Malicious Shellshock Traffic Invades the Web

Security experts are urging firms to patch the Shellshock bug as soon as possible, after spotting a “significant amount” of malicious traffic exploiting the Bash vulnerability made public last week.

FireEye’s Michael Lin, James Bennett and David Bianco co-authored a lengthy blog post on Saturday claiming the exploitation of Shellshock is now “in full swing” with DDoS, data exfiltration, malware droppers, and reverse shells and backdoors all spotted.

“Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack,” they continued.

“We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise.”

The initial patch made available at the time the vulnerability was disclosed last week was found to be incomplete, so as vendors rush to get a new one out, attackers are scanning the web looking for vulnerable machines, FireEye said.

With Bash so deeply ingrained in organizations’ systems for over 20 years, the extent of the Shellshock bug could be huge.

“The list of potentially vulnerable systems is long indeed, including everything from traditional home users and enterprise servers to Unix-based ICS/SCADA systems and embedded devices,” said FireEye.

“Given the sheer number of vulnerable systems, the severity of exploitation outcomes and the relative ease of exploitation, we expect to see significant use of this vulnerability by malicious actors, particularly in automated attacks.”

Most malicious activity spotted so far has been focused on the Common Gateway Interface (CGI) vector, although web servers are by no means the only elements of IT infrastructure at risk.

FireEye has compiled a list of exploitation techniques and malware payload analyses related to Shellshock here.

Jason Steer, director of technology strategy, argued that the incident has highlighted the importance of code reviews.

“We need to challenge our assumptions on a more regular basis to make sure that we pick up on vulnerabilities like this,” he told Infosecurity.

“Linux is what I would call the basic plumbing of the internet, and because it has been so well trusted for all these years, we’ve not gone back to check. Not only do we need to get better at revisiting older code, but we also need to get better at our asset management.”

To help organizations locate the Bash bug on their systems, threat detection firm Tripwire has released a new tool.

“We’re already seeing widespread scanning and automated exploits for this bug so it’s crucial that IT teams find and patch all affected systems as quickly as possible,” said Lamar Bailey, director of security research.
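A self-check in the spirit of the detection tool mentioned above, added here as an example and not Tripwire's or FireEye's code: it runs the two widely published probes, one for the original bug and one for the bypass of the incomplete first patch, and reports whether the local bash is still affected. The crafted environment variables only ever execute `echo`, so the script reports and changes nothing beyond a scratch directory it removes.

```shell
#!/bin/sh
# Shellshock self-check (added example). Exits with a one-line status for
# use in asset inventories: "patched", "vulnerable", or "bash-not-installed".

# Probe 1: the original bug. A vulnerable bash runs the command appended
# after the function body in the exported variable, printing "vulnerable".
check_original() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Probe 2: the bypass of the incomplete first patch. A bash with only that
# patch mis-parses the malformed function and treats the next word of the
# command line as a redirection target, creating a file named "echo" in the
# working directory; run it in a scratch directory and look for that file.
check_incomplete_patch() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# Combine both probes into a single status line; a host is only "patched"
# if it passes both, since the first vendor fix alone is not enough.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash-not-installed"
        return 0
    fi
    a=$(check_original)
    b=$(check_incomplete_patch)
    if [ "$a" = vulnerable ] || [ "$b" = vulnerable ]; then
        echo "vulnerable (original=$a, incomplete-patch=$b)"
    else
        echo "patched (original=$a, incomplete-patch=$b)"
    fi
}

shellshock_status
```

Hosts reporting "vulnerable" on the second probe are the ones that picked up the initial patch and still need the follow-up fix.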
