Shellshock Attackers Still Landing Punches on Unpatched Users

Over 140,000 security events in January can be tied back to the Shellshock vulnerability more than four months after it was first discovered, as organizations continue to ignore warnings and fail to patch key systems, according to Imperva.

The California-headquartered data center security vendor claimed its Community Defense System has revealed some interesting stats on vulnerability exploitation attempts.

Three of the top 10 most targeted flaws – CVE-2014-6271, CVE-2014-7169 and CVE-2014-7186 – were Shellshock related, while 87% of the events tying back to this top 10 were linked to the infamous vulnerability.

That amounts to 140,573 out of 160,510, according to Imperva’s reckoning.

“This proves one important thing,” argued Imperva’s director of security strategy, Barry Shteiman.

“Vulnerabilities don’t die as fast if there is a patch available. If anything, hackers adapt them into their attack patterns because they understand that not everyone – and I dare say the majority – do not patch.”

Shellshock was first revealed to the world at the end of September 2014.

The flaw is found in Bash (the Bourne Again SHell) – an extensively used shell for evaluating and executing commands from other programs.

Some commentators branded it worse than Heartbleed because it affects servers such as Apache, which handle huge volumes of internet traffic.

However, after initial problems, the vendor community has made a widespread effort to release patches for the vulnerability in their products.

The trick now is to encourage customers to download said fixes.

Tripwire director of security and risk, Tim Erlin, argued that Shellshock is widespread and easy to exploit, making it “a popular tool in the attacker’s kit.”

“Investing in the latest ‘next gen’ security tool may be more interesting, but it does little good if fundamental controls like vulnerability management are ignored,” he told Infosecurity.

“Vendors are complicit in this problem as well. Even organizations that address vulnerabilities effectively have exceptions where a system is difficult to patch, or a vendor doesn’t provide a timely patch.”

In December, the SANS Institute was forced to issue an alert about NAS boxes from QNAP being targeted for use in click fraud campaigns.

Despite a patch being available for the affected storage products, applying it is “not automatic and far from trivial for many users,” wrote dean of research, Johannes Ullrich, in a blog post at the time.