Akamai warns that attackers are compromising IOT devices and using them as proxies to test stolen credentials against web-based applications.

Connected devices aren’t just for DDoS attacks anymore.

Researchers at Akamai this week exposed how attackers are using a 12-year-old SSH vulnerability in combination with weak or default credentials to compromise an array of IOT and home networking devices. Those connected things are then being used as proxies to test stolen credentials on third-party web-based applications.

The tactic is known as credential stuffing, which is similar to brute-force attacks in their automation and thirst for verifying the validity of the stolen passwords.

Akamai said it was made aware of the attacks when a number of its customers started reporting unusual activity in February; the leveraging of the faulty SSH configuration, which was addressed in 2004 (CVE-2004-1653), ramped up in September. The company estimates that at least two million IOT and networking devices have been compromised and are being used as proxies in these credential-stuffing attacks.

“They were trying to log in to one of our customers with usernames and passwords in brute-force attacks. To fly below the radar, they need to use different proxies, otherwise there would be thousands of requests from the same IP address, and that would be flagged,” said Ezra Caltum, senior security research team leader at Akamai. Caltum along with Akamai senior director of threat research Ory Segal published a threat advisory this week, and labeled the attacks SSHowDown Proxy.

“We found that attackers are abusing this old vulnerability to use IOT devices as proxies,” Caltum said. “The objective is finding valid credentials.”

Most of the victims are in the gaming, retail and hospitality industries, Akamai said, but it would not say how successful the attacks were, nor whether they were a starting point for a deeper network intrusion.

The SSH issue was fixed in 2004, but apparently many vendors of connected devices—CCTVs, network video recorders, DVRs, satellite antenna equipment, routers, cable modems, network attached storage devices, and more—are still shipping with the weak configurations in place.

Akamai’s forensic investigation included examining suspicious HTTP and HTTPS traffic coming from a network video recorder (NVR). There were no unauthorized users on the device, but a check of the process IDs showed that the SSH daemon (sshd) was being used in all of the active connections, and the default admin:admin login has been used to access the device.

The oddity was that the admin user was not permitted to connect over SSH, and should have been disconnected via the nologin hardening feature in place with SSH. Instead, the attacker was using SSH’s capability to act as a SOCKS proxy, specifically an option that allows for TCP forwarding (AllowTCPForwarding=True), which essentially allowed it to bypass nologin.

“The interesting part is that this is a 12-year-old vulnerability, an old CVE that we’ve seen documented in a lot of places,” Caltum said. “This is not new. And now in 2016, these IOT devices are still being abused and converted into proxies.”

The attackers most likely are testing the validity of the credentials they have in their possession in order to monetize them elsewhere. Akamai cautioned that while it’s only seen brute-force attacks against Internet-facing servers, attacks against the internal network are not out of the realm of possibility.

Akamai recommended several mitigations that include users changing default credentials, disabling the SSH service if possible, or adding AllowTCPForwarding No into SSHd_config. Users can also deploy firewall rules to prevent SSH access to IOT devices from outside a trusted IP space, and use outbound firewall rules for IOT devices at the network perimeter, preventing tunnels from connecting outbound. Vendors, meanwhile, are urged to avoid the practice of shipping devices with default credentials or undocumented accounts, and also disabling SSH or configure it to disallow TCP forwarding.

IOT devices, meanwhile, continue to be in the middle of volatile and sometimes high-profile attacks. Large botnets comprised mostly of IOT devices have been responsible for massive DDoS attacks against Krebs on Security and other targets. And almost in every case, the devices are accessible in an insecure configuration and are being abused to attack third parties.

“We are in for an Internet of unpatachable things,” Caltum said. “This is my personal opinion, but I’m terrified about it.”

Most of these devices not only ship with weak credentials, but many also lack a viable update mechanism.

“Vendors are shipping devices insecure by default, and afterwards it’s quite complex to find firmware updates,” Caltum said. “Think about all the devices you have at home. When was the last time you did a firmware update on every one of them?”