2025/04/24 18:28:37

SSH

SSH (Secure Shell) is an application-layer network protocol used to manage an operating system remotely and to tunnel TCP connections, for example for file transfers. In functionality, SSH is similar to the Telnet and rlogin protocols; its distinguishing feature is that all traffic, including transmitted passwords, is encrypted. The protocol does not fix a single cipher: client and server negotiate which encryption algorithms to use. SSH clients and servers exist for most network operating systems.


SSH provides secure transport for any other network protocol over an untrusted network. This is what makes it possible to work on a remote computer through a command shell, and also to carry video or audio streams over an encrypted channel.

Several versions of the SSH protocol exist; they differ in their general operating scheme and in the encryption algorithms used. The most widely used today is SSH version 2. Earlier versions of the protocol are unsafe by modern standards, as they contain several very serious weaknesses.

2025: FSTEC warned of a critical vulnerability in the framework developed by Ericsson. The equipment of telecom operators and banks is under threat

In the twenties of April, FSTEC announced the discovery of the critical vulnerability BDU:2025-04706[1], which allows arbitrary code execution on an Erlang/OTP server without any interaction from users or administrators. The vulnerability is rated 10 out of 10 on the CVSS scale, and an exploit for it already exists. The community has already released fixes: versions 27.3.3, 26.2.5.11 and 25.3.2.20 are safe. FSTEC experts strongly recommend installing these versions, since the likelihood of this vulnerability being exploited is very high.
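As an added example (not part of the article and not code from the Erlang/OTP project), the following Python snippet compares an installed Erlang/OTP version string against the fixed releases named above, so an operator can check an inventory of hosts quickly. It assumes plain dotted version strings, optionally with the "OTP-" prefix used in release tags, and it returns None for release lines the advisory does not cover rather than guessing.

```python
# Added example (not from the article): compare an Erlang/OTP version string
# against the fixed releases named in the FSTEC advisory.
# Assumption: versions are dotted integers ("26.2.5.10"), optionally prefixed
# with "OTP-"; release lines other than 25/26/27 are reported as unknown.

# Fixed versions quoted in the article, keyed by major release line.
FIXED_VERSIONS = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_version(text):
    """Turn 'OTP-26.2.5.10' or '26.2.5.10' into the tuple (26, 2, 5, 10)."""
    text = text.strip()
    if text.upper().startswith("OTP-"):
        text = text[4:]
    parts = tuple(int(p) for p in text.split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def _pad(version, length):
    """Right-pad a version tuple with zeros so tuples of different length compare."""
    return version + (0,) * (length - len(version))


def is_fixed(version_text):
    """Return True if the version is at or above the fixed release for its line,
    False if it is below (vulnerable), None if the line is not covered here."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    width = max(len(version), len(fixed))
    return _pad(version, width) >= _pad(fixed, width)


def triage(version_texts):
    """Map each version string to 'fixed', 'vulnerable' or 'unknown'."""
    labels = {True: "fixed", False: "vulnerable", None: "unknown"}
    return {v: labels[is_fixed(v)] for v in version_texts}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    for version, verdict in triage(["27.3.3", "27.3.2", "OTP-26.2.5.10", "25.3.2.20", "24.3.4"]).items():
        print(version, verdict)
```

Run the block as a script to see the verdicts for the constructed sample inventory; in practice the version strings would come from each host (for example the output of the Erlang runtime's version query).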

Erlang/OTP (Open Telecom Platform) is a software framework containing a set of libraries and design patterns for building scalable distributed applications in the Erlang programming language. The framework was created at Ericsson as part of the AXD series ATM switch project and was released in 1996. The Erlang/OTP SSH service is part of this platform and is intended to provide secure access to and control of remote systems.

The Erlang/OTP SSH platform component is designed for protection, but due to an implementation error it can also be used for attack

Although Erlang/OTP SSH is designed for reliable authentication of remote users, a study[2] by four security researchers at Ruhr University Bochum showed that vulnerable versions of Erlang/OTP may skip the authentication stage and immediately execute the payload sent to them. This is exactly what allows attackers to execute malicious code in the server's context using a sequence of four client SSH packets sent to the vulnerable component after a TCP connection is established. An exploit for this attack has been published on the Internet.

Exploit launch scheme for the Erlang/OTP vulnerability

"According to the standard, the channel for executing commands by the SSH client opens after authentication; otherwise the message will be rejected or lead to a disconnect," Solar 4Rays experts wrote in their Telegram channel. "But vulnerable Erlang/OTP versions may not check the authentication stage and process CHANNEL_OPEN and exec immediately. As a result, attackers need network access to the server in order to execute commands on it."

Thus, if a company uses an Erlang/OTP-based solution, then a massive attack can be carried out against it.
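The ordering rule the Solar 4Rays experts describe can be turned into a simple server-side detection check. The Python below is an added example, not code from the article or from Erlang/OTP: it assumes you can obtain the sequence of decoded SSH message types for a session (for instance from a debug trace of the server itself, since after key exchange the messages are encrypted on the wire) and flags any client channel message that arrives before the server has sent USERAUTH_SUCCESS. The message type codes are taken from RFC 4253 and RFC 4254; the sample sessions are constructed.

```python
# Added example (not from the article): flag SSH sessions in which the client
# opens a channel or sends a channel request before authentication completed.
# Assumption: the caller supplies decoded message types per direction, e.g.
# from a server-side debug trace. Type codes are from RFC 4253 / RFC 4254.

SSH_MSG_USERAUTH_REQUEST = 50   # client -> server
SSH_MSG_USERAUTH_FAILURE = 51   # server -> client
SSH_MSG_USERAUTH_SUCCESS = 52   # server -> client, authentication done
SSH_MSG_CHANNEL_OPEN = 90       # client -> server, should follow 52
SSH_MSG_CHANNEL_REQUEST = 98    # e.g. "exec" or "shell" on an open channel

CHANNEL_MESSAGES = (SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST)


def find_preauth_channel_activity(messages):
    """messages: list of (direction, msg_type), direction 'c' (client) or 's' (server).
    Returns the index of the first client channel message that precedes the
    server's USERAUTH_SUCCESS, or -1 if the session is correctly ordered."""
    authenticated = False
    for index, (direction, msg_type) in enumerate(messages):
        if direction == "s" and msg_type == SSH_MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif direction == "c" and msg_type in CHANNEL_MESSAGES and not authenticated:
            return index
    return -1


def classify_session(messages):
    """Human-readable verdict for a log line or alert."""
    index = find_preauth_channel_activity(messages)
    if index < 0:
        return "ok"
    return "alert: client channel message #%d (type %d) before authentication" % (
        index, messages[index][1])


# Constructed sample sessions (message types only, no real traffic).
NORMAL_SESSION = [
    ("c", SSH_MSG_USERAUTH_REQUEST),
    ("s", SSH_MSG_USERAUTH_SUCCESS),
    ("c", SSH_MSG_CHANNEL_OPEN),
    ("c", SSH_MSG_CHANNEL_REQUEST),
]
SUSPECT_SESSION = [
    ("c", SSH_MSG_CHANNEL_OPEN),
    ("c", SSH_MSG_CHANNEL_REQUEST),
]
FAILED_AUTH_SESSION = [
    ("c", SSH_MSG_USERAUTH_REQUEST),
    ("s", SSH_MSG_USERAUTH_FAILURE),
    ("c", SSH_MSG_CHANNEL_OPEN),
]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("suspect", SUSPECT_SESSION),
                          ("failed-auth", FAILED_AUTH_SESSION)):
        print(name, "->", classify_session(session))
```

A server that behaves correctly never reaches the channel layer in the "suspect" or "failed-auth" cases, so any hit from this check on a production trace is worth an alert regardless of whether the command inside the request succeeded.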

"This tool is widespread in Russia," Kirill Levkin, project manager at MD Audit, told TAdviser. "It is mainly used in telecom operator equipment, in banks, in some industrial systems and, of course, in the well-known RabbitMQ message broker. Based on the information available to us, we can conclude that this vulnerability can be used to organize mass attacks. We know that the BDU:2025-04706 vulnerability has fairly low exploitation complexity, and there are publicly available exploits on the network. This may mean that there is a real risk of the vulnerability being exploited."

And since the library in question can be built into equipment, updating it to the safe versions (listed at the very beginning) requires the intervention of the equipment manufacturer. This makes it difficult to correct detected errors quickly, especially under sanctions. Therefore, companies that operate Erlang/OTP will have to rely on compensating measures for now.

"A vulnerability in such a tool can be exploited for mass attacks, especially on network equipment that is rarely inspected," Maxim Alexandrov, an expert on Security Code software products, warned TAdviser readers. "For example, routers and IP cameras. Such devices with Internet access are more vulnerable than users' personal devices. If possible, it is recommended to isolate devices from full Internet access. This can be done through network segmentation and by restricting access to a specific list of trusted addresses."

The expert also recommends changing default settings to custom ones to protect networks. For example, using non-standard network ports for SSH can significantly reduce the likelihood of automated attacks that target the standard ports.

"The Erlang/OTP platform was originally developed by Ericsson for telecommunications equipment and is mainly used in the telecom segment," Daniil Chernov, author of the Solar appScreen product, reminded TAdviser readers. "In some countries it is still used, for example, in the cloud microservice architectures of fintech companies. But in Russia, as our practice of auditing software products and development processes shows, this protocol has not taken root."

2024: New botnet discovered. 700 thousand IoT devices and Linux servers in Russia are at risk of infection

Akamai researcher Steve Kupchik published a report[3] about a new variant of the Mirai botnet, which he named NoaBot. The new variant differs from the original malware, whose source code was published in 2016, in that it spreads over the SSH secure remote access protocol and carries the built-in XMRig cryptominer, which may use its own mining pool. Timestamps the researcher found in the worm's code date its development to January 2023.

NoaBot activity during the past year (Akamai data)

NoaBot, like Mirai, is a botnet worm that infects Linux-based IoT devices such as home routers and video cameras, as well as Linux servers, on which a remote SSH connection is enabled and protected by a weak password. It spreads by a dictionary password-guessing attack. However, the Mirai source code was built with a compiler other than GCC, so antivirus tools do not identify it as Mirai. Moreover, a vulnerability has now been discovered in the SSH implementation that has even received its own name, Terrapin[4]. By manipulating the sequence of packets, it allows an attacker to force the SSH server or client to lower the connection's security level and even to disable some of its protections against attacks.
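To judge whether a given SSH server is among those the Terrapin statistics below count, an operator needs to look at the algorithms the server advertises. The Python below is an added example, not from the article or from any SSH project. The facts it relies on come from the Terrapin disclosure: the attack applies to the chacha20-poly1305@openssh.com cipher and to any CBC cipher used with an Encrypt-then-MAC ("-etm@openssh.com") MAC, and the "strict kex" countermeasure is signalled by kex-strict-s-v00@openssh.com in the server's key-exchange list, which only helps when the client signals kex-strict-c-v00@openssh.com as well. The algorithm lists used as input are constructed, not captured from a real host.

```python
# Added example (not from the article): check advertised SSH algorithm lists
# for the combinations the Terrapin attack targets. Facts from the Terrapin
# disclosure: chacha20-poly1305@openssh.com, and CBC ciphers paired with an
# Encrypt-then-MAC MAC, are affected; the strict-kex extension is the
# countermeasure and must be signalled by both server and client.

STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"


def risky_combinations(ciphers, macs):
    """Describe Terrapin-relevant choices in a server's cipher and MAC lists."""
    findings = []
    if "chacha20-poly1305@openssh.com" in ciphers:
        findings.append("cipher chacha20-poly1305@openssh.com")
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    if cbc and etm:
        findings.append("CBC cipher(s) %s with EtM MAC(s) %s"
                        % (", ".join(cbc), ", ".join(etm)))
    return findings


def terrapin_exposed(server_kex, server_ciphers, server_macs, client_kex=()):
    """True if a connection negotiated from these lists could be attacked:
    a risky combination is offered and strict kex is not agreed by both sides."""
    if not risky_combinations(server_ciphers, server_macs):
        return False
    strict = STRICT_KEX_SERVER in server_kex and STRICT_KEX_CLIENT in client_kex
    return not strict


# Constructed sample offerings (not captured from a real host).
LEGACY_SERVER = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
    "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}
PATCHED_SERVER = {
    "kex": ["curve25519-sha256", STRICT_KEX_SERVER],
    "ciphers": LEGACY_SERVER["ciphers"],
    "macs": LEGACY_SERVER["macs"],
}
OLD_CLIENT_KEX = ["curve25519-sha256"]
NEW_CLIENT_KEX = ["curve25519-sha256", STRICT_KEX_CLIENT]


def report(server, client_kex):
    """Findings plus an overall exposure verdict for one server/client pairing."""
    return {
        "findings": risky_combinations(server["ciphers"], server["macs"]),
        "exposed": terrapin_exposed(server["kex"], server["ciphers"],
                                    server["macs"], client_kex),
    }


if __name__ == "__main__":
    for sname, server in (("legacy", LEGACY_SERVER), ("patched", PATCHED_SERVER)):
        for cname, client_kex in (("old client", OLD_CLIENT_KEX), ("new client", NEW_CLIENT_KEX)):
            print(sname, "/", cname, "->", report(server, client_kex))
```

The patched server still shows findings with an old client: strict kex only protects sessions where both ends support it, which is why removing the affected cipher and MAC combinations from the server configuration is the more robust fix.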

Moreover, according to Shadowserver statistics[5][6], up to 700 thousand devices that may be susceptible to this attack are found in Russia. That is fourth place in the world by number of such installations: only the United States (3.3 million), China (1.3 million) and Germany (1 million) are ahead. Fortunately, Terrapin support has not yet been implemented in NoaBot; if that happens, the number of infections by this malware will grow sharply. For now, Akamai has found only 800 cases of its spread.

Statistics of vulnerable SSH servers in Russia (Shadowserver data)

Another feature of NoaBot is that it hides very well. In particular, even in the built-in XMRig miner neither the address of the cryptocurrency recipient nor the mining pool is specified. Steve Kupchik believes that the malware's developer has set up their own pool, which greatly complicates incident investigation. Since the crypto winter now appears, by all indications, to be over, developers of such cryptominers are highly likely to become more active.

To protect against such botnet worms, it is recommended not to leave default passwords on Linux devices and to make passwords sufficiently complex. In addition, you need to install updates for devices and, where possible, monitor their behaviour with firewalls.

2017: Criminals massively scan websites for private SSH keys

Cybercriminals are massively scanning WordPress websites for directories containing private SSH keys in order to break into them using accidentally exposed credentials[7].

SSH authentication can be carried out both according to the classic model (using a login and password) and using keys. In the second case, the administrator generates a key pair (private and public keys). The private key is placed on the server to be authenticated. In turn, the user saves it in the local SSH configuration file.

On October 17-18, experts from the American information security company Wordfence recorded[8] an unexpected surge in scans of sites for folders with specific names. Judging by the folder names, those scanning were looking for private SSH keys. In particular, they searched for directories whose names mention "root", "ssh" or "id_rsa".

According to Wordfence founder Mark Maunder, this may indicate that cybercriminals have had some success in finding private keys and have stepped up their activity. There is probably a vulnerability, or owners of WordPress sites are making an operational mistake that makes private SSH keys available to third parties.
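Two checks follow from this story: spotting the scans in a web server's access log, and making sure no private key is reachable under the web root in the first place. Note that in OpenSSH it is the public key that goes into the server's authorized_keys file; the private key stays on the user's machine and should never be served by a web server. The Python below is an added example, not from the article or from Wordfence: the log format is Apache/nginx "combined" style, the sample log lines and the throwaway web root are constructed, and the probed names beyond "root", "ssh" and "id_rsa" (the .ssh directory and the other default OpenSSH key file names) are my own addition.

```python
# Added example (not from the article): detect key-hunting probes in an access
# log and scan a web root for PEM-formatted private keys.
# Assumptions: combined-style access log lines; the name list below extends
# the article's "root"/"ssh"/"id_rsa" with the other default OpenSSH key names.
import os
import re
import tempfile

PROBE_RE = re.compile(
    r"(?i)(?:^|/)(?:\.ssh|ssh|root|id_rsa|id_dsa|id_ecdsa|id_ed25519)(?:/|$|\?)")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
PEM_HEADER = re.compile(rb"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")


def find_key_probes(log_lines):
    """Return (client_ip, path, status) for each request whose path looks like a key probe."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if match and PROBE_RE.search(match.group("path")):
            hits.append((match.group("ip"), match.group("path"), int(match.group("status"))))
    return hits


def probes_by_ip(hits):
    """Count probes per client address, useful for blocking or alert thresholds."""
    counts = {}
    for ip, _path, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def scan_for_private_keys(root):
    """Walk a directory tree and list files whose first bytes are a PEM private key header."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as handle:
                    head = handle.read(64)
            except OSError:
                continue
            if PEM_HEADER.match(head):
                found.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(found)


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Oct/2017:03:14:02 +0000] "GET /root/ HTTP/1.1" 404 209',
    '203.0.113.7 - - [17/Oct/2017:03:14:03 +0000] "GET /.ssh/id_rsa HTTP/1.1" 403 199',
    '203.0.113.7 - - [17/Oct/2017:03:14:04 +0000] "GET /ssh/ HTTP/1.1" 404 209',
    '198.51.100.4 - - [17/Oct/2017:03:15:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4210',
    '198.51.100.4 - - [17/Oct/2017:03:15:12 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 1201',
]


def build_demo_webroot():
    """Create a throwaway web root containing a constructed placeholder key file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, ".ssh"))
    with open(os.path.join(root, ".ssh", "id_rsa"), "wb") as handle:
        handle.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     b"constructed-placeholder-not-a-real-key\n"
                     b"-----END OPENSSH PRIVATE KEY-----\n")
    with open(os.path.join(root, "index.html"), "wb") as handle:
        handle.write(b"<html></html>\n")
    return root


if __name__ == "__main__":
    hits = find_key_probes(SAMPLE_LOG)
    print("probes:", hits)
    print("per ip:", probes_by_ip(hits))
    print("keys under web root:", scan_for_private_keys(build_demo_webroot()))
```

A 403 or 404 on a probed path still means the scanner got as far as asking; the per-address counts are what feed a block list, and a non-empty result from the web root scan is the condition that would have turned one of these probes into a compromise.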

Links

SSH Protocol Description