How many times do end users think about the factory default settings of their Internet-connected devices? Perhaps we all should. Akamai's Threat Research team recently reported on a case in which millions of Internet-connected (IoT) devices were being used as the source of web-based credential stuffing campaigns. When we dug a little deeper, we found evidence that these IoT devices were being used as proxies to route malicious traffic, due to default configuration weaknesses in their operating systems.
While this has been reported before, the weakness has resurfaced with the growth in connected devices. Our team is currently working with the most prevalent device vendors on a proposed mitigation plan. We would like to emphasize that this is not a new type of vulnerability or attack technique, but rather a weakness in many default configurations of Internet-connected devices, one that is actively being exploited in mass-scale attack campaigns against Akamai customers.
We observed SSHowDowN Proxy attacks from the following types of devices; other device types are likely vulnerable as well.
Vulnerable connected devices are being used for:
Once malicious users access the web administration console of these devices, they can compromise the device's data and, in some cases, take over the machine.
In this case, unauthorized SSH tunnels were created and used, even though the IoT devices were supposedly hardened: the default web-interface user is not allowed to SSH into the device and execute commands. SSH port forwarding, however, does not require an interactive shell, so an account that is denied command execution can still be used to relay TCP connections through the device. Because of this, we feel compelled to reiterate the warning.
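The following is an added example, not Akamai's code or any vendor's firmware. It audits an OpenSSH sshd_config for exactly the condition described above: an account whose login shell is /sbin/nologin (so it cannot run commands) but which sshd still allows to open TCP-forwarding tunnels. The account name "admin", its shell and the two sample configurations are constructed for illustration; the defaults table reflects OpenSSH's documented sshd_config(5) behaviour, where AllowTcpForwarding is "yes" unless a directive says otherwise.

```python
"""Audit an OpenSSH sshd_config for the SSHowDowN Proxy weakness: an account
that cannot get a shell but can still open TCP-forwarding tunnels.

Added example, not Akamai's or any vendor's code. The "admin" account, its
shell and the sample configs are constructed; DEFAULTS follows sshd_config(5).
"""
from fnmatch import fnmatchcase

# Values OpenSSH applies when the directive is absent from sshd_config(5).
DEFAULTS = {
    "allowtcpforwarding": "yes",   # this default is the root of the problem
    "permitopen": "any",
    "gatewayports": "no",
}

# Constructed: a vendor config that "hardens" the web-admin account only by
# giving it a nologin shell; nothing here restricts port forwarding.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
PermitRootLogin no
"""

# Constructed: the same device with forwarding disabled for that account.
HARDENED_CONFIG = """
Port 22
PasswordAuthentication yes
PermitRootLogin no
Match User admin
    AllowTcpForwarding no
    PermitOpen none
    PermitTunnel no
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, block_settings), ...]).

    Keys are lowercased. Within a scope the first value seen wins, which is
    how sshd resolves repeated directives."""
    global_opts, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            crit = {"all": set()} if tokens == ["all"] else {
                k.lower(): set(v.split(","))
                for k, v in zip(tokens[::2], tokens[1::2])}
            current = {}
            match_blocks.append((crit, current))
            continue
        scope = global_opts if current is None else current
        scope.setdefault(key, value)
    return global_opts, match_blocks


def effective_options(global_opts, match_blocks, user):
    """Resolve what sshd applies to a connection by `user`: defaults, overridden
    by global directives, overridden by matching Match blocks (first matching
    block that sets a directive wins)."""
    matched = {}
    for crit, block in match_blocks:
        if "all" in crit or any(fnmatchcase(user, p) for p in crit.get("user", ())):
            for k, v in block.items():
                matched.setdefault(k, v)
    return {**DEFAULTS, **global_opts, **matched}


def audit_tunnel_exposure(config_text, user, shell):
    """Return findings for `user` whose login shell is `shell`.

    A finding means the account can be driven as a forwarding proxy
    (e.g. `ssh -N -D 1080 user@device`) without ever getting a shell."""
    g, blocks = parse_sshd_config(config_text)
    opts = effective_options(g, blocks, user)
    no_shell = shell.rsplit("/", 1)[-1] in {"nologin", "false"}
    fwd = opts["allowtcpforwarding"].lower()
    findings = []
    # Local/dynamic forwarding (-L/-D) is what turns the device into an egress proxy.
    if fwd in {"yes", "all", "local"} and opts["permitopen"].lower() != "none":
        findings.append(
            f"{user}: local TCP forwarding allowed (AllowTcpForwarding={fwd}, "
            f"PermitOpen={opts['permitopen']})"
            + ("; account has no shell, so tunnelling is all it can do" if no_shell else ""))
    # Remote forwarding (-R) plus GatewayPorts lets an attacker expose listeners on the device.
    if fwd in {"yes", "all", "remote"} and opts["gatewayports"].lower() in {"yes", "clientspecified"}:
        findings.append(f"{user}: remote forwarding can bind device interfaces (GatewayPorts={opts['gatewayports']})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tunnel_exposure(cfg, "admin", "/sbin/nologin") or ["no tunnel exposure"])
```

The weak sample produces a finding for "admin" even though the account has no shell, because sshd never consulted the shell when deciding whether to allow a direct-tcpip channel. The hardened sample is silent for "admin" but still flags "root", which the Match block does not cover; a per-user Match block only protects the users it names.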
Recently, Akamai's Threat Research Team, along with multiple other security vendors and research teams, reported on a trend in which IoT devices are being exploited to mount attacks against third-party victims. These devices were leveraged to conduct mass-scale HTTP-based credential stuffing campaigns against our customers.
We would like to emphasize that this is not a new type of vulnerability or attack technique, but rather a weakness in many default configurations of IoT devices. In fact, several articles touching on similar topics were previously released, for example:
After analyzing large data sets from Akamai's Cloud Security Intelligence platform, we discovered several common features that led us to believe the IoT devices were being used as proxies to route malicious traffic to victim sites.
To test this hypothesis, we acquired devices identical to those used in the attacks, installed them in a connected threat-research lab, and set out to uncover the root cause and the techniques used by the attackers, so that we can better protect ourselves, our customers and all IoT device users.