How attackers revived an ancient bug to destroy targets

Attackers are using a 12-year-old open source bug to recruit an army of millions of internet-connected devices and launch powerful traffic attacks against targets.

Researchers at Akamai have discovered that online criminals are using a bug that was addressed more than a decade ago to make Internet of Things (IoT) devices sling junk traffic at select targets.

The attacks rely on IoT devices deployed with default configurations, such as not requiring a password for connections using the Secure Shell (SSH) protocol, or factory-set credentials that are shared among potentially millions of devices.

Attacks seen by Akamai have used video surveillance equipment such as CCTV cameras and digital video recorders (DVRs), satellite antenna kit, home routers, and network attached storage devices.

Akamai says the compromise of these devices is linked to a 12-year-old bug in OpenSSH, a widely used suite of tools maintained by the OpenBSD project for encrypting network traffic.

Akamai calls the issue “SSHowDowN Proxy”, but notes that it is not a flaw in OpenSSH itself: it stems from default configurations that let the devices be used as proxies for relaying malicious traffic.
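As an added example (not from the article or from Akamai's report), the following shell script audits an sshd_config for the kind of defaults the article describes: empty-password logins, factory passwords left usable for remote login, and TCP forwarding, the OpenSSH feature that lets an authenticated session relay traffic through the host and is assumed here to be the proxy mechanism at issue. The two sample configs are constructed, and the directive names come from OpenSSH's sshd_config, not from the page.

```shell
#!/bin/sh
# Constructed samples (not from any real device): an sshd_config as a
# careless IoT firmware build might ship it, and the same file corrected.
WEAK_SSHD_CONFIG='Port 22
PermitEmptyPasswords yes
PasswordAuthentication yes
# AllowTcpForwarding is not set, so OpenSSH applies its default of yes
'
HARDENED_SSHD_CONFIG='Port 22
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
'

# sshd_directive KEY DEFAULT FILE: prints the effective value of a
# directive. sshd keeps the first uncommented occurrence (keywords are
# case-insensitive); DEFAULT is used when the directive is absent.
sshd_directive() {
  awk -v key="$1" -v def="$2" '
    tolower($1) == tolower(key) && !found { val = $2; found = 1 }
    END { print (found ? val : def) }' "$3"
}

# audit_sshd_config FILE: prints one line per weak setting; empty output
# means none of the checks fired.
audit_sshd_config() {
  if [ "$(sshd_directive PermitEmptyPasswords no "$1")" = yes ]; then
    echo "PermitEmptyPasswords yes: accounts with no password can log in"
  fi
  if [ "$(sshd_directive PasswordAuthentication yes "$1")" = yes ]; then
    echo "PasswordAuthentication yes: factory-set passwords allow login"
  fi
  if [ "$(sshd_directive AllowTcpForwarding yes "$1")" != no ]; then
    echo "AllowTcpForwarding enabled: sessions can relay TCP traffic"
  fi
}

# count_findings weak|hardened: number of weak settings in that sample
count_findings() {
  f=$(mktemp) || return 1
  if [ "$1" = weak ]; then printf '%s' "$WEAK_SSHD_CONFIG" > "$f"
  else printf '%s' "$HARDENED_SSHD_CONFIG" > "$f"; fi
  n=$(audit_sshd_config "$f" | wc -l | tr -d ' ')
  rm -f "$f"
  echo "$n"
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` on a device to see which of the three checks fire; the weak sample trips all three, the hardened one none.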

Most internet users probably aren’t familiar with the name Akamai, but they likely enjoy faster access to the sites they visit thanks to its network of data centres, which helps websites deliver content that would otherwise come from distant servers.

While Akamai is better known as a content delivery network (CDN), in recent years it has seen faster revenue growth in services that protect customers against distributed denial of service (DDoS) attacks, which flood targets with junk traffic typically corralled from hijacked servers, PCs and other devices.

The company provided DDoS protection to krebsonsecurity.com, a blog operated by cybercrime reporter Brian Krebs. However, it recently stopped protecting the site because of the cost of mitigating an attack on it that was launched from a network of hundreds of millions of compromised IoT devices, such as surveillance cameras.

Shortly after Krebs unmasked two people behind an Israel-based “stresser”, or DDoS-for-hire, service, the site came under an attack that peaked at 600Gbps, believed to be the largest on record. The compromised IoT devices used in the attack had been deployed with default configurations.

Eventually Google, which earned $75bn last year compared with Akamai’s $2bn, stepped in to help Krebs through Project Shield, its service for protecting freedom of expression online.

The scale of the attack on Krebs’ site raised new questions about IoT devices and the difficulties associated with securing them.

As security expert Bruce Schneier noted of the attack, DDoS is not new, but this case represented a market failure that required government intervention.

“What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own,” he wrote.

A more detailed report on SSHowDowN Proxy is available on Akamai’s website.

Stories by Liam Tung