Brute Force SSH Attack

The Network: An energy cooperative with multiple datacenters and hundreds of servers.

The Expectation: The network design is thoughtfully done; servers that need to face externally sit in a demilitarized zone (DMZ), and brand-name next-generation firewalls (NGFWs) are configured with country blocks to limit which external IPs are allowed through. Accordingly, the “protection” steps are in place.

The Catch: The NGFW detects an attempt to probe an external-facing web server for phpMyAdmin vulnerabilities. The scanner, known as ZmEu, has been around since at least 2012. That is typical of attacks: commodity scanning for old, well-known weaknesses, not a zero-day.

The Find: A brute-force SSH attack, attempting to guess a password and thereby gain access to the underlying OS. The target is running OpenSSH 6.2 or 6.3 built against an OpenSSL that supports AES-GCM; that combination carries a weakness known since November 2013 (CVE-2013-4548), as described here. The two findings are distinct but complementary: password guessing is an authentication attack that no OpenSSH patch prevents, while the AES-GCM bug is a post-authentication memory corruption that lets an already authenticated user bypass ForceCommand and login-shell restrictions. A guessed password is exactly what an attacker needs in order to reach it.

The Fix: Verify that OpenSSH on the target machine is properly updated (6.4 or later closes the AES-GCM bug; disabling the AES-GCM ciphers in sshd_config is the stopgap if patching must wait). Because distributions backport fixes without changing the version banner, confirm with the package manager rather than the banner alone. Patching does not stop password guessing, so also prefer key-based authentication (PasswordAuthentication no in sshd_config) and rate-limit or block sources with repeated failures. Schedule vulnerability scans, examine their results periodically, and ensure that patching is conducted purposefully rather than as an afterthought.
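The two checks this case turns on, spotting the password-guessing pattern in sshd's auth log and screening a server's SSH banner for the OpenSSH 6.2/6.3 builds named above, as an added example that is not part of the original post. The log lines are constructed, the year assumed for syslog timestamps and the "5 failures within 60 seconds" threshold are assumptions rather than anything from the cooperative's environment, and a banner hit is only a lead to confirm with the package manager, since backported fixes do not change the version string.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd entries in auth.log/syslog format (not real data).
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:01 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 12 03:14:03 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Nov 12 03:14:04 web01 sshd[2315]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov 12 03:14:06 web01 sshd[2318]: Failed password for root from 203.0.113.5 port 51242 ssh2
Nov 12 03:14:07 web01 sshd[2320]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Nov 12 03:14:09 web01 sshd[2322]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Nov 12 03:15:30 web01 sshd[2330]: Failed password for jsmith from 198.51.100.7 port 40022 ssh2
Nov 12 03:15:41 web01 sshd[2331]: Accepted publickey for jsmith from 198.51.100.7 port 40023 ssh2
Nov 12 09:40:00 web01 sshd[2500]: Failed password for root from 203.0.113.5 port 60001 ssh2
"""

# Matches the "Failed password" line sshd writes for both known and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text, year=2013):
    """Return (timestamp, username, source_ip) for each failed-password line.

    Syslog timestamps carry no year, so one is supplied by the caller
    (the default is an assumption for the constructed sample).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def detect_bruteforce(log_text, window_seconds=60, threshold=5, year=2013):
    """Flag source IPs with at least `threshold` failures inside any
    `window_seconds` span (sliding window over the sorted attempts).
    Threshold and window are assumed values; tune them to the environment."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failed_logins(log_text, year):
        per_ip[ip].append((ts, user))

    hits = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        best, start = 0, 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within window_seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = {
                "max_in_window": best,
                "total_failures": len(attempts),
                "usernames": sorted({u for _, u in attempts}),
            }
    return hits


# Version banner sshd sends on connect, e.g. "SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.1".
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")
# Upstream releases carrying the AES-GCM memory-corruption bug fixed in OpenSSH 6.4.
AES_GCM_BUG_VERSIONS = {(6, 2), (6, 3)}


def openssh_version(banner):
    """Extract (major, minor) from an OpenSSH banner, or None for other servers."""
    m = BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_flags_gcm_bug(banner):
    """True when the banner names an upstream release with the AES-GCM bug.

    Caveat: distributions backport fixes without bumping the version string,
    so treat a hit as a lead to confirm via the package manager, not as proof.
    """
    return openssh_version(banner) in AES_GCM_BUG_VERSIONS


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['max_in_window']} failures within 60s, "
              f"{info['total_failures']} total, users tried: {info['usernames']}")
    for banner in ("SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.1", "SSH-2.0-OpenSSH_6.4"):
        print(banner, "->", "check patch level" if banner_flags_gcm_bug(banner) else "ok")
```

The username list is worth reporting alongside the count: a single source cycling through admin, root, oracle and test is the signature of dictionary guessing, whereas one user fat-fingering a password from one address is not, and that distinction keeps the threshold from locking out legitimate staff.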

The Lesson: More than 99.9% of successful attacks exploit vulnerabilities that have been publicly known for many months. The fundamentals (patching, hardening, and acting on scan results) are always worth paying attention to and will protect you against more than 90% of attempted attacks.