Observing Shellshock Attacks in the Real World

Pavel Ignatov Shutterstock

A look at some of the Shellshock-related reports from the past week makes it seem as if attackers are flooding networks with cyberattacks targeting the vulnerability in Bash that was disclosed last week. While the attackers haven’t wholesale adopted the flaw, there have been quite a few attacks—but the reality is that attackers are treating the flaw as just one of many methods available in their tool kits.

Bash is widely used in Linux and Unix systems, and many applications—such as Apache—hook into Bash to set environment variables. This means there are a lot of vulnerable servers and embedded devices out there. Some are Internet-facing, and some are not. And end-users can’t be complacent and think this is yet another big flaw affecting only big servers just because Mac OS X uses Bash: There is a large pool of potential victims out there, and attackers are actively looking for them.

Click here to find IT security-related jobs.

Security experts have warned that, because the flaw is so widespread, and the fact that a successful attempt would give the adversary shell access, a large number of attacks is looming. The good thing about the vulnerability, despite that scary-sounding “Shellshock” name, is that defenders can tell when attackers are targeting the flaw. “Everyone should watch their logs carefully—this exploit is noisily and easily logged,” said Daniel Ingevaldson, CTO of Easy Solutions.

The numbers coming out of security vendors and researchers are pretty staggering. Dell SecureWorks reports that it “repelled” 140,000 scans looking for vulnerable systems, as well as attacks targeting the flaw against its clients, between Sept. 24 and Sept. 29. Incapsula “deflected” more than 217,089 exploit attempts on over 4,115 domains between Sept. 24 and Sept. 28.

One way to get a front-row seat of what the attacks look like is to set up a honeypot. Luckily, threat intelligence firm ThreatStream released ShockPot, a version of its honeypot software with a specific flag, “is_shellshock,” that captures attempts to trigger the Bash vulnerability. Setting up ShockPot on a Linux server from cloud host Linode.com is a snap. Since attackers are systematically scanning all available addresses in the IPv4 space, it’s just a matter of time before someone finds a particular ShockPot machine.

Upload Your ResumeEmployers want candidates like you. Upload your resume. Show them you’re awesome.

And that was definitely the case, as our honeypot captured a total of seven Shellshock attack attempts out of 123 total attacks. On one hand, that’s a lot for a machine no one knows anything about; on the other, it indicates that attackers haven’t wholesale dumped other methods in favor of going after this particular bug. PHP was the most common attack method observed on this honeypot, with various attempts to trigger vulnerabilities in popular PHP applications and to execute malicious PHP scripts.

The attempts fell into two categories: reconnaissance and attack. The first category includes proofs-of-concept testing to see if the machine was vulnerable, as well as attackers collecting IP addresses of vulnerable systems to use in a later attack. The attempts added commands to request headers such as “Referer,” “User-Agent,” and “Cookie:” fields, as well as custom headers.

There were two outright attack attempts from IP addresses in China and Singapore which confirmed the system was vulnerable, and then attempted to download and execute a file—presumably malicious—from another website. Relying on the IP address to determine the origin is overly simplistic and ignores that anyone can use TOR or route attacks through various relays, so the fact that the attacks came from China and Singapore may not be overly significant.

While the ShockPot exercise was eye-opening, it also highlighted one of the challenges defenders face in identifying vulnerable scanners. Whether or not the machine is vulnerable to attack is “not as ‘simple’ as ‘be running Bash,'” said Tod Beardsley, an engineering manager at Rapid7, because it’s important to consider how Bash interacts with other network applications. The ShockPot honeypot only looks at attacks on HTTP, but researchers have identified ways to target SSH, DHCP, and other network applications. FireEye recently reported on attacks targeting network-attached storage devices, for example. Focusing only on HTTP is too risky.

It didn’t take cybercriminals long to start scanning systems on the Internet in search of vulnerable machines, and there have already been reports of worms and attempts to build botnets. Businesses—and individual users—should be patching Bash as soon as the updates are ready. Most of the Linux distributions released updates shortly after the flaw was publicized, and Apple updated OS X earlier this week.

“This is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote,” Beardsley said.

Related Articles

Image: Pavel Ignatov/Shutterstock.com

One Response to “Observing Shellshock Attacks in the Real World”