RegreSSHion CVE-2024-6387: A Targeted Exploit in the Wild  

Jul 3, 2024

A critical security flaw, known as regreSSHion and cataloged as CVE-2024-6387, was identified in OpenSSH just a few days ago. This vulnerability allows an unauthenticated attacker to execute arbitrary code and potentially obtain root access on the compromised system. Although its severity sounds akin to notorious vulnerabilities like WannaCry and Log4Shell, the practical risk of widespread exploitation is moderated by specific technical complexities.

This issue is a regression, a reintroduction of a previously fixed bug (CVE-2006-5051) due to recent changes in the codebase, hence the name “regreSSHion”. The complexity of the exploit and prerequisites, such as system-specific memory structure preparations, limited the practicality of a widespread attack. Until now.

While this vulnerability poses a theoretical risk, real-world exploitation is less likely because of the effort required to exploit it effectively. Systems protected against brute-force or DDoS attacks are less vulnerable. However, targeted attacks remain a possibility, with attackers potentially using low-frequency attempts spread over various IPs to evade detection.
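Per-source rate limits miss the low-frequency, multi-IP pattern described above. The following detection sketch is an added example, not code from the original post or the cited researcher: it counts sshd "Timeout before authentication" lines, which the public Qualys advisory for CVE-2024-6387 names as the log trace of exploitation attempts, across all sources in a sliding window. The syslog line format, the thresholds and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Traditional syslog format is assumed; adjust the pattern for journald/ISO stamps.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?:fatal: )?Timeout before authentication for (?P<ip>\S+) port \d+")

def timeout_events(lines, year=2024):
    """Extract (timestamp, source_ip) for every pre-auth timeout line."""
    events = []
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return sorted(events)

def detect(events, window=timedelta(hours=1), per_ip_limit=5,
           fleet_limit=6, min_sources=3):
    """Return (noisy_ips, distributed): per-source hits and the aggregate signal."""
    noisy_ips, distributed, start = set(), False, 0
    for end in range(len(events)):
        # Slide the window start forward until it spans at most `window`.
        while events[end][0] - events[start][0] > window:
            start += 1
        counts = Counter(ip for _, ip in events[start:end + 1])
        noisy_ips.update(ip for ip, n in counts.items() if n >= per_ip_limit)
        # Many timeouts overall, but spread thinly over several sources.
        if sum(counts.values()) >= fleet_limit and len(counts) >= min_sources:
            distributed = True
    return sorted(noisy_ips), distributed

# Constructed sample: one normal login, then 8 timeouts from 8 different
# documentation-range addresses, one every five minutes.
SAMPLE_LOG = [
    "Jul  3 09:58:12 host1 sshd[900]: Accepted publickey for deploy "
    "from 192.0.2.10 port 50000 ssh2",
] + [
    f"Jul  3 10:{5 * i:02d}:00 host1 sshd[{1000 + i}]: fatal: Timeout before "
    f"authentication for 198.51.100.{10 + i} port {40000 + i}"
    for i in range(8)
]

if __name__ == "__main__":
    print(detect(timeout_events(SAMPLE_LOG)))
```

On the sample, no single address reaches the per-source limit, yet the aggregate check fires.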

Our research team, analyzing some of the findings published by Raghav Rastogi (@raghav127001), has uniquely identified active exploitation of CVE-2024-6387 in the wild, marking a significant aspect of this security analysis. The initial vector of this attack originates from the IP address 108.174.58./28, which was reported to host a directory listing exploit tools and scripts for automating the exploitation of vulnerable SSH servers.

Figure 1: Example script 
Figure 2: directory of exploits. 

The samples uploaded to VirusTotal revealed significant insights:
VirusTotal Sample Analysis 

Targeted Attack Profile:

 Our analysis points to a highly targeted approach adopted by the attacker, focusing specifically on: 

  • Geographical Focus: Most of the servers are located in China, indicating a possible geostrategic or sector-specific motive.
  • Vulnerability Profile: Some of the targeted servers have active vulnerabilities, with a predominant focus on those running OpenSSH versions ranging from 6.4 to 8.2. Notably, the majority are using version 7.4, suggesting that this version may have specific weaknesses that are being exploited. 
  • Additional Vulnerabilities: These servers also have multiple other vulnerabilities, which implies that the attacker is not solely reliant on CVE-2024-6387 but is also prepared to exploit other weaknesses, potentially escalating the attack’s complexity and severity. 

Based on research by Raghav Rastogi (@raghav127001), a total of 3907 IP addresses from the attacker’s open directory were scanned using the Shodan API. It was found that 352 IPs are vulnerable to regreSSHion CVE-2024-6387.

  • CVE-2023-51767: Potential row hammer attacks for authentication bypass due to the non-resilient nature of the integer value of authenticated in mm_answer_authpassword. Affects systems where attacker-victim co-location is possible, with attackers having user privileges.
  • CVE-2023-51385: Command injection vulnerability due to the handling of shell metacharacters in user names or host names in ssh, particularly through untrusted Git repositories containing submodule names with shell metacharacters.
  • CVE-2023-48795 (Terrapin Attack): Mismanagement in the SSH transport protocol’s extension negotiations allows bypassing integrity checks, downgrading security features. Affects a broad range of software including Dropbear, PuTTY, and multiple SSH libraries, potentially leading to unauthorized access or information leakage.
  • CVE-2023-38408: Insecure search path in ssh-agent could lead to remote code execution if an attacker controls the forwarded agent. Urgent updates required as it relates to an incomplete fix from a previous CVE (CVE-2016-10009).
  • CVE-2023-44487: Denial of Service (DoS) vulnerability in the HTTP/2 protocol due to how request cancellations reset streams. Noted to have been exploited from August through October 2023.
  • CVE-2021-23017: Memory corruption in the nginx resolver, potentially causing crashes from UDP packet forgeries. Affects server stability and could lead to further impacts depending on the attacker’s capabilities.
  • CVE-2021-3618 (ALPACA Attack): Attack leveraging TLS protocol confusion to redirect traffic between subdomains, compromising authentication processes. Requires MITM position and access to traffic at the TCP/IP layer.

Historical and Miscellaneous Vulnerabilities: 

  • CVE-2019 Series (CVE-2019-20372, CVE-2019-9516, CVE-2019-9513, CVE-2019-9511): These vulnerabilities range from HTTP request smuggling in NGINX configurations to various forms of DoS attacks affecting HTTP/2 implementations. Could lead to unauthorized information access, excessive resource consumption, and service disruptions.

Special Mention regreSSHion: 

  • CVE-2024-6387: A critical vulnerability in OpenSSH allowing unauthenticated attackers to execute arbitrary code and gain root privileges through specific conditions during SSH authentication attempts. This vulnerability highlights a regression, reintroducing a previously resolved issue, emphasizing the importance of rigorous change management and continuous security testing.
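The version profile and scan results above rest on what an SSH banner reveals. The following triage sketch is an added example, not the researcher's tooling or code from the original post: it classifies banners from a defender's own inventory against the upstream affected ranges given in the public Qualys advisory for CVE-2024-6387. The function names, status labels and sample inventory are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Upstream ranges from the public Qualys advisory for CVE-2024-6387
# (glibc-based Linux): below 4.4p1 if never patched for CVE-2006-5051,
# and 8.5p1 up to but excluding 9.8p1. Versions in between are not affected.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)\S*(?: (\S+))?")

def classify(banner):
    """Return (status, vendor_tag) for one SSH identification string."""
    m = BANNER_RE.search(banner)
    if not m:
        return ("unknown", None)
    version = (int(m.group(1)), int(m.group(2)))
    vendor_tag = m.group(3)  # distro package tag, if the banner carries one
    if version < (4, 4):
        return ("in-range-legacy", vendor_tag)
    if (8, 5) <= version < (9, 8):
        return ("in-range", vendor_tag)
    return ("outside-range", vendor_tag)

def triage(banners):
    """Tally statuses and list hosts that need a package-level check."""
    tally, follow_up = Counter(), []
    for host, banner in banners.items():
        status, vendor_tag = classify(banner)
        tally[status] += 1
        if status.startswith("in-range"):
            # A banner version alone cannot confirm or rule out a backported fix.
            follow_up.append((host, banner, vendor_tag))
    return tally, follow_up

# Constructed inventory (documentation addresses, not data from the post).
SAMPLE_BANNERS = {
    "192.0.2.1": "SSH-2.0-OpenSSH_7.4",
    "192.0.2.2": "SSH-2.0-OpenSSH_6.4",
    "192.0.2.3": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11",
    "192.0.2.4": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",
    "192.0.2.5": "SSH-2.0-OpenSSH_8.5",
    "192.0.2.6": "SSH-2.0-OpenSSH_9.8",
    "192.0.2.7": "SSH-2.0-OpenSSH_4.3",
    "192.0.2.8": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    tally, follow_up = triage(SAMPLE_BANNERS)
    print(dict(tally))
    for row in follow_up:
        print(row)
```

By these upstream ranges, banners from 6.4 through 8.2, including 7.4, classify as outside the CVE-2024-6387 range, so hosts matching that profile should also be assessed against the other CVEs listed above.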

Attacker Profile and Motivations

The recent series of attacks spearheaded by the discovery of regreSSHion CVE-2024-6387 illustrates a sophisticated threat actor with possible motivations that intertwine geopolitical and financial incentives. Given the targeted nature of the attacks and the sophistication of the methodologies used, it is plausible that the attacker(s) aim to exploit vulnerabilities for research purposes, espionage, or monetary gain. The usage of known vulnerabilities within OpenSSH, coupled with the exploitation of specific CVEs, suggests a high level of technical acumen and a deep understanding of both software and network architecture.

The attacker’s choice of targets—primarily entities within China—raises questions about the objectives. Are these targets of opportunity or have they been specifically selected for their strategic importance? The deployment of specific exploits indicates a deliberate strategy to compromise systems known to be vulnerable, leveraging both known and zero-day vulnerabilities. This methodical approach underscores the calculated risks the attacker is willing to take to achieve their ends, hinting at possible state-sponsored activities or high-stakes corporate espionage. As the investigation continues, the layering of motives and the complexity of the attack vectors used will undoubtedly unravel further, providing deeper insights into one of the most concerning cybersecurity threats of the year. 

Expanded Indicators of Compromise (IoC) 

Domain and IP Address Analysis 

  • IoC Domain: botbot.ddosvps./cc
    Related IP: 209.141.53./247
    Context: This domain and its related IP address have been instrumental in command and control (C&C) operations of a botnet. Notably, this IP has historical ties to significant malware threats such as AgentTesla and Mirai Botnet, indicating a well-established threat actor.   

Associated Threats and Past Activities 

The IP address 209.141.53./247 has been involved in numerous cyber-attacks, showing a pattern of malicious activities that span various forms of cyber aggression, including data theft, system intrusion, and botnet activities: 

  • AgentTesla: Known for its capabilities in keylogging and credential theft, this malware’s linkage to the IP suggests sophisticated espionage or data exfiltration maneuvers. 
  • Mirai Botnet: The association with Mirai hints at the attacker’s ability to harness compromised IoT devices for large-scale Distributed Denial of Service (DDoS) attacks. 
Figure 4: Malicious Domain

Such findings underscore the importance of swift and comprehensive response strategies, including but not limited to: 

  • Immediate isolation of traffic to and from the implicated domain. 
  • Enhanced monitoring of all systems potentially communicating with the identified C&C infrastructure. 
  • Deployment of advanced threat detection tools to uncover further anomalies related to this campaign. 
  • Collaborative efforts with cybersecurity communities to blacklist and mitigate the effects of the known malicious domain.


In summary, the discovery and exploitation of RegreSSHion CVE-2024-6387 highlight the critical need for proactive vulnerability management and advanced threat detection. Our research emphasizes the importance of continuous monitoring, swift remediation, and collaboration within the cybersecurity community to mitigate such sophisticated attacks and protect against evolving threats.
