In my previous article “The Infamous Mirai DDoS Malware Source Code is Released” I discussed how hackers are able to manipulate IoT (Internet of Things) based devices.
Going back around 12 years, a vulnerability affecting IoT devices was discovered by the National Cyber Awareness System. It is tracked as CVE-2004-1653. It allowed a hacker to port bounce anonymously through an SSH server when that server was configured with an anonymous-access program such as AnonCVS.
Using this 12-year-old vulnerability, hackers are now able to turn IoT devices into IoUTs (Internet of Unpatchable Things), which are then used as proxies to relay malicious traffic. With this guidance system, the hacker can then attack several hundred thousand IoT devices, as well as the internal networks hosting those devices. This ultimately creates a multi-million device cyber-attack within mere minutes, rather than days.
Unlike the Mirai botnet cyber-attacks of the past, the new cyber-attack, now dubbed the SSHowDowN Proxy, specifically makes use of IoT-based devices, including:
- Internet connected Network Attached Storage (NAS) devices;
- CCTV, NVR, & DVR devices;
- Satellite antenna equipment;
- Networking devices (Routers, WiMax, HotSpots, Cable, & ADSL modems);
- Plus other IoT-based devices.
The SSHowDowN exploit utilizes a decade-old default configuration fault, CVE-2004-1653, that had been patched in the early months of 2015. This fault allows a user to make use of TCP forwarding and then port bounce, so that the device serves as a proxy.
The cyber-security company Akamai has analyzed IP addresses from its Cloud Security Intelligence platform. Based on that analysis, the team estimates that just over 2 million IoT and other networking devices have already been exploited as part of a massive SSHowDowN cyber-attack.
Once the hackers gain access to the web admin console of a vulnerable IoT device, they can use the device directly in a cyber-attack, and then turn those attacks against the internal network that hosts the device.
It is reported that once the hackers gain full admin control over these devices, they are then able to take full control of the machine in question.
If you own several IoT-based devices in your home or work environment, it is suggested that you immediately change the default factory credentials. If you have just purchased your first set of IoT devices, change the credentials before setting the devices up for use. I also recommend disabling the SSH service on your IoT devices, especially where SSH isn't required for connection purposes.
For the more tech-savvy individuals, establish inbound firewall rules. These help to block SSH access to the devices from external hosts.
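As an added example (not from the article or from Akamai), here is a small Python audit of an OpenSSH sshd_config for the default that CVE-2004-1653 describes, namely TCP forwarding left enabled. It assumes sshd's own rule that the first occurrence of a keyword wins and that an absent keyword takes the compiled-in default; the two sample configs are constructed for illustration.

```python
# Added example: audit an sshd_config for the CVE-2004-1653 default (TCP forwarding on).
# Assumption: sshd takes the FIRST occurrence of a keyword and falls back to its
# compiled-in default when a keyword is absent; Match blocks apply conditionally.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permitopen": "any"}

def parse_sshd_config(text):
    """Return (global_settings, match_blocks); keywords are case-insensitive."""
    global_cfg, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # strip comments / blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                              # lines below are conditional
            current = {"criteria": value, "settings": {}}
            matches.append(current)
            continue
        target = current["settings"] if current else global_cfg
        target.setdefault(key, value)                   # setdefault: first occurrence wins
    return global_cfg, matches

def audit(text):
    """Return findings as strings; an empty list means port bouncing is blocked."""
    cfg, matches = parse_sshd_config(text)
    findings = []
    fwd = cfg.get("allowtcpforwarding", DEFAULTS["allowtcpforwarding"]).lower()
    if fwd != "no":
        reason = f"set to '{fwd}'" if "allowtcpforwarding" in cfg else "absent, sshd default 'yes' applies"
        findings.append(f"AllowTcpForwarding {reason}: any authenticated account can port bounce")
        if cfg.get("permitopen", DEFAULTS["permitopen"]).lower() == "any":
            findings.append("PermitOpen any: forwards may reach any host and port")
    if cfg.get("gatewayports", DEFAULTS["gatewayports"]).lower() != "no":
        findings.append("GatewayPorts on: remote forwards are reachable from other hosts")
    for m in matches:
        if m["settings"].get("allowtcpforwarding", "no").lower() != "no":
            findings.append(f"Match {m['criteria']}: re-enables TCP forwarding for that scope")
    return findings

# Constructed samples: a factory-style config that never mentions forwarding,
# and a hardened one where the first line wins over a stray later 'yes'.
FACTORY_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("AllowTcpForwarding no\nGatewayPorts no\nPermitOpen none\n"
                   "AllowTcpForwarding yes   # ignored: first occurrence wins\n")

if __name__ == "__main__":
    for name, text in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["no forwarding findings"])
```

Run it against a device's real sshd_config to see whether the firmware ever sets AllowTcpForwarding at all; a config that is silent on it is in the vulnerable default state.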
For those on the ethical side of hacking, a company is challenging you! MITRE has set a challenge to create a new and unique method of identifying IoT-based devices. Your reward, besides likely being featured in articles on a few major sites, is up to $50,000 for your innovation.
Sources: AnonHQ (Mirai DDoS Malware), National Cyber Awareness System, NCAS (CVE-2004-1653), OpenBSD (Anonymous CVS), MITRE.
This article (2-Million IoT Devices are Exposed Due to a 12-Year-Old SSH Bug) is free and open source. You have permission to republish this article under a Creative Commons license with attribution to the author and AnonHQ.