In-brief: A common configuration flaw may be behind a massive network of IoT devices used in “credential stuffing” attacks, according to the security firm Akamai.
A common configuration flaw that has been documented for more than 12 years now affects millions of devices connected to the Internet of Things, and is contributing to large and diffuse attacks aimed at social media sites and other online services, according to a report by researchers at the firm Akamai.
Akamai said in a report released Wednesday that it has observed millions of Internet-connected devices taking part in web-based “credential stuffing” campaigns, a kind of slow-motion brute force attack in which attackers leverage stolen (or leaked) user name and password combinations to try to hack into accounts on a revolving list of popular sites. Typically, such low-volume attacks go unnoticed. However, Akamai’s view of more than 30% of the Internet allows it to tie such diffuse activity back to a common actor – like a single host trying to methodically log into 50,000 different web sites.
Upon investigation, Akamai realized that a well-known configuration error in Secure Shell (or SSH) was to blame, allowing attackers to commandeer Internet of Things devices as proxies to route malicious traffic to their desired target.
A variety of Internet-connected devices have been observed taking part in the attacks including IP enabled cameras, network video recorders, network attached storage (NAS) devices and even satellite antennas, according to Ory Segal, the Senior Director of Threat Research at Akamai.
Akamai researchers discovered the activity while researching large scale botnets made up of Internet of Things devices that have recently launched attacks on sites like Krebs on Security. “It was very interesting to us,” said Segal. “These devices were working in concert to attack multiple sites at a scale not seen before.”
Akamai has labeled the threat SSHowDowN (“showdown”). Like IoT botnets such as Mirai, which was involved with the attack on Krebs on Security, the SSHowDowN botnet was made up of Internet of Things devices: broadband routers, wi-fi hotspots, NVRs, CCTV cameras, NAS devices and so on.
However, unlike traditional botnets, in which attackers build large networks of computers running the same malicious “bot” software, SSHowDowN attacks emanated from what Segal called “single use” machines – devices that would take part in an attack on a single target, and then disappear, never to be seen again. Also: the traffic coming from these devices was identical – as if it all emanated from a single source. Furthermore, attack traffic was carefully managed across the population of bots with no overlap, a kind of meticulous load balancing not often seen in traditional botnets.
“We had this idea that these devices weren’t compromised so much as they were being exploited to take part in these round robin type attacks,” he said.
Further investigation of the devices bore that out. After downloading and analyzing the firmware from a handful of the devices that were taking part in the attacks, Akamai researchers found a likely culprit. Almost all the devices used one of two SSH software packages: OpenSSH or Dropbear SSH. All had TCP port forwarding enabled, and most shipped with default administrator credentials that hadn’t been changed. Attackers were taking advantage of the configuration flaw to launch attacks through the SSH daemon, even though they were not logging into the devices to do so, the Akamai researchers found.
As with many problems on the Internet of Things, the SSH proxy issue was an example of “failing to learn from history.” Security experts have been warning about the abuse of the TCP forwarding feature for more than a decade and urging administrators to simply change the configuration of the device to disallow TCP forwarding. However, SSH software still ships with the feature enabled and, if the Akamai research is any indication, downstream consumers of that software rarely think to disable the option.
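The setting the article refers to is the OpenSSH `AllowTcpForwarding` directive. The checker below is an added illustration, not code from Akamai or from this article: it reads an `sshd_config`, reports whether the daemon can still be used as a TCP proxy, and emits a hardened copy. The sample configuration is constructed; the directive names and the default-is-yes / first-occurrence-wins rules are OpenSSH's own.

```python
"""Audit an OpenSSH sshd_config for the TCP-forwarding setting SSHowDowN abused.

OpenSSH rules the checker follows:
  * keyword is AllowTcpForwarding (case-insensitive, "key value" or "key=value");
  * when the directive is absent the default is "yes" (forwarding allowed);
  * outside Match blocks, the first value given for a keyword wins;
  * "yes"/"all" allow both directions, "local"/"remote" allow one, "no" disables.
"""
import re

DEFAULT = "yes"  # OpenSSH default when the directive is not present at all

def effective_tcp_forwarding(config_text: str) -> str:
    """Return the AllowTcpForwarding value that applies to every session."""
    value, in_match = None, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        val = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True   # everything after a Match line is conditional
            continue
        if in_match:
            continue
        if key == "allowtcpforwarding" and value is None:
            value = val       # first occurrence wins in OpenSSH
    return value or DEFAULT

def forwarding_exposed(config_text: str) -> bool:
    """True when the daemon will relay TCP connections in at least one direction."""
    return effective_tcp_forwarding(config_text) in ("yes", "all", "local", "remote")

def harden(config_text: str) -> str:
    """Prepend the disabling directives and drop any existing AllowTcpForwarding
    lines (including those inside Match blocks) so nothing can re-enable it."""
    kept = [l for l in config_text.splitlines()
            if not re.match(r"^\s*allowtcpforwarding\b", l, re.I)]
    head = "AllowTcpForwarding no\nPermitOpen none\nGatewayPorts no\n"
    return head + "\n".join(kept) + "\n"

# Constructed sample resembling a firmware default: the directive is only present
# as a commented-out line, so the OpenSSH default ("yes") applies.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#AllowTcpForwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
"""
HARDENED_CONFIG = harden(WEAK_CONFIG)

if __name__ == "__main__":
    print("weak config exposed:", forwarding_exposed(WEAK_CONFIG))        # True
    print("hardened config exposed:", forwarding_exposed(HARDENED_CONFIG))  # False
```

A device that must keep forwarding for a legitimate use can narrow `PermitOpen` to the exact host:port pairs it needs instead of `none`; Dropbear is configured through command-line options rather than this file, so the parser above does not apply to it.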
The result now is that millions of Internet of Things devices have inherited that weak configuration and are susceptible to abuse in large scale attacks, Segal said.
“There’s no reason you should want folks hopping through IOT devices,” he said. “But I think it’s a matter of awareness. The (flaw) isn’t a new thing. The only thing we’ve discovered here is mass exploitation of it.”
Spammers have long used the same flaw to route spam mail through vulnerable, Internet-connected systems, Segal said. But this is the first evidence of someone harnessing the TCP forwarding flaw on IoT devices to do credential stuffing attacks.
The prospects going forward are not encouraging, he said. “The fact is, you can download a huge number of account credentials for a few dollars and start doing these round robin checks on as many websites as you can, then just wait until you connect.”