Shellshock Still Exploited

Friday, July 31, 2015 @ 02:07 PM gHale

Some bugs and viruses just don’t go away. Shellshock is a perfect case in point. Attackers are still leveraging the Bash bug, researchers said.

Discovered in September last year, researchers found there are still numerous vulnerable systems and bad guys are s leveraging the vulnerability, said Solutionary’s Security Engineering Research Team (SERT).

Attackers Still Seeking Shellshock Victims
Attackers Exploit ShellShock via Botnet
‘Air Gapped’ Systems Targeted
Safe Air Gaps Not Protected

Attackers have found new ways to exploit the Shellshock vulnerability, according to data collected by Solutionary in Q2 this year.

In addition, attackers adapted their techniques in an effort to bypass intrusion prevention systems, and they learned to extend successful compromises.

Solutionary found 600,000 Shellshock-related events coming from over 25,000 unique IP addresses, although the security firm noted nearly 60 percent of traffic associated with attempts to determine if systems are vulnerable to attacks.

Shellshock traffic traced back to 138 countries, but service providers and businesses based in the United States accounted for almost half of the events. Shellshock traffic also originated in China, Korea, the UK, Germany and Japan.

An analysis of the source addresses found of all the ISPs through which the attacking systems ended up registered, GoDaddy topped the list.

As for the targeted industries, researchers said education topped the list as the most targeted sector, accounting for 38 percent of observed events.

“The majority of successful attacks resulted in successful download and execution of bash shell scripts. Payloads were diverse, but the most common payloads were shell scripts and .c.txt. Other payloads included ELF binaries, Perl scripts, PHP scripts and tgz files such as, cata.txt as well as several others,” Solutionary said in its report.

Click here to download Solutionary’s Q2 2015 threat report.