Hackers use SSH to control connected devices for brute-force attacks

Content delivery network service provider Akamai Technologies released a new report on Wednesday (PDF) stating that hackers are taking advantage of a 12-year-old vulnerability in OpenSSH to gain control of internet-connected devices for mass-scale attack campaigns. The company dubs these attacks as “SSHowDowN Proxy,” which for now seem focused on using video surveillance devices, satellite antenna equipment, network devices, and internet-connected network-attached storage units.

According to the company, these compromised devices are used as proxies to attack a number of internet-based targets and “internet-facing” services, as well as the internal networks that host them. Hackers are actually gaining control of the devices by accessing their low-level command line console that still relies on the factory-shipped default login credentials provided by the vendor.

SSH stands for Secure Shell, and is a cryptographic network protocol that provides a secure channel, enabling services like remotely accessing a desktop residing on a home network from a public Wi-Fi access point. This protects data like usernames and passwords as the information travels across the internet. But this protocol isn’t completely secure, and Edward Snowden even indicated that the NSA could decrypt some SSH traffic.

Akamai began its investigation after it noticed active malicious HTTP/HTTPS traffic stemming from a third-party Network Video Recorder device targeting customer accounts. After determining that there were no unauthorized users accessing its network, the company then listed the device’s live network connections and their associated process IDs. The results showed that someone was running SSH connections using the default “admin” credentials provided by the manufacturer.

The thing is, the admin/admin credentials, by default, only allows web-based access to the machine, and does not provide SSH-level access. Whoever accessed the NVR machine took advantage of several SSH options to get past the default credential restriction. After that, the hacker set up the device as a proxy server, which establishes a TCP connection to a legitimate server from a remote client. Thus, any attack on a network would appear to stem from the NVR machine itself.

With all of this in mind, the company turned to other internet-connected devices to see if they have the same problem. In addition to the group of devices listed above, the company also saw that many units had additional weak points where a hacker wouldn’t need credentials at all to gain access to the device. For instance, one popular router has a “root” privileged user account while a common wireless hot spot doesn’t require a password for SSH connections.

As previously stated, the capability of this attack isn’t just internet-based. SSHowDowN Proxy could be used internally on a home or office network too.

“We managed to confirm and validate the feasibility of this severe abuse-case in our lab environment, and believe that malicious users are and will continue to actively exploiting this to penetrate private networks.”

So what are hackers actually doing with these devices? In the case of Akamai Technologies, they’re trying to break into customer accounts by way of a “credential stuffing” attack. They have gained access to username/password pairs and are automatically injecting the information via brute force at the account login page.

Although the report focuses on Akamai customers, the problem extends beyond the company’s user base. Akamai suggests that consumers change the default credentials of their internet-connected devices, and to make specific changes if the device offers direct file system access. Consumers are also suggested to disable SSH if the feature is not required.