CRACK Update 5
2024-07-07

Beware the “regreSSHion”: A Blast from the Past Haunts OpenSSH

Hold onto your keyboards, folks! OpenSSH maintainers have just released some crucial security updates to tackle a nasty bug that could let cyber baddies take over your system with unauthenticated remote code execution. That’s right, they could get root access, which is basically the keys to the kingdom for any hacker.

The bug, ominously named “regreSSHion” (CVE-2024-6387), lurks in the OpenSSH server (sshd). This isn’t just any bug—it’s a time-traveling menace that’s made a comeback from a patched flaw dating back 18 years. Talk about a blast from the past! Originally squashed as CVE-2006-5051, it sneaked back into action in October 2020 with OpenSSH version 8.5p1. Cue the spooky music.

The Nitty-Gritty

According to Bharat Jogi from Qualys, this is a signal handler race condition. In layman’s terms, it’s like trying to catch a greased pig in a dark room—messy, unpredictable, and likely to end in disaster. If a client doesn’t authenticate within 120 seconds (the default LoginGraceTime), sshd’s SIGALRM handler steps in asynchronously and calls functions that aren’t safe to run from a signal handler, and, well, all hell can break loose.

The cyber boffins at Qualys identified around 14 million vulnerable OpenSSH server instances online. The vulnerability affects versions from 8.5p1 to 9.7p1, with older versions also at risk if they weren’t patched for CVE-2006-5051 and CVE-2008-4109. The good news? OpenBSD users can breathe easy; their systems are immune thanks to built-in security mechanisms.

Real-World Impact and Exploitation

If successfully exploited, CVE-2024-6387 can lead to full system compromise—think arbitrary code execution, security mechanism bypasses, data theft, and persistent access for the attackers. It’s the cyber equivalent of leaving your front door wide open with a neon sign saying “Welcome, Hackers!”

However, pulling off this attack isn’t a walk in the park. It requires an attacker to know the specific Linux distribution they’re targeting, takes an average of 6-8 hours to execute, and needs up to 10,000 authentication attempts. It’s like running a marathon while solving a Rubik’s cube—doable, but challenging.

What to Do?

The wise move here is to patch up your systems ASAP. Apply the latest updates to shield against this pesky flaw. On top of that, tighten your SSH access controls and enforce network segmentation to keep unauthorized users at bay.
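As an added example (not code from the post or from the OpenSSH project), the following Python script classifies an OpenSSH version string against the affected range given above, 8.5p1 through 9.7p1, and can read the local version from `ssh -V`. Two assumptions are baked in: that the client and server on a host ship as one package, and that the version string is an upstream one. Distributions routinely backport fixes without changing the version number, so an "in affected range" result is a prompt to check the vendor advisory, not a confirmed finding.

```python
"""Added example (not from the post or OpenSSH): classify OpenSSH version
strings against the range the post gives for CVE-2024-6387, 8.5p1 .. 9.7p1.

Only upstream version numbers are compared. Distributions commonly backport
fixes without bumping the version (a patched 9.6p1 is common), so "in range"
means "check the vendor advisory", not "confirmed vulnerable".
"""
import re
import subprocess

# Affected upstream range as stated in the post (and the Qualys advisory).
FIRST_AFFECTED = (8, 5)
LAST_AFFECTED = (9, 7)

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(text):
    """Extract (major, minor) from a server banner or an `ssh -V` line.

    Accepts "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4" and
    "OpenSSH_9.7p1, LibreSSL 3.3.6" alike. Returns None when no OpenSSH
    version is present (a Dropbear banner, for instance).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def in_regresshion_range(text):
    """True if the upstream version lies in 8.5 .. 9.7 inclusive."""
    ver = parse_openssh_version(text)
    if ver is None:
        return False
    return FIRST_AFFECTED <= ver <= LAST_AFFECTED


def classify(text):
    """Short verdict for inventory reports; older builds still need the
    pre-2020 fixes the post mentions (CVE-2006-5051 / CVE-2008-4109)."""
    ver = parse_openssh_version(text)
    if ver is None:
        return "not OpenSSH"
    if ver < FIRST_AFFECTED:
        return "pre-regression (verify CVE-2006-5051 / CVE-2008-4109 patches)"
    if ver > LAST_AFFECTED:
        return "post-fix upstream"
    return "in affected range: confirm vendor backport status"


def local_ssh_version_line():
    """Read the local OpenSSH version from `ssh -V` (printed on stderr).

    Assumption of this example: the client and sshd on a host come from the
    same package, so the client's version reflects the server's."""
    out = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    text = (out.stderr or out.stdout or "").strip()
    return text.splitlines()[0] if text else ""


if __name__ == "__main__":
    line = local_ssh_version_line()
    print(line, "->", classify(line))
```

For a fleet, feed `classify` the `SSH-2.0-OpenSSH_...` banner strings already recorded in your own asset inventory rather than re-scanning; the regex accepts those as-is.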

Cybersecurity firms, including Palo Alto Networks and Kaspersky, suggest that while this bug is dangerous, it’s unlikely to be exploited on a mass scale due to its complexity and the effort required. But that doesn’t mean you should be complacent. Stay vigilant, keep your systems updated, and always follow best security practices.

The Bigger Picture

This incident is a stark reminder of why regression testing is crucial in software development. A flaw once fixed can reappear if changes or updates inadvertently reintroduce it. Omkhar Arasaratnam from OpenSSF emphasized the importance of secure development practices, especially for foundational open-source projects like OpenSSH.

In conclusion, “regreSSHion” serves as a lesson for all of us in the cybersecurity world: never underestimate the importance of thorough testing and vigilance in software maintenance. Stay secure, folks, and remember—always patch your systems before the ghosts of vulnerabilities past come back to haunt you!

Sources:
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
https://nvd.nist.gov/vuln/detail/CVE-2006-5051
https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/
https://www.wiz.io/blog/cve-2024-6387-critical-rce-openssh

Record DDoS on OVHcloud

In April 2024, French cloud computing firm OVHcloud made headlines by mitigating a gargantuan distributed denial-of-service (DDoS) attack that shattered previous records. This colossal attack reached an unprecedented 840 million packets per second (840 Mpps), just edging out the previous record of 809 Mpps set in June 2020, which targeted a large European bank.

Anatomy of the Attack

This 840 Mpps assault was no ordinary DDoS attack. It combined a TCP ACK flood originating from 5,000 source IPs and a DNS reflection attack leveraging approximately 15,000 DNS servers to amplify the traffic. While the attack was globally distributed, two-thirds of the total packets came from just four points of presence, all in the U.S., with three on the west coast. This strategic concentration of packet flow through a few peerings highlights the adversaries’ capability to send a massive packet rate, posing significant challenges for network defenses.

Escalation in DDoS Activity

OVHcloud has reported a notable surge in both the frequency and intensity of DDoS attacks since 2023. Attacks surpassing 1 terabit per second (Tbps) have transitioned from being rare to a nearly daily occurrence. Sebastien Meriot of OVHcloud noted that in the past 18 months, the firm has observed 1+ Tbps attacks becoming almost routine, with the peak bit rate hitting approximately 2.5 Tbps.

The Mechanics of Packet Rate Attacks

Unlike typical DDoS attacks that flood targets with junk traffic to exhaust bandwidth, packet rate attacks focus on overwhelming the packet processing engines of networking devices near the destination, such as load balancers. OVHcloud’s data indicates a sharp rise in DDoS attacks with packet rates exceeding 100 Mpps, many of which originate from compromised MikroTik Cloud Core Router (CCR) devices.
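To make that distinction concrete, here is an added Python example (not OVHcloud’s code or data) that aggregates per-second flow summaries by destination and labels each destination’s busiest second as a packet-rate flood, a bandwidth flood, or normal. The record format, the addresses and the thresholds are all constructed for illustration; real collectors (NetFlow, IPFIX, sFlow) export comparable per-flow packet and byte counters.

```python
"""Added example (not OVHcloud's code or data): separate a packet-rate flood
from a bandwidth flood in per-second flow summaries.

Record format, addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed one-second flow summaries:
# second  src           dst           proto    packets  bytes
SAMPLE_FLOWS = """\
0 198.51.100.7 203.0.113.10 tcp     120      96000
0 198.51.100.8 203.0.113.10 tcp     100      80000
1 192.0.2.1    203.0.113.20 tcp-ack 400000   24000000
1 192.0.2.2    203.0.113.20 tcp-ack 380000   22800000
1 192.0.2.3    203.0.113.20 dns     300000   24000000
2 192.0.2.4    203.0.113.30 udp     50000    75000000
2 192.0.2.5    203.0.113.30 udp     45000    67500000
"""

# Illustrative thresholds: size them to the packet-processing and link
# capacity of the device in front of the target (a load balancer, say).
PPS_THRESHOLD = 500_000          # packets per second
BPS_THRESHOLD = 1_000_000_000    # bits per second


def parse_flows(text):
    """Yield (second, src, dst, proto, packets, bytes) from the text format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sec, src, dst, proto, pkts, byts = line.split()
        yield int(sec), src, dst, proto, int(pkts), int(byts)


def per_second_totals(flows):
    """Aggregate flows to (second, dst) -> packets, bytes, distinct sources."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for sec, src, dst, _proto, pkts, byts in flows:
        bucket = totals[(sec, dst)]
        bucket["packets"] += pkts
        bucket["bytes"] += byts
        bucket["sources"].add(src)
    return totals


def classify_second(pps, bps):
    """Packet-rate floods are judged on pps first: they can sit well under
    the link's bit-rate capacity and still exhaust packet processing."""
    if pps >= PPS_THRESHOLD:
        return "packet-rate"
    if bps >= BPS_THRESHOLD:
        return "volumetric"
    return "normal"


def analyze(text):
    """Per destination, return its busiest second (by pps) with a verdict."""
    worst = {}
    for (sec, dst), t in per_second_totals(parse_flows(text)).items():
        summary = {
            "second": sec,
            "pps": t["packets"],
            "bps": t["bytes"] * 8,
            "mean_packet_bytes": round(t["bytes"] / t["packets"]) if t["packets"] else 0,
            "sources": len(t["sources"]),
        }
        summary["verdict"] = classify_second(summary["pps"], summary["bps"])
        if dst not in worst or summary["pps"] > worst[dst]["pps"]:
            worst[dst] = summary
    return worst


if __name__ == "__main__":
    for dst, s in analyze(SAMPLE_FLOWS).items():
        print(f"{dst}: {s['pps']:,} pps, {s['bps'] / 1e6:,.0f} Mbps, "
              f"mean {s['mean_packet_bytes']} B, {s['sources']} sources -> {s['verdict']}")
```

The mean packet size is reported alongside the verdict because it is the tell: the constructed packet-rate flood moves only about 566 Mbps, comfortably within most links, yet its 1.08 million small packets per second is what a state-tracking device has to process one by one.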

The MikroTik Router Menace

MikroTik routers, notorious for running outdated operating systems susceptible to security vulnerabilities, have become a favorite for attackers. An estimated 99,382 MikroTik routers are accessible over the internet, exposing administrative interfaces and outdated RouterOS versions. Attackers are believed to exploit the Bandwidth Test feature of these routers to launch DDoS attacks.

Even a small fraction of these exposed devices could form a potent botnet capable of launching layer 7 attacks with packet rates reaching 2.28 billion packets per second (2.28 Gpps). MikroTik routers have previously been used to create powerful botnets like Mēris and for botnet-as-a-service operations.

Implications for Cyber Defense

Sebastien Meriot warned that the ability of botnets to generate billions of packets per second could usher in a new era of packet rate attacks. This would pose a serious challenge to existing anti-DDoS infrastructures, necessitating innovative approaches to building and scaling defenses.

Conclusion

As cyber attackers continue to evolve and escalate their methods, the record-breaking DDoS attack mitigated by OVHcloud underscores the critical need for robust cybersecurity measures. Organizations must remain vigilant, regularly update their systems, and employ advanced anti-DDoS solutions to defend against these increasingly sophisticated threats. And remember, in the wild world of cybersecurity, it’s not just about the size of the attack but the cleverness of the defenses!

Sources:
https://www.akamai.com/blog/news/largest-ever-recorded-packet-per-secondbased-ddos-attack-mitigated-by-akamai
https://blog.ovhcloud.com/the-rise-of-packet-rate-attacks-when-core-routers-turn-evil/

EURO 2024 - Offside for CyberOps

With the Euro 2024 football tournament advancing to the quarterfinals, cybercriminals are intensifying their activities, posing significant risks to fans and their employers.

Exposed Credentials: A Growing Concern

A recent report by threat intelligence firm Cyberint revealed that over 15,000 credentials belonging to customers of the Union of European Football Associations (UEFA) have been exposed on underground forums. These credentials, identified through the uefa.com domain in the URLs connected with usernames and passwords, are now circulating among cybercriminals. Additionally, another 2,000 credentials are up for sale on the Dark Web.

While most of these credentials belong to consumers, many users often sign up for services using their work email addresses. This practice can provide cyberattackers with a potential entry point for future attacks. Darja Feldman, Cyberint’s threat intelligence team lead, emphasizes the need for employees to avoid using corporate credentials for non-business services and to steer clear of password reuse.
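An added Python example, not from the post or from Cyberint, of the triage an organization can run on such a feed from its own side: it extracts the e-mail domain from each exposed username, keeps only accounts under the corporate domain (example.com here, an assumed placeholder), and groups them by the site they were used on so those accounts can be reset and the owners reminded about reuse. The records are constructed and deliberately carry no passwords.

```python
"""Added example (not from the post or Cyberint): triage a leaked-credential
feed for accounts registered with a corporate e-mail address.

Records are constructed: a site URL and the username exposed with it.
Passwords are deliberately not handled; the output is the set of internal
accounts to force-reset, grouped by the site they were exposed on.
"""
from urllib.parse import urlparse

CORP_DOMAINS = {"example.com"}   # assumption: your organization's e-mail domains

# Constructed records, shaped like a leak-monitoring feed: (url, username)
SAMPLE_LEAK = [
    ("https://www.uefa.com/login", "fan1@gmail.com"),
    ("https://tickets.uefa.com/account", "J.Doe@Example.com"),
    ("https://www.uefa.com/login", "jane.roe+uefa@corp.example.com"),
    ("https://example.com/sso", "alice@example.com"),
    ("https://www.uefa.com/login", "notanemail"),
]


def email_domain(username):
    """Return the lower-cased domain of an e-mail address, or None."""
    if username.count("@") != 1:
        return None
    local, domain = username.rsplit("@", 1)
    if not local or not domain:
        return None
    return domain.lower()


def is_corporate(domain, corp_domains=CORP_DOMAINS):
    """Match the domain itself or any subdomain of it (corp.example.com),
    but not look-alikes such as example.com.evil.net."""
    if domain is None:
        return False
    return any(domain == d or domain.endswith("." + d) for d in corp_domains)


def triage(records, corp_domains=CORP_DOMAINS):
    """Split corporate accounts in the feed by where they were exposed.

    Returns {"third_party": {host: {usernames}}, "own_sites": {host: {usernames}}}.
    Third-party hits are the "work e-mail on a fan site" case the post warns
    about; own-site hits mean the organization's own login was in the leak."""
    result = {"third_party": {}, "own_sites": {}}
    for url, username in records:
        if not is_corporate(email_domain(username), corp_domains):
            continue
        host = (urlparse(url).hostname or "").lower()
        bucket = "own_sites" if is_corporate(host, corp_domains) else "third_party"
        result[bucket].setdefault(host, set()).add(username.lower())
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_LEAK).items():
        for host, users in sorted(hosts.items()):
            print(f"{bucket}: {host}: {', '.join(sorted(users))}")
```

Usernames are lower-cased before grouping so that the same mailbox written with different capitalization is counted once; plus-addressed forms such as `jane.roe+uefa@` are kept verbatim, since the mailbox behind them is still the one to reset.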

Cyberattacks on Sporting Events: A Persistent Threat

Major sporting events have historically been attractive targets for cybercriminals. For instance, during the 2018 Winter Olympics, destructive cyberattacks initially appeared to be from North Korea’s Lazarus group but were later attributed to Russia-linked Fancy Bear, which conducted a false-flag operation. Similarly, cyberattacks have targeted Twitter accounts of NFL teams, and China-linked threat actors aimed to disrupt the 2022 World Cup in Qatar. With the upcoming Summer Olympics in Paris, cybersecurity experts warn of potential cyber threats.

DDoS Attacks at Euro 2024

Euro 2024 has already experienced cyberattacks beyond credential theft. Suspected Russia-linked hackers launched a distributed denial-of-service (DDoS) attack during Poland’s Group D opener against Estonia. Poland’s deputy minister of digital affairs, Pawel Olszewski, attributed the attack to the Russian Federation, which has been barred from the tournament.

DDoS attacks are particularly disruptive for live sporting events. Cybersecurity firm Radware highlighted in a June 10 advisory that such attacks frequently disrupt e-sports tournaments, such as those for the popular game League of Legends. Radware expects Euro 2024 and similar events to face more DDoS attacks in the future due to their high value for cybercriminals and nation-state actors.

Increasing Cyber Threats in Europe

In the first quarter of 2024, Europe witnessed twice as many cyberattacks compared to the last quarter of 2023. Juhan Lepassaar, head of the European Union Agency for Cybersecurity (ENISA), pointed to Russian cyber operations and hackers as the primary cause. He highlighted the ongoing digital threats stemming from the Russian war of aggression, which extends beyond Ukraine to target Europe.

Looking Ahead: Paris Olympics 2024

As Euro 2024 concludes, attention is shifting to the 2024 Summer Olympics in Paris. Cyberint’s Feldman anticipates that state-sponsored threat actors will target the Olympics with tactics similar to those used against UEFA, including credential theft, ticket fraud, and phishing scams. The International Olympic Committee has ruled that Russian and Belarusian athletes can compete in the Olympics as neutral participants, but whether this will reduce cyberattacks from hacktivists and nation-state actors remains uncertain.

Conclusion

The surge in cybercriminal activity around Euro 2024 serves as a stark reminder of the importance of digital security during major sporting events. Fans and organizations alike must remain vigilant, enforce strong security practices, and be prepared for potential cyber threats. As we look forward to the Paris Olympics, the cybersecurity community must stay alert to protect against the evolving landscape of cyber threats.

CRACK Update 5
https://typetherapy.blog/posts/crackupdates/crackupdate07_07_24/
Author: Type Therapy Blog
Published at: 2024-07-07
License: CC BY-NC-SA 4.0