
Weekly Digest Week 1 – 2024

Publication date

05.01.2024

New Terrapin Flaw Could Let Attackers Downgrade SSH Protocol Security

Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol that could allow an attacker to downgrade the connection’s security by breaking the integrity of the secure channel.


Called Terrapin (CVE-2023-48795, CVSS score: 5.9), the attack has been described as the « first ever practically exploitable prefix truncation attack. »


« In a real-world scenario, an attacker could exploit this vulnerability to intercept sensitive data or gain control over critical systems using administrator privileged access, » Qualys said. « This risk is particularly acute for organizations with large, interconnected networks that provide access to privileged data. »

The flaw impacts many SSH client and server implementations, such as OpenSSH, Paramiko, PuTTY, KiTTY, WinSCP, libssh, libssh2, AsyncSSH, FileZilla, and Dropbear, prompting the maintainers to release patches to mitigate potential risks.


According to the Shadowserver Foundation, nearly 11 million internet-exposed SSH servers are vulnerable to the Terrapin attack.

Analysis from our SOC team
The attack requires a man-in-the-middle position, meaning an attacker with access to the client's or server's local network (for example, a client connecting to a rogue Wi-Fi hotspot in a public place is enough). If a server can only be reached from within the company network or through a VPN, the attack can only be performed by an insider.

Here are some solutions to protect your SSH servers:

1- Upgrade your clients and servers to versions that support « strict key exchange ».
2- Disable all weak algorithms on your server. With that in place, even if the Terrapin attack succeeds, it won't be able to downgrade your security.
3- Enforce strong passwords. With that in place, even if the Terrapin attack succeeds, it won't be able to guess them. Enforcing key-based authentication also blocks this exploitation.
4- The Terrapin attack is only possible with some algorithms: ChaCha20-Poly1305 and CBC-Encrypt-then-MAC. As these algorithms are not the best ones, you should disable them and only keep the strongest ones: aes256-gcm & hmac-sha2-512.
5- Remote SSH access should not be exposed to the Internet. By requiring a VPN connection before the server can be reached, you block all attacks from the outside world; only an insider could perform the attack.
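As an added example (not the Approach SOC's tooling and not code from the original digest), the following Python script applies steps 1 and 4 to a server's own SSH_MSG_KEXINIT: it decodes the ten algorithm name-lists defined in RFC 4253 section 7.1, checks whether the server advertises strict key exchange (patched OpenSSH servers list the `kex-strict-s-v00@openssh.com` pseudo-algorithm), and reports which Terrapin-relevant ciphers and MACs are still offered. The two KEXINIT samples are constructed in the script; `fetch_server_kexinit` is the only part that talks to a network and is meant for auditing the servers you operate.

```python
"""Audit an SSH server's KEXINIT for the Terrapin conditions listed above.

Added example, not Approach's tooling. The two conditions come from the
digest: ChaCha20-Poly1305, or a CBC cipher combined with an Encrypt-then-MAC
MAC, only matter when strict key exchange is not available.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Pseudo-algorithm a patched server puts in kex_algorithms to signal strict kex.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
NAME_LISTS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _read_name_list(buf, off):
    """Decode one SSH name-list: uint32 length, then comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n


def parse_kexinit(payload):
    """Return the ten algorithm name-lists of a KEXINIT payload as a dict."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 1 + 16, {}  # skip the message type byte and the 16-byte cookie
    for name in NAME_LISTS:
        lists[name], off = _read_name_list(payload, off)
    return lists


def terrapin_assessment(kex):
    """Classify a parsed KEXINIT according to steps 1 and 4 of the digest."""
    ciphers = set(kex["enc_c2s"]) | set(kex["enc_s2c"])
    macs = set(kex["mac_c2s"]) | set(kex["mac_s2c"])
    strict = STRICT_KEX_SERVER in kex["kex"]
    chacha = sorted(c for c in ciphers if c.startswith("chacha20-poly1305"))
    cbc = sorted(c for c in ciphers if c.endswith("-cbc"))
    etm = sorted(m for m in macs if m.endswith("-etm@openssh.com"))
    exploitable_modes = bool(chacha) or bool(cbc and etm)
    return {
        "strict_kex": strict,
        "vulnerable": exploitable_modes and not strict,
        # Step 4: entries to drop from the server's Ciphers / MACs lists.
        "disable_ciphers": chacha + cbc,
        "disable_macs": etm if cbc else [],
    }


def build_kexinit(name_lists):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie for the sample
    for names in name_lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect to one of your own servers and return its raw KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-terrapin_audit\r\n")
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send text first
            line = f.readline()
        if not line.startswith(b"SSH-2.0"):
            raise ValueError("unexpected version string: %r" % line)
        # Binary packet: uint32 packet_length, byte padding_length, payload, padding.
        (packet_len,) = struct.unpack(">I", f.read(4))
        body = f.read(packet_len)
        return body[1:packet_len - body[0]]


# Constructed samples (not captured from any real host).
_COMMON = [["ssh-ed25519"], ["none"], ["none"], [], []]
SAMPLE_UNPATCHED = build_kexinit(
    [["curve25519-sha256"], _COMMON[0],
     ["chacha20-poly1305@openssh.com", "aes256-cbc", "aes256-gcm@openssh.com"],
     ["chacha20-poly1305@openssh.com", "aes256-cbc", "aes256-gcm@openssh.com"],
     ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512"],
     ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512"]] + _COMMON[1:])
SAMPLE_HARDENED = build_kexinit(
    [["curve25519-sha256", STRICT_KEX_SERVER], _COMMON[0],
     ["aes256-gcm@openssh.com"], ["aes256-gcm@openssh.com"],
     ["hmac-sha2-512"], ["hmac-sha2-512"]] + _COMMON[1:])

if __name__ == "__main__":
    for label, sample in (("unpatched", SAMPLE_UNPATCHED), ("hardened", SAMPLE_HARDENED)):
        print(label, terrapin_assessment(parse_kexinit(sample)))
```

The `disable_ciphers` and `disable_macs` lists map directly onto the `Ciphers` and `MACs` directives in `sshd_config`; note that OpenSSH names the GCM cipher recommended in step 4 `aes256-gcm@openssh.com`, and `sshd -T` prints the effective algorithm lists so you can confirm the change before re-running the assessment against the live server.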


A detailed analysis of this attack will soon be published on our Approach SOC blog. Stay tuned!


Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named « MultiLogin » to restore expired authentication cookies and log into users’ accounts, even if an account’s password was reset.


In late November 2023, BleepingComputer reported on two information-stealers, namely Lumma and Rhadamanthys, which claimed they could restore expired Google authentication cookies stolen in attacks.

These cookies would allow the cybercriminals to gain unauthorized access to Google accounts even after the legitimate owners have logged out, reset their passwords, or their session has expired.

Analysis from our SOC team
By restoring expired authentication cookies, attackers can access Google accounts even after users reset their passwords or log out. This underscores the critical need for enhanced security measures, both on the users' end and on Google's, to secure the undocumented OAuth endpoint and prevent further abuse.


Continuous monitoring for unusual activity, multi-factor authentication adoption (even better, phishing-resistant authentication), and user awareness are vital to mitigate the risks associated with such persistent threats.


Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.


The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down.


« These packages, upon initial use, deploy a CoinMiner executable on Linux devices, » Fortinet FortiGuard Labs researcher Gabby Xiong said, adding the campaign shares overlaps with a prior campaign that involved the use of a package called culturestreak to deploy a crypto miner.

Analysis from our SOC team
Although the packages have been taken down, the incident underscores the need for strict package verification and user awareness.

Organisations should remain vigilant, review package documentation, source code and dependencies, and implement security measures to detect and prevent such malicious packages from entering their systems.
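One way to put the "review source code and dependencies" advice into practice, as an added example that is not the Approach SOC's tooling and says nothing about how the three packages named above actually worked: the Python script below opens a source distribution (`.tar.gz`) before it is installed, lists its members, and uses the `ast` module to flag `setup.py` patterns that execute code at install time (a `cmdclass` override of a setuptools command, or calls such as `subprocess.run`, `os.system` and `base64.b64decode` inside the build script). The two sdists it inspects are constructed in memory; the call list `SUSPICIOUS_CALLS` is a heuristic chosen for this example.

```python
"""Pre-install review of a Python sdist for install-time execution hooks.

Added example, not Approach's tooling and not an analysis of any real package.
It lists the archive members and parses setup.py with the ast module to flag
code paths that run during 'pip install' rather than when the package is used.
"""
import ast
import io
import tarfile

# Heuristic (constructed for this example): calls a build script rarely needs.
SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system",
    "base64.b64decode", "urllib.request.urlopen", "exec", "eval",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute call target, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def review_setup_py(source):
    """Return sorted (line, description) findings for install-time hooks."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in SUSPICIOUS_CALLS:
            findings.append((node.lineno, "call to " + name))
        for kw in node.keywords:
            # cmdclass={"install": X} makes X.run() execute during installation.
            if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                hooked = [k.value for k in kw.value.keys if isinstance(k, ast.Constant)]
                findings.append((node.lineno, "cmdclass overrides: " + ", ".join(hooked)))
    return sorted(findings)


def review_sdist(data):
    """Inspect an in-memory .tar.gz sdist: member names plus setup.py findings."""
    report = {"members": [], "findings": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            report["members"].append(member.name)
            if member.isfile() and member.name.split("/")[-1] == "setup.py":
                source = tar.extractfile(member).read().decode("utf-8")
                report["findings"].extend(review_setup_py(source))
    return report


def review_sdist_path(path):
    """Convenience wrapper for a downloaded sdist on disk (e.g. from pip download)."""
    with open(path, "rb") as fh:
        return review_sdist(fh.read())


def _make_sdist(files):
    """Build a .tar.gz in memory from {path: text}; constructed sample input only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples. The hidden command decodes to "echo sample".
SUSPICIOUS_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import subprocess, base64

class PostInstall(install):
    def run(self):
        install.run(self)
        # constructed sample: a command hidden behind base64 runs at install time
        subprocess.run(base64.b64decode("ZWNobyBzYW1wbGU=").decode(), shell=True)

setup(name="sample-pkg", version="0.1", cmdclass={"install": PostInstall})
'''
CLEAN_SETUP_PY = 'from setuptools import setup\nsetup(name="sample-pkg", version="0.1")\n'
SAMPLE_SUSPICIOUS = _make_sdist({"sample-pkg-0.1/setup.py": SUSPICIOUS_SETUP_PY,
                                 "sample-pkg-0.1/sample_pkg/__init__.py": ""})
SAMPLE_CLEAN = _make_sdist({"sample-pkg-0.1/setup.py": CLEAN_SETUP_PY})

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        print(label, review_sdist(sample))
```

A finding is a prompt for a human review, not a verdict: legitimate packages do ship custom build commands, which is why the script reports the line numbers rather than blocking the install. Reviewing the sdist obtained with `pip download --no-binary :all:` (a real pip option) before installing into a clean environment keeps the hook from running while you read it.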


AXA Belgium warns of messages that pretend you are a beneficiary of the life insurance of a recently deceased person. These messages do not originate from AXA Belgium but from fraudsters.


The message asks you to provide additional documents and information. Do not do this! This information can be misused for identity fraud.


The messages come from e-mail addresses that look like AXA addresses but are not. For example axa.avie@gmail.com, contact@aixavie.com and other variants. They often carry some kind of reference number: AVL-245510216. The message is sometimes accompanied by an official-looking document.

Analysis from our SOC team
Recipients are urged not to share additional documents or information, as it may lead to identity fraud.

Have you received such a message?
– Do not forward details.
– Forward the email to suspicious@safeonweb.be.
– Delete the suspicious message.
