Security training organization the SANS Institute has warned that the notorious Shellshock flaw is still being exploited on unpatched Network Attached Storage (NAS) kit from QNAP.
The Shellshock or 'Bash bug' rocked the information security world when it was discovered in September. In essence, it allows attackers passing commands to the widely used Bash (Bourne Again Shell) to execute arbitrary code.
The US National Vulnerability Database gave it the highest severity rating of 10/10, revealing that it does not require authentication to exploit.
SANS dean of research, Johanes Ullrich, claimed in a blog post on Sunday that despite the release of a patch in October, “applying the patch is not automatic and far from trivial for many users.”
As a result they are still vulnerable to an active exploit.
“The attack targets a QNAP CGI script, "/cgi-bin/authLogin.cgi", a well known vector for Shellshock on QNAP devices,” he continued.
“This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware.”
Once compromised, the NAS devices attempt to carry out click fraud against ad network ‘JuiceADV’ and then the malicious script patches Shellshock and reboots the device. This is most likely to prevent any other malware compromising the device.
Ullrich added that infected NAS units have also been observed scanning for other vulnerable devices.
Imperva director of security research, Barry Shteiman, claimed that the most used vulnerability in attack campaigns against web apps in November was Shellshock.
“This isn’t a surprise. Once a vulnerability – especially one that has some fame in it – is immediately adopted by hackers … it gets added to hacking kits, malware and botnets. It also spawns hackers to try and break into systems that are of interest to them,” he argued.
“It makes perfect sense for hackers to have some appetite for storage systems; at the end, that’s where unstructured data resides.”
Jon French, security analyst at AppRiver, added that systems administrators need to stay on top of things to minimize the risk of known vulnerabilities being exploited.
“A lot of it comes down to human error of just not taking care of servers properly. With most new bugs found, there is almost always a quick workaround and an official patch to follow shortly,” he argued.
“But it’s up to an administrator to stay on top of it and be aware of the problem to begin with. No one wants to find themselves a victim of something that could have been prevented by an update or changing a setting.”