Shellshock Attacks Raging

Wednesday, October 1, 2014 @ 10:10 AM gHale


Ever since the existence of the GNU Bash flaw (Shellshock) came to light last week, bad guys have been on the hunt for computers they can exploit, researchers said.

The Shellshock vulnerability is dangerous because it can end up exploited to remotely execute code on affected machines, which could lead to malware injections, data theft and server hijacking. Because the shell sees wide use, millions of users are at risk, said researchers at Incapsula.

RELATED STORIES
Honeypot Finds Shellshock Attacks
Shellshock: Cisco Lists 31 Vulnerable Products
After Fix, New Bash Flaws Found
‘Shellshock’ Details Unveiled

In fact, in the four days since researchers disclosed the vulnerability, Incapsula’s Web application firewall deflected more than 217,000 exploit attempts on over 4,100 domains. The company estimates the total Shellshock attacks could be as high as 1 billion.

Close to 900 IP addresses from almost every country in the world have participated in the attacks documented by Incapsula. The majority of the exploit attempts traced back to the United States and China. In the first 24 hours, these two countries accounted for over half of the attacks.

Scanners designed to verify the existence of the vulnerability accounted for 68 percent of the Shellshock attacks detected by Incapsula. Only 6 percent of them were automated tools; the rest were probing attempts likely to lead to an attack.

Roughly 18 percent of the attacks observed by the company involved shells. In these operations, the attackers attempted to gain remote access and hijack servers. Some threat groups also leveraged the Shellshock vulnerability to plant DDoS malware. These types of attacks accounted for 16 percent of the hits recorded by Incapsula.

In a small number of attacks (0.7 percent), cybercriminals attempted to hijack servers with IRC bots. Others have tried to exploit the Bash vulnerability for reflected DDoS attacks. According to Incapsula, the average attack rate has nearly doubled over the past days, reaching close to 2,000 attacks per hour.

Security firms have already updated their solutions to ensure that customers have protection against Shellshock attacks. In the meantime, companies whose products use the GNU Bash shell have started releasing updates to fix the bug.

Apple said most OS X users are not vulnerable, unless they have configured advanced UNIX services. The company released an update on Monday to ensure all its customers have protection.

Oracle and Cisco, both of which have numerous products that rely on the shell, started rolling out security updates.

The initial vulnerability, CVE-2014-6271, ended up patched quickly. However, the fix turned out to be incomplete so a new CVE ended up assigned, CVE-2014-7169. Later, Red Hat Product Security researcher Florian Weimer identified additional issues that gained CVE-2014-7186 and CVE-2014-7187 case numbers. Patches are available for these flaws as well.



Leave a Reply

You must be logged in to post a comment.