Skip to main content

Hackers use SSH to control connected devices for brute-force attacks

akarnai ssh report brute force credential stuffing internet devices data center feat
Content delivery network service provider Akamai Technologies released a new report on Wednesday (PDF) stating that hackers are taking advantage of a 12-year-old vulnerability in OpenSSH to gain control of internet-connected devices for mass-scale attack campaigns. The company dubs these attacks as “SSHowDowN Proxy,” which for now seem focused on using video surveillance devices, satellite antenna equipment, network devices, and internet-connected network-attached storage units.

According to the company, these compromised devices are used as proxies to attack a number of internet-based targets and “internet-facing” services, as well as the internal networks that host them. Hackers are actually gaining control of the devices by accessing their low-level command line console that still relies on the factory-shipped default login credentials provided by the vendor.

SSH stands for Secure Shell, and is a cryptographic network protocol that provides a secure channel, enabling services like remotely accessing a desktop residing on a home network from a public Wi-Fi access point. This protects data like usernames and passwords as the information travels across the internet. But this protocol isn’t completely secure, and Edward Snowden even indicated that the NSA could decrypt some SSH traffic.

Akamai began its investigation after it noticed active malicious HTTP/HTTPS traffic stemming from a third-party Network Video Recorder device targeting customer accounts. After determining that there were no unauthorized users accessing its network, the company then listed the device’s live network connections and their associated process IDs. The results showed that someone was running SSH connections using the default “admin” credentials provided by the manufacturer.

The thing is, the admin/admin credentials, by default, only allows web-based access to the machine, and does not provide SSH-level access. Whoever accessed the NVR machine took advantage of several SSH options to get past the default credential restriction. After that, the hacker set up the device as a proxy server, which establishes a TCP connection to a legitimate server from a remote client. Thus, any attack on a network would appear to stem from the NVR machine itself.

With all of this in mind, the company turned to other internet-connected devices to see if they have the same problem. In addition to the group of devices listed above, the company also saw that many units had additional weak points where a hacker wouldn’t need credentials at all to gain access to the device. For instance, one popular router has a “root” privileged user account while a common wireless hot spot doesn’t require a password for SSH connections.

As previously stated, the capability of this attack isn’t just internet-based. SSHowDowN Proxy could be used internally on a home or office network too.

“We managed to confirm and validate the feasibility of this severe abuse-case in our lab environment, and believe that malicious users are and will continue to actively exploiting this to penetrate private networks.”

So what are hackers actually doing with these devices? In the case of Akamai Technologies, they’re trying to break into customer accounts by way of a “credential stuffing” attack. They have gained access to username/password pairs and are automatically injecting the information via brute force at the account login page.

Although the report focuses on Akamai customers, the problem extends beyond the company’s user base. Akamai suggests that consumers change the default credentials of their internet-connected devices, and to make specific changes if the device offers direct file system access. Consumers are also suggested to disable SSH if the feature is not required.

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Meta Quest 3 vs. Quest Pro: Which is right for you?
From a side view, you can see how glasses can be worn along with a Quest Pro.

Meta recently announced the Quest 3, a mid-range VR headset that matches some features of the more expensive Quest Pro. If you'd like to explore virtual reality for games, entertainment, and work, there are several points to consider before making a decision.

The operating system and app library are virtually the same. We need to examine the price, performance, image quality, comfort, and special features to determine the best VR headset and which is right for you.

Read more
Don’t miss your chance to get this 15-inch HP laptop for $300
hp 15 6 inch laptop deal may 2023 15t featured image lifestyle

If you're in the market for a cheap laptop, there's no need to only dig for the low budget options. Laptop deals help cut the price on mid-range laptops, bringing them down to budget prices. For instance, right now HP is selling their 15-inch laptop for $300 after a $160 discount. Check out the specs below, then buy one before the HP laptop sale ends.

Why you should buy the HP 15-inch laptop
Anyone seeking out one of the best budget laptops is likely to be tempted by this one. It has an AMD Athlon Silver processor along with 8GB of memory and 128GB of SSD storage. While none of that is spectacular, we often see laptops around this price with 4GB of memory or even eMMC storage instead of SSD, so that's a bonus.

Read more
Windows 11 is about to make RGB peripherals way easier to use
Switches on the Razer DeathStalker V2.

Windows 11 is finally creating a solution for the multitude of RGB apps that clutter most gaming PCs. The long-rumored feature is with Windows Insiders now through Build 23475, which Windows announced in a blog post on Wednesday.

The feature, called Dynamic Lighting, looks to unify all of the different apps and devices that use RGB lighting so you don't have to bounce between several different apps. More importantly, Microsoft is doing so through the open HID LampArray standard, which makes it compatible with a long list of devices. Microsoft says it already has partnerships with Acer, Asus, HP, HyperX, Logitech, Razer, and Twinkly to support Dynamic Lighting.

Read more