ICS-CERT officials said there has been a rise in secure shell (SSH) scanning of Internet-facing control systems, and they are warning users to be aware.
Quite a few manufacturers have been seeing a large number of access attempts by remote attackers, ICS-CERT said. Systems that provide SSH command line access are common targets for “brute force” attacks.
ICS-CERT received a report from an electric utility experiencing unsuccessful brute force activity against their networks last week.
A brute force authentication attack attempts to obtain a user’s logon credentials by guessing usernames and passwords. Brute force login tools exist for most services that allow remote access.
Attackers can use brute force applications, such as password guessing tools and scripts, to automate username and password guessing. Those applications may use default password databases, dictionaries, or rainbow tables that contain commonly used passwords, or they may try all combinations of a character set to guess a password.
To find running SSH services on networks, attackers probe a large number of IPs on Port 22/TCP — the default SSH listening port. If a response from the probe of Port 22/TCP comes back, the attacker may initiate a brute force attack.
ICS-CERT recommended organizations monitor network logs for port scans as well as access attempts.
Hundreds or thousands of login attempts over a relatively short time period are an indicator of a brute force attack, because systems running SSH normally do not receive high volumes of login attempts. However, an indication of an attack does not necessarily mean the organization is the intended target: scans often cover a wide range of IP addresses looking for any system meeting the attacker’s criteria.
Because high-volume scans are discovered fairly quickly, attackers may try to evade intrusion detection systems (IDS) by making only a few careful attempts, then waiting to try again later. Organizations should look carefully for these “quiet” attempts as possible precursors to more direct attacks.
While SSH is usually associated with UNIX or Linux systems, many other types of devices, including control system equipment, provide SSH access, and control system devices often have it enabled by default.
ICS-CERT suggests that critical infrastructure and key resource (CIKR) asset owners and operators examine their control network configurations and establish a baseline configuration and traffic pattern.
They should also audit their control systems — whether or not they think their control systems are on the Internet — to discover and verify removal of any default user names and passwords, ICS-CERT said.
Control system owners and operators should take the following defensive measures to minimize the risk of exploitation of these vulnerabilities:
1. Minimize network exposure for all control system networks and devices. Control system devices should not directly face the Internet.
2. Locate control system networks and devices behind firewalls, and isolate them from the business network. Stay actively aware of what is on the network by performing periodic port scans (where and when possible).
3. If the user requires remote access, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
4. Remove, disable, or rename any default system accounts wherever possible.
5. Implement account lockout policies to reduce the risk from brute forcing attempts.
6. Implement policies requiring the use of strong passwords. Make password lengths long and combine letters, numbers, and special characters.
7. Monitor the creation of administrator level accounts by third-party vendors.
The following are some specific SSH mitigations:
• Configure SSH servers to use nonstandard ports. SSH normally listens on Port 22/TCP, but it can listen on any other unused TCP port (TCP offers 65,535 ports). Because many scanning tools only scan a limited (low) port range by default, selecting a nonstandard high port number makes the SSH service less likely to be detected by those tools.
• Restrict access to SSH servers. Only allow access from specific hosts rather than from anywhere. If the SSH server supports public-key authentication, consider using it as an alternative to static passwords.
• Use Intrusion Detection/Intrusion Prevention. An intrusion detection system (IDS) monitors networks for malicious activity or policy violations. IDS systems can aid in investigations of system breaches.
Intrusion prevention systems (IPS) incorporate IDS functionality but also include the ability to block an attack as it is happening, preventing harm to the control system network rather than simply announcing that an attack has occurred.
Organizations that detect suspicious activity should check their logs to see whether any of the attempts were successful. If a successful login from a brute force attack is found, the organization should implement its cyber incident response plan. In addition, organizations should carefully adhere to computer forensic best practices to avoid destroying potential evidence.
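As an added illustration of the log-monitoring advice above (this is not code from ICS-CERT or from the article), the following Python script runs both checks described here, the high-volume burst and the “quiet” low-and-slow pattern, over constructed OpenSSH log lines for a hypothetical gateway named plc-gw, and reports whether a flagged source later logged in successfully. The thresholds, the hostname, and the sample addresses are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH auth lines in syslog format, e.g. "Failed password for invalid user admin from 1.2.3.4 port 5 ssh2".
AUTH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"(?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def parse(lines):
    """Yield (timestamp, result, source ip) for each sshd auth line; non-auth lines are ignored."""
    for m in filter(None, map(AUTH_RE.match, lines)):
        yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["ip"]  # year is irrelevant for deltas

def analyze(lines, burst_n=20, burst_window=timedelta(minutes=5), quiet_n=6, quiet_span=timedelta(hours=4)):
    """Per source IP: flag a noisy burst, a low-and-slow pattern, and whether a flagged source later got in."""
    by_ip = defaultdict(list)
    for ts, result, ip in parse(lines):
        by_ip[ip].append((ts, result))
    report = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, r in evs if r == "Failed"]
        # Burst: some run of burst_n consecutive failures fits inside burst_window (the high-volume scan).
        burst = any(fails[i + burst_n - 1] - fails[i] <= burst_window for i in range(len(fails) - burst_n + 1))
        # Quiet: a handful of failures spread over hours that never forms a burst (the IDS-evading pattern).
        quiet = not burst and len(fails) >= quiet_n and fails[-1] - fails[0] >= quiet_span
        # Success after attack: an Accepted login from a flagged source once its guessing had begun.
        got_in = (burst or quiet) and any(r == "Accepted" and ts >= fails[0] for ts, r in evs)
        if burst or quiet:
            report[ip] = {"failures": len(fails), "burst": burst, "low_and_slow": quiet, "success_after_attack": got_in}
    return report

def sample_log():
    """Constructed sshd lines for a hypothetical gateway 'plc-gw'; addresses are documentation ranges, not real hosts."""
    t0 = datetime(1900, 1, 10, 2, 0, 0)  # 1900 matches strptime's default year, so parsed times compare exactly
    def line(t, pid, result, user, ip):
        return f"{t:%b %d %H:%M:%S} plc-gw sshd[{pid}]: {result} for {user} from {ip} port {40000 + pid} ssh2"
    lines = [line(t0 + timedelta(seconds=2 * i), 1000 + i, "Failed password", "invalid user admin", "198.51.100.7")
             for i in range(30)]  # 30 guesses in one minute: the high-volume scan
    for h in range(6):  # two guesses an hour for six hours: the "quiet" attacker, then a default password works
        lines += [line(t0 + timedelta(hours=h, minutes=7 * j), 2000 + 2 * h + j, "Failed password", "root", "203.0.113.9")
                  for j in range(2)]
    lines.append(line(t0 + timedelta(hours=6), 2100, "Accepted password", "root", "203.0.113.9"))
    lines.append(line(t0 + timedelta(minutes=30), 3000, "Failed password", "operator", "192.0.2.5"))  # one operator typo
    lines.append(line(t0 + timedelta(minutes=31), 3001, "Accepted publickey", "operator", "192.0.2.5"))
    return lines

if __name__ == "__main__":
    for ip, finding in analyze(sample_log()).items():
        print(ip, finding)
```

The single operator typo from 192.0.2.5 is not reported, so the script only raises the cases the article describes: the noisy scanner and the quiet source that eventually authenticated with a default password.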