14 DAY TRIAL // Attackers are using IoT devices as proxies for malicious traffic by taking advantage of a configuration option in SSH daemons, which allows them to use a 12-year-old OpenSSH flaw to bounce traffic off IoT equipment.
The flaw is CVE-2004-1653, a security issue discovered in 2004 and patched in early 2005, caused by a default configuration that was shipping at the time in OpenSSH (sshd).
According to MITRE and security experts Jordan Sissel and Joey Hess, older versions of the OpenSSH client allowed TCP forwarding in default setups, which then allowed remote authenticated users to perform a port bounce.
The flaw was not severe since attackers needed SSH access to the device, but after an attacker brute-forced his way into systems using unsecured SSH credentials, he could monetize those machines as part of for-hire proxy services sold online.
Bug resurrected for IoT botnets
While OpenSSH hasn't featured that default configuration option for years, OpenSSH has been embedded in billions of IoT devices spread all over the world.
As we know by now, most of these devices are the victims of Telnet and SSH brute-force attacks on a regular basis and are being added to DDoS botnets every day.
Because IoT devices lack the hardware capabilities to support complex operations, the only good things an IoT botnet can be used for is to launch other brute-force attacks, launch DDoS attacks, and relay malicious traffic.
IoT devices used as relays for other malicious traffic
According to a threat advisory released by Akamai today, the company's security team says it detected large amounts of malicious traffic originating from IoT devices.
A further investigation of the issue has revealed that crooks have been brute-forcing IoT devices, altering their SSH configurations by enabling the "AllowTcpForwarding" option, and then using these devices as proxies for all sorts of malicious traffic.
This allows attackers to mask the true origin of their attacks, may it be DDoS attacks, regular Web traffic, other brute-force attacks, or any other kind of Internet packet that can be relayed by the IoT device.
In order to prevent these attacks, which Akamai tracks under the SSHowDowN Proxy codename, the company recommends the following defensive measures.
