It seems like once or twice a year threat researchers discover a massive and often internet-exposed software vulnerability that allows cybercriminals to gain control of a vulnerable computer. Attackers can then use the computer as a foothold that leads to serious damage in a targeted organisation.
Do you remember Dirty COW (CVE-2016-5195), runc (CVE-2019-5736), Sudo (CVE-2019-14287), ZeroLogon (CVE-2020-1472), PwnKit (CVE-2021-4034) or Dirty Pipe (CVE-2022-0847)? Recently, regreSSHion (CVE-2024-6387) joined the list of vulnerabilities with “elegant” names and large potential impact. It was discovered and disclosed by the Qualys Threat Research Unit.
RegreSSHion: a new OpenSSH software vulnerability
RegreSSHion is a vulnerability in the OpenSSH server. OpenSSH is an open-source tool that enables secure remote system administration, file transfers and other communication over the internet and other untrusted networks. It ships with most Unix-like operating systems, including macOS and Linux.
Qualys states in its vulnerability disclosure blog that regreSSHion, if exploited, could lead to a full system takeover. Attackers could use the compromised system to exploit other vulnerable systems within a company, bypassing critical security mechanisms.
The severity of this impact, combined with how widely OpenSSH is deployed and exposed to the internet, creates a global challenge. Qualys estimates that there are more than 14 million potentially vulnerable OpenSSH server instances on the internet. It also estimates that about 700,000 external internet-facing instances are vulnerable.
That is a large number. So, let the patching begin, right? That way, we can all move on to the next security challenge. But wait – not so fast.
Patching takes time – meanwhile, attackers can bypass security controls
Even the best IT teams can take a long time to patch vulnerabilities. For some teams, the work can stretch into months, years or even longer. This extended exposure time is a serious problem. Threat actors can scan the internet to look for vulnerable systems, just like security researchers do.
How can businesses protect themselves in the pre-patching phase? Should they use log-based monitoring, firewalls or agent-based EDR or XDR security systems to detect and stop intrusions?
These security measures are not sufficient on their own. Keep in mind that regreSSHion gives bad actors root privileges on the compromised host. That means they can likely turn off or bypass any security control that operates on, or via, that host. This is a fundamental weakness of local security controls: they are both visible and available for manipulation by malicious actors who have gained administrative privileges on the system.
ITDR security systems, including deception-based detections, provide defence-in-depth
So, what can your business do during the vulnerable period between the public announcement of a CVE, such as RegreSSHion, and the point at which your IT teams can find and patch the affected systems? After all, during this critical window the vulnerability is also known to, and findable by, adversaries. This is where an ITDR (identity threat detection and response) solution in general, and deception-based security controls in particular, come into play and can truly shine.
Signature or behaviour-based detection systems need telemetry to detect a threat actor’s presence. And they must be active to collect data and execute analysis. However, as noted earlier, once they have root system administrative privileges, attackers can, in many cases, simply disable or bypass these systems.
Deceptions work differently. Tools like Proofpoint Shadow can deploy authentic-looking resources—like files, accounts and services—throughout the enterprise. These resources serve as lures for threat actors who want to use them to move laterally and escalate privileges. When they attempt to do that, a silent detection alert is triggered and forensic data is sent to the incident response team.
With deceptions, there is nothing for a malicious actor to find and turn off. There is no agent running locally. And there is no need for log files to be collected and analysed to detect the presence of a threat actor. A malicious resident cannot tell the difference between real and fake local resources on any given host without trying to use them first. And using them to attempt to move laterally, of course, is the ultimate tell.
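As an added illustration of the "using the lure is the tell" principle, the following Python detector treats any SSH authentication attempt against a decoy account as a high-fidelity alert. It is example code written for this article, not Proofpoint's code and not how Proofpoint Shadow is implemented; the decoy account names and sshd log lines are constructed, and the detector is assumed to run on the decoy's host or a central collector rather than on the compromised machine.

```python
import re
from dataclasses import dataclass

# Constructed sshd log lines in syslog/auth.log format (not captured from a real host).
SAMPLE_LOG = """\
Jul  2 09:14:03 db-01 sshd[2211]: Accepted publickey for deploy from 10.0.4.17 port 50212 ssh2: RSA SHA256:EXAMPLEFP
Jul  2 09:14:09 db-01 sshd[2230]: Failed password for svc_backup_admin from 10.0.4.88 port 41022 ssh2
Jul  2 09:14:12 db-01 sshd[2230]: Accepted password for svc_backup_admin from 10.0.4.88 port 41022 ssh2
Jul  2 09:15:40 db-01 sshd[2260]: Invalid user oracle_legacy from 10.0.4.88 port 41103
Jul  2 09:16:01 db-01 sshd[2271]: Accepted publickey for deploy from 10.0.4.17 port 50230 ssh2: RSA SHA256:EXAMPLEFP
"""

# Hypothetical decoy (lure) account names: they exist only to be tripped over,
# so no legitimate user or job should ever authenticate as them.
DECOY_ACCOUNTS = {"svc_backup_admin", "oracle_legacy"}

# Matches sshd success, failure and invalid-user lines; captures outcome, user and source IP.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted \w+|Failed \w+|Invalid user)(?: for)? "
    r"(?P<user>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class DecoyAlert:
    host: str      # decoy host that saw the attempt (syslog hostname field)
    user: str      # decoy account that was touched
    src: str       # source IP of the attempt, i.e. the likely compromised host
    outcome: str   # "Accepted password", "Failed password", "Invalid user", ...


def detect_decoy_use(log_lines, decoy_accounts=DECOY_ACCOUNTS):
    """Return one alert per authentication attempt against a decoy account.

    Failed attempts count too: knowledge of the lure's name is itself the signal,
    so no threshold or baseline is needed, unlike ordinary brute-force detection."""
    alerts = []
    for line in log_lines:
        m = SSHD_AUTH.search(line)
        if not m or m["user"] not in decoy_accounts:
            continue
        host = line.split()[3]
        alerts.append(DecoyAlert(host, m["user"], m["src"], m["outcome"]))
    return alerts


def suspicious_sources(alerts):
    """Source addresses that touched a lure: the hosts incident response should look at first."""
    return {a.src for a in alerts}


if __name__ == "__main__":
    for alert in detect_decoy_use(SAMPLE_LOG.splitlines()):
        print(alert)
```

Because the alert is raised by the decoy's host when the lure is used, an attacker with root on the originating machine has nothing local to disable to suppress it.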
In the case of regreSSHion—or any other past, present or future vulnerability—deception-based threat detection can be a highly effective defence-in-depth strategy. Combined with identity vulnerability discovery and remediation carried out before a malicious actor arrives, it can stop software vulnerabilities from leading to significant breaches.
Learn more about Proofpoint Identity Threat Defense
Proofpoint Shadow, a component of Proofpoint Identity Threat Defense, creates a rich maze of false data and fake routes through your enterprise. Even the most advanced cybercriminal can’t tell what’s real and what’s not. This makes it nearly impossible for attackers to move toward your critical IT assets without being detected. Download the solution brief to learn more.
For a broader discussion of how Proofpoint’s ITDR solution, Identity Threat Defense, can defend against attackers that have already gained an initial foothold in your organisation, see the Proofpoint Identity Threat Defense solution.