Hackers use SSH to control connected devices for brute-force attacks

akarnai ssh report brute force credential stuffing internet devices data center feat
Content delivery network service provider Akamai Technologies released a new report on Wednesday (PDF) stating that hackers are taking advantage of a 12-year-old vulnerability in OpenSSH to gain control of internet-connected devices for mass-scale attack campaigns. The company dubs these attacks as “SSHowDowN Proxy,” which for now seem focused on using video surveillance devices, satellite antenna equipment, network devices, and internet-connected network-attached storage units.

According to the company, these compromised devices are used as proxies to attack a number of internet-based targets and “internet-facing” services, as well as the internal networks that host them. Hackers are actually gaining control of the devices by accessing their low-level command line console that still relies on the factory-shipped default login credentials provided by the vendor.

SSH stands for Secure Shell, and is a cryptographic network protocol that provides a secure channel, enabling services like remotely accessing a desktop residing on a home network from a public Wi-Fi access point. This protects data like usernames and passwords as the information travels across the internet. But this protocol isn’t completely secure, and Edward Snowden even indicated that the NSA could decrypt some SSH traffic.

Akamai began its investigation after it noticed active malicious HTTP/HTTPS traffic stemming from a third-party Network Video Recorder device targeting customer accounts. After determining that there were no unauthorized users accessing its network, the company then listed the device’s live network connections and their associated process IDs. The results showed that someone was running SSH connections using the default “admin” credentials provided by the manufacturer.

The thing is, the admin/admin credentials, by default, only allows web-based access to the machine, and does not provide SSH-level access. Whoever accessed the NVR machine took advantage of several SSH options to get past the default credential restriction. After that, the hacker set up the device as a proxy server, which establishes a TCP connection to a legitimate server from a remote client. Thus, any attack on a network would appear to stem from the NVR machine itself.

With all of this in mind, the company turned to other internet-connected devices to see if they have the same problem. In addition to the group of devices listed above, the company also saw that many units had additional weak points where a hacker wouldn’t need credentials at all to gain access to the device. For instance, one popular router has a “root” privileged user account while a common wireless hot spot doesn’t require a password for SSH connections.

As previously stated, the capability of this attack isn’t just internet-based. SSHowDowN Proxy could be used internally on a home or office network too.

“We managed to confirm and validate the feasibility of this severe abuse-case in our lab environment, and believe that malicious users are and will continue to actively exploiting this to penetrate private networks.”

So what are hackers actually doing with these devices? In the case of Akamai Technologies, they’re trying to break into customer accounts by way of a “credential stuffing” attack. They have gained access to username/password pairs and are automatically injecting the information via brute force at the account login page.

Although the report focuses on Akamai customers, the problem extends beyond the company’s user base. Akamai suggests that consumers change the default credentials of their internet-connected devices, and to make specific changes if the device offers direct file system access. Consumers are also suggested to disable SSH if the feature is not required.

Computing

These are the worst passwords of 2018. Is yours on this list?

Do you use a bad password that makes your online accounts easy to break into? SplashData has compiled a list of the top 100 worst passwords for 2018 and there are quite a few listings that were carryovers from prior lists.
Gaming

Want to share your Xbox One games? Here's how to do it

Sharing games on modern consoles is possible, but it takes a few steps. Here's how to start sharing games on your Xbox One console, so friends and family can easily access your library.
Computing

Fix those internet dead zones by turning an old router into a Wi-Fi repeater

Is there a Wi-Fi dead zone in your home or office? A Wi-Fi repeater can help. Don't buy a new one, though. Here is how to extend Wi-Fi range with another router you have lying around.
Computing

Is your PC slow? Here's how to restore Windows 10 to factory settings

Computers rarely work as well after they accumulate files and misconfigure settings. Thankfully, with this guide, you'll be able to restore your PC to its original state by learning how to factory reset Windows.
Computing

You’ll soon be able to scribble all over PDFs on your Chromebook

Chrome OS users may soon be able to doodle all over their PDF documents with the possible addition of a new feature in Chrome OS' PDF viewer. The annotation feature is expected to allow users to hand draw or write over their documents.
Virtual Reality

Oculus Rift vs. HTC Vive: Prices drop, but our favorite stays the same

The Oculus Rift and HTC Vive are the two big names in the virtual reality arena, but most people can only afford one. Our comparison tells you which is best when you pit the Oculus Rift vs. HTC Vive.
Computing

Canada’s winters inspired a startup to warm homes with cryptomining heat waste

Cryptomining may be the key to untold riches and the future of currency, but it’s also an environmental nightmare. Heatmine, thinks it has the answer, but it could mean bolting a mining rig onto every home and business in the country.
Computing

Microsoft’s Windows 95 throwback was just an ugly sweater giveaway

Microsoft's "softwear" announcement wasn't what we had hoped for. Thursday's announcement was not the new line of wearable tech or SkiFree monster sweater we wished for. But it did deliver the 90s nostalgia we wanted.
Home Theater

Confused about LED vs. LCD TVs? Here's everything you need to know

Our LED vs. LCD TV buying guide explains why these two common types of displays are fundamentally connected, how they differ, what to look for in buying an LED TV, and what's on the horizon for TVs.
Deals

The best MacBook deals for December 2018

If you’re in the market for a new Apple laptop, let us make your work a little easier: We hunted down the best up-to-date MacBook deals available online right now from various retailers.
Computing

How to connect AirPods to your MacBook

If you have new AirPods, you may be looking forward to pairing them with your MacBook. Our guide will show you exactly how to connect AirPods to MacBook, what to do if they are already paired with a device, and more.
Computing

Hitting ‘Check for updates’ in Windows 10 opts you into beta releases

Users who are careful about keeping their system updated should watch out -- Microsoft revealed this week that clicking the Check for updates button in Windows can opt you in to testing beta code.
Product Review

The Asus ZenBook 14 is a tiny notebook that gets lost in the crowd

The ZenBook 14 aims to be the smallest 14-inch notebook around, and it succeeds thanks to some tiny bezels. Performance and battery life are good, but the notebook lacks a standout feature other than size.
Computing

Secure your Excel documents with a password by following these quick steps

Excel documents are used by people and businesses all over the world. Given how often they contain sensitive information, it makes sense to keep them from the wrong eyes. Thankfully, it's easy to secure them with a password.