A critical security flaw, known as regression and cataloged under CVE-2024-6387, has been identified in OpenSSH, just a few days ago. This vulnerability allows an unauthenticated attacker to execute arbitrary code and potentially obtain root access on the compromised system. Despite the severity sounding akin to notorious vulnerabilities like WannaCry and Log4Shell, the practical risk of widespread exploitation is moderated by specific technical complexities.
This issue is a regression, a reintroduction of a previously fixed bug (CVE-2006-5051) due to recent changes in the codebase, hence the name “regreSSHion”. The complexity of the exploit and prerequisites, such as system-specific memory structure preparations, limited the practicality of a widespread attack. Until now.
True; while this vulnerability poses a theoretical risk, real-world exploitation is less likely due to the effort required to exploit it effectively. Systems protected against brute-force or DDoS attacks are less vulnerable. However, targeted attacks remain a possibility with attackers potentially using low-frequency attempts spread over various IPs to evade detection.
Our research team analyzed some of the findings, published by Raghav Rastogi (@raghav127001), has uniquely identified active exploitation of CVE-2024-6387 in the wild, marking a significant aspect of this security analysis. The initial vector of this attack originates from the IP address 108.174.58./28, which was reported to host a directory listing exploit tools and scripts for automating the exploitation of vulnerable SSH servers.
The uploaded samples to VirusTotal revealed significant insights:
VirusTotal Sample Analysis
Targeted Attack Profile:
Our analysis points to a highly targeted approach adopted by the attacker, focusing specifically on:
- Geographical Focus: Most of the servers located in China, indicating a possible geostrategic or sector-specific motive.
- Vulnerability Profile: Some of the targeted servers have active vulnerabilities, with a predominant focus on those running OpenSSH versions ranging from 6.4 to 8.2. Notably, the majority are using version 7.4, suggesting that this version may have specific weaknesses that are being exploited.
- Additional Vulnerabilities: These servers also have multiple other vulnerabilities, which implies that the attacker is not solely reliant on CVE-2024-6387 but is also prepared to exploit other weaknesses, potentially escalating the attack’s complexity and severity.
Based on Raghav Rastogi (@raghav127001) research, a total of 3907 IP addresses from the attacker’s open directory were scanned using the Shodan API. It was found that 352 IPs are vulnerable to regreSSHion CVE-2024-6387.
| CVE | Description | Impact |
| CVE-2023-51767 | Potential row hammer attacks for authentication bypass due to the non-resilient nature of the integer value of authenticated in mm_answer_authpassword. | Affects systems where attacker-victim co-location is possible, with attackers having user privileges. |
| CVE-2023-51385 | Command injection vulnerability due to the handling of shell metacharacters in user names or host names in ssh. | Particularly through untrusted Git repositories containing submodule names with shell metacharacters. |
| CVE-2023-48795 (Terrapin Attack) | Mismanagement in SSH transport protocol’s extension negotiations allows bypassing integrity checks, downgrading security features. | Affects a broad range of software including Dropbear, PuTTY, and multiple SSH libraries, potentially leading to unauthorized access or information leakage. |
| CVE-2023-38408 | Insecure search path in ssh-agent could lead to remote code execution if an attacker controls the forwarded agent. | Urgent updates required as it relates to an incomplete fix from a previous CVE (CVE-2016-10009). |
| CVE | Description | Impact |
| CVE-2023-44487 | Denial of Service (DoS) vulnerability in the HTTP/2 protocol due to how request cancellations reset streams. | Noted to have been exploited from August through October 2023. |
| CVE-2021-23017 | Memory corruption in nginx resolver potentially causing crashes from UDP packet forgeries. | Affects server stability and could lead to further impacts depending on the attacker’s capabilities. |
| CVE-2021-3618 (ALPACA Attack) | Attack leveraging TLS protocol confusion to redirect traffic between subdomains, compromising authentication processes. | Requires MITM position and access to traffic at the TCP/IP layer. |
Historical and Miscellaneous Vulnerabilities:
| CVE | Description | Impact |
| CVE-2019 Series CVE-2019-20372, CVE-2019-9516, CVE-2019-9513, CVE-2019-9511 | These vulnerabilities range from HTTP request smuggling in NGINX configurations to various forms of DoS attacks affecting HTTP/2 implementations. | Could lead to unauthorized information access, excessive resource consumption, and service disruptions |
Special Mention regreSSHion:
| CVE | Description | Impact |
| CVE-2024-6387 | A critical vulnerability in OpenSSH allowing unauthenticated attackers to execute arbitrary code and gain root privileges through specific conditions during SSH authentication attempts. | This vulnerability highlights a regression, reintroducing a previously resolved issue, emphasizing the importance of rigorous change management and continuous security testing. |
Attacker Profile and Motivations
The recent series of attacks spearheaded by the discovery of regreSSHion CVE-2024-6387 illustrate a sophisticated threat actor with possible motivations that intertwine geopolitical and financial incentives. Given the targeted nature of the attacks and the sophistication of the methodologies used, it is plausible that the attacker(s) aim to exploit vulnerabilities for research purposes, espionage, or monetary gain. The usage of known vulnerabilities within OpenSSH, coupled with the exploitation of specific CVEs, suggests a high level of technical acumen and a deep understanding of both software and network architecture.
The attacker’s choice of targets—primarily entities within China—raises questions about the objectives. Are these targets of opportunity or have they been specifically selected for their strategic importance? The deployment of specific exploits indicates a deliberate strategy to compromise systems known to be vulnerable, leveraging both known and zero-day vulnerabilities. This methodical approach underscores the calculated risks the attacker is willing to take to achieve their ends, hinting at possible state-sponsored activities or high-stakes corporate espionage. As the investigation continues, the layering of motives and the complexity of the attack vectors used will undoubtedly unravel further, providing deeper insights into one of the most concerning cybersecurity threats of the year.
Expanded Indicators of Compromise (IoC)
Domain and IP Address Analysis
- IoC Domain: botbot.ddosvps./cc
Related IP: 209.141.53./247
Context: This domain and its related IP address have been instrumental in command and control (C&C) operations of a botnet. Notably, this IP has historical ties to significant malware threats such as AgentTesla and Mirai Botnet, indicating a well-established threat actor.
Associated Threats and Past Activities
The IP address 209.141.53./247 has been involved in numerous cyber-attacks, showing a pattern of malicious activities that span various forms of cyber aggression, including data theft, system intrusion, and botnet activities:
- AgentTesla: Known for its capabilities in keylogging and credential theft, this malware’s linkage to the IP suggests sophisticated espionage or data exfiltration maneuvers.
- Mirai Botnet: The association with Mirai hints at the attacker’s ability to harness compromised IoT devices for large-scale Distributed Denial of Service (DDoS) attacks.
Such findings underscore the importance of swift and comprehensive response strategies, including but not limited to:
- Immediate isolation of traffic to and from the implicated domain.
- Enhanced monitoring of all systems potentially communicating with the identified C&C infrastructure.
- Deployment of advanced threat detection tools to uncover further anomalies related to this campaign.
- Collaborative efforts with cybersecurity communities to blacklist and mitigate the effects from the known malicious domain.
Conclusion
In summary, the discovery and exploitation of RegreSSHion CVE-2024-6387 highlight the critical need for proactive vulnerability management and advanced threat detection. Our research emphasizes the importance of continuous monitoring, swift remediation, and collaboration within the cybersecurity community to mitigate such sophisticated attacks and protect against evolving threats
*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/regresshion-cve-2024-6387-a-targeted-exploit-in-the-wild/