
regreSSHion strikes again! OpenSSH falls foul of exploitation

July 2, 2024
5 minute read

They’re like buses, nothing for ages and then…too many all at once! We’ve just seen another big hitter surfacing: a flaw in OpenSSH with, by Qualys’ count, over 14 million potentially vulnerable server instances currently adrift on the internet. Strictly speaking it isn’t a zero-day, because the fix was published alongside the disclosure, but the window between that disclosure and everyone actually patching is exactly the race the zero-day lesson below is about.

What’s a Zero-day again?

Anyone who has read our previous blog on a zero-day attack (hopefully all of you) will already know that a zero-day attack is a cyberattack that leverages a previously unknown vulnerability. It gets its snappy name because there are ‘zero days’ to fix the flaw before it can be exploited by malicious actors – you have no time to act because you didn’t know.

These exploits are particularly dangerous because they’re often used before a patch (fix) or mitigation can be implemented, which makes them highly effective for attackers. It becomes a race: the good guys have to secure their systems before the bad guys (an attacker) find the vulnerable system in your estate and exploit it.

What’s happened this time now?

Curiously, this one is back for a second appearance. The new CVE (CVE-2024-6387) has been named regreSSHion by the Qualys Threat Research Unit, who identified it, because it is a regression of a previously patched vulnerability: CVE-2006-5051, fixed in OpenSSH 4.4p1 back in 2006, was reintroduced in October 2020 with OpenSSH 8.5p1 when a safety check was removed from code that runs inside a signal handler. That’s right: it was identified, resolved, and then re-introduced without anyone noticing for almost four years.

The vulnerability is in sshd, the OpenSSH server: a race condition in its SIGALRM signal handler which Qualys showed can give an unauthenticated remote attacker code execution as root on glibc-based Linux systems (demonstrated on 32-bit builds, believed exploitable on 64-bit). Affected releases are 8.5p1 up to and including 9.7p1, plus anything older than 4.4p1 that never received the original fix; 9.8p1 carries the repair. sshd is bundled by a huge number of vendors to provide secured command-line access for device management, and that proliferation is why so many potentially vulnerable devices show up on the internet.

Qualys stated that, within its own customer base, it sees approximately 700,000 internet-facing instances that are vulnerable. That is about 31% of all internet-facing OpenSSH servers across that global customer base.

Oh dear. How do we fix this?

The fix itself is to upgrade to OpenSSH 9.8p1, or to a distribution package that backports the patch (several distributions do this without bumping the upstream version number, so trust the package changelog, not the version banner). Where patching has to wait, the interim mitigation in the Qualys advisory is to set LoginGraceTime to 0 in sshd_config; that removes the timer whose signal handler triggers the race, but it lets unauthenticated connections occupy sshd indefinitely, so pair it with MaxStartups or a connection rate limit. Thankfully for Criticalis’ clients, we are also adept at worrying. We always restrict access (especially external access) as far as we can to known sources only, primarily so that devices on the internet are not constantly bombarded by people trying to get into them.
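The triage a practitioner actually has to do for this one is: read the OpenSSH version off each exposed host and decide whether it sits in the affected range, then confirm whether the interim mitigation is in place on anything that cannot be patched yet. The script below is an added example written for this article; it is not code from the Criticalis post, from OpenSSH or from the Qualys advisory. It encodes the affected ranges Qualys published (older than 4.4p1, and 8.5p1 up to but not including 9.8p1) and the LoginGraceTime 0 mitigation; the banner strings and config lines it runs over are constructed for the demo, not captured from real hosts.

```shell
#!/bin/sh
# Added example (not from the Criticalis post, OpenSSH or Qualys): classify
# sshd version banners against the regreSSHion (CVE-2024-6387) affected
# ranges and check sshd_config for the interim mitigation.
#
# Affected per the Qualys advisory:
#   - OpenSSH older than 4.4p1 (unless the CVE-2006-5051 fix was backported)
#   - OpenSSH 8.5p1 up to, but not including, 9.8p1
#
# Caveat: distributions backport fixes without changing the upstream version,
# so "in range" here means "go and check the package changelog", not "owned".

# Print "major.minor" from a banner or from `ssh -V` output; print nothing
# if the string does not identify an OpenSSH build at all.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 = version is in an affected range, 1 = outside the ranges,
# 2 = not an OpenSSH banner. Patch levels (p1, p2) do not matter here.
regresshion_vulnerable() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    # Encode as major*100+minor so the ranges become integer comparisons
    code=$((major * 100 + minor))
    if [ "$code" -lt 404 ]; then
        return 0
    elif [ "$code" -ge 805 ] && [ "$code" -lt 908 ]; then
        return 0
    fi
    return 1
}

# True if an sshd_config body contains an uncommented "LoginGraceTime 0".
# sshd keywords are case-insensitive, hence grep -i. Commented-out lines and
# non-zero values do not count.
login_grace_mitigated() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*LoginGraceTime[[:space:]]+0([[:space:]]|$)'
}

# Human-readable verdict for one banner.
classify_banner() {
    regresshion_vulnerable "$1" && rc=0 || rc=$?
    case $rc in
        0) printf 'IN AFFECTED RANGE : %s\n' "$1" ;;
        1) printf 'outside range     : %s\n' "$1" ;;
        *) printf 'not OpenSSH       : %s\n' "$1" ;;
    esac
}

# Constructed sample banners (not real hosts), one per branch.
for banner in \
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3" \
    "SSH-2.0-OpenSSH_9.8" \
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3" \
    "SSH-2.0-OpenSSH_4.3p2" \
    "SSH-2.0-dropbear_2022.83"
do
    classify_banner "$banner"
done

# Constructed sshd_config fragments: the default, and the mitigated form.
weak_cfg='#LoginGraceTime 2m
PermitRootLogin prohibit-password'
mitigated_cfg='LoginGraceTime 0
MaxStartups 10:30:100'
login_grace_mitigated "$weak_cfg" && echo "weak cfg: mitigated" || echo "weak cfg: NOT mitigated"
login_grace_mitigated "$mitigated_cfg" && echo "mitigated cfg: mitigated" || echo "mitigated cfg: NOT mitigated"
```

To run it against a real host, feed the banner you get from connecting to port 22 (the server sends it before any authentication) or the output of `ssh -V 2>&1` on the box itself; note that `ssh -V` reports the client build, which normally but not always matches the installed sshd package. A result of "in affected range" on a distribution-patched host is expected and is the cue to check the changelog, which is why the script reports ranges rather than claiming exploitability.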

But secondly, we do this so that when issues like regreSSHion occur, we don’t have a mad scramble to secure multiple exposed systems at once. That may sound as though we are now feeling smug. We’re not; quite the contrary, in fact. This only feeds our worries.

Yes, we have a moment of relief that for this one vulnerability at least, we’d had the forethought to see the potential risk and put mitigations in place in the expectation of such events. But that only intensifies the need to ruminate on what might happen next, what might be out there that we haven’t considered, what the risks are and where the holes might be. Our endless, constant anxiety is one of the things that makes us good at our job (and bad at sleeping). We’re conscientious about cyber security so that our clients can be a little more relaxed.

For those who own some of the 14 million potentially vulnerable devices out there, we hope they have good counsel and the resources to patch or lock them down as quickly as possible. We’d also recommend a bit of well-placed worry; the cyber threat landscape is varied and nasty, and preparation is always in your interests.
