by SSHowDowN-type attacks.

Unfortunately, the vast majority of devices are exposed because of lax credential security: it is quite common to find smart objects configured with vendor default passwords or keys. Another shocking error is that some vendors still ship default, hard-coded credentials.

The attackers use these default passwords to remotely access the IoT devices and take full control of the system.

“New devices are being shipped from the factory not only with this vulnerability exposed but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.” explained Eric Kobrin, senior director of the Akamai Threat Research team.

The first suggestion to mitigate the threat is to change the factory default credentials of your IoT devices and, where possible, disable the SSH services they expose.

Another defensive measure is the adoption of a firewall with specific rules to control SSH access to the devices.

Vendors of smart objects are recommended to:

  • Avoid shipping such products with undocumented accounts.
  • Force their customers to change the factory default credentials after device installation.
  • Restrict TCP forwarding.
  • Allow users to update the SSH configuration to mitigate such flaws.
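To check whether a device's sshd configuration still leaves the door open to this kind of abuse, here is an added example (not Akamai's code and not taken from any vendor firmware): a small POSIX shell auditor that reads an sshd_config the way sshd does (the first occurrence of a directive wins, directive names are case-insensitive, and only the global section before any Match block is evaluated) and reports the settings the vendor recommendations above target: TCP forwarding, password logins, and root login. The three configurations embedded in it are constructed for this example, and the function names and messages are assumptions of mine rather than anything from the report.

```shell
#!/bin/sh
# Added example, not Akamai's or any vendor's code: audit an sshd_config for
# the settings the SSHowDowN Proxy attacks depend on (TCP forwarding allowed,
# password logins with factory credentials, root login). The three configs
# below are constructed for this example. Parsing follows sshd_config(5):
# the FIRST occurrence of a directive wins, names are case-insensitive,
# '#' starts a comment, and directives after a 'Match' line are conditional,
# so only the global section (before any Match) is evaluated here.

# Constructed factory-style config: AllowTcpForwarding is unset, so sshd
# falls back to its default of "yes".
WEAK_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin yes'

# Constructed config where an operator appended "no" below a vendor "yes":
# sshd keeps the first value, so forwarding is still allowed.
APPENDED_CONFIG='AllowTcpForwarding yes
PasswordAuthentication no
PermitRootLogin no
AllowTcpForwarding no'

# Constructed hardened config matching the vendor recommendations above.
HARDENED_CONFIG='Port 22
PasswordAuthentication no
PermitRootLogin no
AllowTcpForwarding no
PermitOpen none
GatewayPorts no'

# sshd_get CONFIG DIRECTIVE: print the effective global value of DIRECTIVE
# in lower case, or nothing when it is unset.
sshd_get() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || substr($1, 1, 1) == "#" { next }          # blank or comment
        tolower($1) == "match" { exit }                        # conditional block
        tolower($1) == want    { print tolower($2); exit }     # first value wins
    '
}

# sshd_forwarding_status CONFIG: "open" when a client may use -L/-D through
# this server (AllowTcpForwarding yes/local/unset and PermitOpen not "none"),
# "restricted" otherwise.
sshd_forwarding_status() {
    fwd=$(sshd_get "$1" AllowTcpForwarding)
    dst=$(sshd_get "$1" PermitOpen)
    case "${fwd:-yes}" in
        yes|local)
            if [ "$dst" = none ]; then echo restricted; else echo open; fi ;;
        *)
            echo restricted ;;
    esac
}

# sshd_audit CONFIG: print one finding per line, then a "findings: N" summary.
sshd_audit() {
    cfg=$1
    n=0
    if [ "$(sshd_forwarding_status "$cfg")" = open ]; then
        echo "TCP forwarding permitted: an authenticated user can turn this host into a proxy"
        n=$((n + 1))
    fi
    if [ "$(sshd_get "$cfg" PasswordAuthentication)" != no ]; then
        echo "PasswordAuthentication not disabled: factory or hard-coded passwords stay usable"
        n=$((n + 1))
    fi
    case "$(sshd_get "$cfg" PermitRootLogin)" in
        no|prohibit-password|without-password) ;;
        *)
            echo "PermitRootLogin not disabled (unset means a version-dependent default)"
            n=$((n + 1)) ;;
    esac
    echo "findings: $n"
}

# Audit a real file when one is given, otherwise run the constructed samples.
if [ -r "${1:-}" ]; then
    sshd_audit "$(cat "$1")"
else
    for name in WEAK_CONFIG APPENDED_CONFIG HARDENED_CONFIG; do
        echo "== $name =="
        eval "sshd_audit \"\$$name\""
    done
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` (the script and file names are assumptions) to audit a real device. On a device running OpenSSH, `sshd -T` prints the effective configuration after all parsing rules and Match blocks are applied, so feeding that output to `sshd_audit` is more authoritative than reading the file by hand; the APPENDED_CONFIG sample shows why this matters: a "no" appended below an earlier "yes" changes nothing.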

There is no time to waste: it is crucial to adopt a security-by-design approach to protect the billions of connected devices that already surround us!

Pierluigi Paganini

(Security Affairs – SSHowDowN Proxy, hacking)

The post SSHowDowN Proxy attacks – A 12-Year-Old SSH bug exposes more than 2M IoT Devices appeared first on Security Affairs.

Air Force Investigating Outage Of Classified Computer System At Key Drone Base

The Cyber Threat at Your Doorstep: Location-Specific Threat Intelligence


Analysis Summary

  • A location-specific cyber risk program evaluates cyber threats and risk at non-HQ locations to increase an organization’s information security.
  • Recorded Future expedites threat assessments — down to just two hours to generate an initial threat assessment for a country. Without Recorded Future, two people would need at least two months per country.
  • Recorded Future reduces workflow time from one month to one and half hours for quick, initial assessments — which is all that is needed in some cases.

“Ask anybody to name the riskiest cyber locations in the world, and chances are they’d be able to name about ten. The answers would be fairly consistent across the [information security] people you ask; but what about the other hundred and eighty-two countries out there?”

This question was posed by Lincoln Kaffenberger, a cyber security professional working at an international financial services company, during a recent webinar with Recorded Future. Kaffenberger and his team are highly focused on location-specific threat intelligence because of the company’s international operations, and also because “where you are matters.”

Organizations such as Kaffenberger’s face threats from geographically dispersed threat actor groups, as well as challenges posed by certain international governments which permit lawful communication monitoring.

Understanding the Risk of Business Travel

With offices in over 100 countries throughout the world, and employees from those locations traveling constantly, the organization has concerns about the devices used by employees during their travels and the security of the information on those devices. Sharing information about the company’s cyber threat intelligence methodology, Kaffenberger explained:

  • Why location matters when it comes to an organization’s cyber risk.
  • A framework for learning and measuring the specific cyber risk by physical location.
  • A methodology for measuring threats and risks in a way that’s empirical and standardized.
  • How Recorded Future helps them do this more quickly than before.

Kaffenberger said that the company needed to quickly gain specific knowledge of the threats in different countries, so they could adequately prepare. Through a carefully crafted threat intelligence program incorporating Recorded Future, they were able to:

  • Lower cyber risk outside of the headquarters.
  • Raise awareness within the user population.
  • Provide situation-specific advice and tools to use to help lower risk.

Defining a Threat Assessment Methodology

Threat intelligence — as opposed to threat data, which sometimes masquerades as “intelligence” — allows companies to identify the highest-risk threats and prepare. It’s important to understand the risk in geographies that aren’t necessarily in the “top ten,” but still put the company’s data and employees at risk.

Kaffenberger explained that the first step is to assess the situation in a given country:

  • What are the political, economic, and sociological conditions?
  • What is the infrastructure like? Where are the fiber lines connected? How do they connect to the broader internet? What countries are my traffic potentially traveling through? What natural hazards exist?

Then his team gauges location-specific threat actors:

  • What threat actors operate in that country or have affected that country?
  • What special security forces operate locally?

Next the team measures the level of threat based on each threat actor group’s intent and capability. It’s a complex, challenging problem, to be sure, but Kaffenberger says it’s absolutely worth the effort, as the team has become more accurate in its threat assessments, helping lower risk to the organization, and allowing employees to work more productively and securely around the world.

After gathering and analyzing all of this critical data, Kaffenberger and his team use it to generate a threat assessment. This is where Kaffenberger and his team use Recorded Future. The Intel Cards, he says, “in a quick snapshot, give me real-time information about that threat.”

Threat Actor Intel Card

An example Recorded Future Intel Card for a threat actor.

The detail and drill-down information provides a very quick way to determine if an actor is relevant.

Once a threat assessment has been completed, Kaffenberger and his team create a risk scenario for government monitoring, APTs, hacktivists, and cyber-crime. Combining internal telemetry and external data, like that from Recorded Future, the team is able to evaluate various scenarios that might exist when the company is operating in or an executive is traveling through an at-risk geography.

Combining Internal and External Sources

The internal information gathered comes from a detailed questionnaire that allows the threat intelligence group to imagine various scenarios. They carefully consider who’s traveling where, what information the employee has or has access to that is sensitive, operations, the nature of the relationships with persons at the organizations with whom the employee is doing business, procedures, the duration of the engagement, etc. Doing so “gives us a lot of context so we can build accurate risk scenarios,” says Kaffenberger.

Building on the scenarios, the team assesses the likelihood based on the threat actors’ intentions and capabilities to execute, and then the controls the company has internally that may prevent that scenario from happening. Once they’ve mapped the actors’ actions to controls that prevent threats, the team considers the impact on the information if that scenario occurs and the impact on the organization and then maps to controls to mitigate the threats. Threat intelligence informs risk strategies, so through this detailed process, Kaffenberger and his team allow the business to operate more efficiently. They have been able to develop a consistent, standardized, and empirical process that contributes to the continued growth of the organization as a whole.

A Holistic Threat Intelligence Program

A threat program isn’t one piece or stream of data, and Kaffenberger relies on a number of tools and skilled analysts. Recorded Future is an important part of the strategy. The team uses Recorded Future to generate a quick review of groups of actors in a concerning location, set queries, then filter down through queries to view more specific information on threat actors, actors’ tactics and techniques, and where geographically the actors are operating.

Threat Actor Intel Card

Analysts can pivot from an Intel Card to six different data visualizations for additional insight.

Threat Actor Timeline

Events related to RedHack are displayed on a timeline for chronological analysis.

The Intel Cards provide additional information associated with threat vectors and methods, which allows Kaffenberger and team to aggregate all relevant information, use it for searching or further research, and display all activity on a timeline — by severity, geography, or other type in which they might be interested.

Kaffenberger says Recorded Future is “a great way to get a good snapshot in time, a very quick assessment of how things are going.” Because of how the information is stored in Recorded Future, he can also check back at intervals to learn about changes or updates. Importantly, because security does not operate in a vacuum, the threat team can hand off intelligence gained from Recorded Future to the SOC (security operations center) so analysts can monitor for any changes and quickly contextualize the information when a change has taken place.

In closing, Kaffenberger said that Recorded Future is a real time saver when it comes to managing their complex threat intelligence program: “When we looked at what it would take to analyze all the countries that we care about, it would take us about three to five years. Using two people, assuming about two months to get all the information for a country, Recorded Future, for an initial assessment, cuts that time down to just two hours or less.”