Pages

17 October, 2016

Akamai warns of IoT risk via unpatched vulnerability in OpenSSH

Akamai Technologies, the global content delivery network (CDN) service provider, has found that Internet of Things (IoT) devices to remotely generate attack traffic.

Akamai researchers Ory Segal and Ezra Caltum from the company’s Threat Research team have identified a recent spate of attacks whereby attackers are using Internet of Things (IoT) devices to remotely generate attack traffic using a 12-year old vulnerability in OpenSSH, which Akamai is calling SSHowDowN Proxy. OpenSSH is a set of security-related network-level utilities based on the Secure Shell (SSH) protocol.

Akamai stresses that this is not a new type of vulnerability or attack technique, but rather a continued weakness in many default configurations of Internet-connected devices. These devices are now actively being exploited in mass-scale attack campaigns against Akamai customers.

The Threat Research Team has observed SSHowDowN Proxy attacks originating from the following types of devices:
  • CCTV cameras, network video recorder (NVR), and digital video recorder (DVR) devices (video surveillance)
  • Satellite antenna equipment
  • Networking devices (e.g. routers, hotspots, WiMax, cable and ADSL modems)
  • Internet-connected network-attached storage devices

Other devices could be susceptible as well, Akamai said.

Compromised devices are being used for:
Mounting attacks against a multitude of Internet targets and Internet-facing services, such as HTTP, SMTP and network scanning
Mounting attacks against internal networks that host these connected devices

Once malicious users access the web administration console, they have been able to compromise the device’s data and, in some cases, fully take over the machine, Akamai said.

“We’re entering a very interesting time when it comes to distributed denial of service (DDoS) and other web attacks; ‘the Internet of Unpatchable Things’ so to speak,” explained Segal, Senior Director, Threat Research, Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

Some recommended approaches to mitigation include:
If the device offers access to alter the SSH passwords or keys, change those from the vendor defaults.
If the device offers direct file system access:

Add "AllowTcpForwarding No" into the global sshd_config file.
Add "no-port-forwarding" and "no-X11-forwarding" to the ~/ssh/authorized_ keys file for all users.
If neither option above is available, or if SSH access is not required for normal operation, disable SSH entirely via the device's administration console.

If the device is behind a firewall, consider doing one or more of the following:

Disable inbound connections from outside the network to port 22 of any deployed IoT devices
Disable outbound connections from IoT devices except to the minimal set of ports and IP addresses required for their operation.

Interested?

Akamai continues to monitor and analyse data related to this ongoing IoT threat. To learn more, download the research white paper (PDF)

posted from Bloggeroid

No comments:

Post a Comment