11M SSH Servers Vulnerable to Terrapin Attack

In December 2023, researchers disclosed the Terrapin attack (CVE-2023-48795), in which an attacker positioned between an SSH client and server can silently truncate the beginning of the encrypted channel and downgrade the security of the connection, for example by stripping the extension negotiation message, without either side detecting it. Against some implementations the same technique can also be used to redirect a victim into an attacker-controlled shell.

The attack has two root causes. First, the SSH handshake does not authenticate the full message transcript, so a man-in-the-middle can inject an unauthenticated message (such as SSH_MSG_IGNORE) before encryption begins without invalidating the key exchange. Second, packet sequence numbers are not reset when the encrypted channel is established, so the injected message shifts the sequence number and lets the attacker drop the first encrypted message while the sequence numbers on both sides still line up. Together these enable prefix truncation, sequence number manipulation, and extension negotiation downgrade attacks against SSH servers.

11 Million Vulnerable Servers

According to Shadowserver data shared with Cyber Security News, nearly 11 million SSH servers worldwide were found to be exposed to the Terrapin attack. Although there are no confirmed reports of exploitation, vulnerable servers were found in every country surveyed.


The figure is based on Shadowserver scan data queried with the tags “ssh,” “ssh6,” and “CVE-2023-48795” for the current date, and covers both IPv4 and IPv6 SSH servers. Because the scan inspects what each server offers during the handshake rather than attempting the attack, the count reflects servers that lack strict key exchange support and offer an affected cipher and MAC combination, not confirmed exploitation. The CVE carries a CVSS severity rating of 5.9 (Medium).

Shadowserver statistics on vulnerable SSH servers (Source: Twitter/@Shadowserver)

The USA tops the list with more than 3.3 million servers, followed by China with 1.3 million. Germany and Russia were found to have 1 million and 700K vulnerable servers, respectively.

Singapore, Japan, France, the UK, and the Netherlands each had roughly 350K to 400K vulnerable SSH servers, while Hong Kong, Canada, and India each had between 200K and 300K.

To date there is no evidence of in-the-wild exploitation. Given the number of exposed servers, however, Terrapin is an attractive technique for attackers who can already intercept traffic, since the attack requires a man-in-the-middle position between client and server.

Organizations are advised to update SSH clients and servers to versions that support strict key exchange (OpenSSH 9.6 and later, and the corresponding releases of other implementations). Where an update is not yet available, disable the affected algorithms: chacha20-poly1305@openssh.com and any CBC cipher used together with an Encrypt-then-MAC (-etm@openssh.com) MAC. Note that strict key exchange only protects a connection when both the client and the server support it.

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.