Security researchers were the first to respond during the Shellshock attacks of 2014. After news of the fatal flaw in the prevalent Bash (Bourne Again Shell)— found in most versions of the Unix and Linux operating systems as well as in Mac OSX —was released, researchers started looking into how it can be used against affected web servers. The Shellshock flaw seemed to have posed an immediate threat to over half a billion devices and systems worldwide.
Researchers fears were soon realized. Cybercriminals quickly added Shellshock to existing attacks meant for devices and servers which use the 25-year-old Bash. A few hours after the vulnerability was made public, Trend Micro researchers already found an exploit emerge in the wild. A sample of this exploit reveals the malware payload, ELF_BASHLITE.A, which does not only allow for remote access but also for distributed denial-of-service (DDoS) attacks.
Several organizations were quick to respond, probably still reeling from the recent OpenSSL flaw Heartbleed, discovered only a few months before Shellshock. The Canadian government took some vulnerable systems offline as a precaution. The US Federal Financial Institutions Examination Council (FFIEC) warned financial institutions about the risks of Shellshock. The United Kingdom’s national computer emergency response team, CERT-UK, also issued an alert about the flaw.
Concerns were widespread about how Shellshock could “spell trouble for web security” given that it takes only a few lines of code to compromise the flaw in affected web servers. After performing tests, we found that not every system that runs Bash could be remotely exploited, however, OSs whose default shell is Bash are vulnerable.
Shellshock Tremors Still Being Felt
More Bash vulnerabilities and related payloads were found a week after the disclosure. Shellshock was used in DDoS attacks against servers using a popular cloud service provider, including a government server. It was seen used in exploit attempts against government institutions in Brazil and a financial institution in China. A related payload was seen downloading the source code of KAITEN, a malware used to carry out DDoS attacks. Apart from servers and devices, Shellshock was also used to exploit protocols like Dynamic Host Configuration Protocol (DHCP), which assigns IP addresses to clients; and Simple Mail Transfer Protocol (SMTP), which allows for email transmission.
One year after, the panic has subsided, but the threat goes on living. Attacks related to Shellshock continue to plague our digital world. Since the second quarter of the year, we have seen about more than 70,000 attacks using Shellshock and about 100,000 attacks using Heartbleed. One of our honeypots, which are vulnerable to Shellshock, has recorded 50 attacks in the past 15 days alone.
Threat infections related to Shellshock proliferate worldwide. Comparing a year ago to now, the most affected regions remain quite the same. In the first month of Shellshock’s discovery, majority of the infected machines were mostly found in Asia (34%), Europe (34%), and North America (11%). For the past month, most infected machines were found in Asia (46%), Europe (23%), and North America (14%). Weak patching practices prevalent in Asia contribute to the high number of infections in the region.
Figure 1. Regions affected by Shellshock, September – October 2014
Figure 2. Regions affected by Shellshock, August – September 2015
While we have not seen proof of major attacks that exploit Shellshock, this does not discount the fact that it’s a widespread flaw which attackers can exploit to bring real-world harm. It can be used to gain remote access, launch DDoS attacks, spread malware, deface websites, create bots, steal data, send spam and phishing emails, and run other malicious commands. Attackers who are imaginative enough can choose from endless scenarios to attack vulnerable applications and networked devices that use Bash, including routers, IP cameras, gateways (e.g., Citrix’s NetScaler, F5’s BIGIP, and Cisco products), and Web CGI programs.
Open Source, Open Doors
When Brian Fox and Richard Stallman worked on Bash two decades ago, they did not realize they were building one of the keystones of the modern Internet. At the time, software vulnerabilities were distant problems. Today, millions of networks risk compromise due to a flaw that was left open for years, and that was only the start.
Several other vulnerabilities in the open source ecosystem have been uncovered in response to the Heartbleed-Shellshock panic. We looked at vulnerability counts and noticed that, out of the 4,310 total CVSS vulnerabilities discovered as of August this year, 29 are OpenSSL vulnerabilities. This exceeds the 24 total number of OpenSSL vulnerabilities found in 2014.
Figure 3. OpenSSL vulnerabilities discovered in 2014 vs those discovered in January- August 2015
Weeks after Shellshock, Google researchers discovered the so-called POODLE (Padding Oracle on Downgraded Legacy Encryption) attack on popular security protocol SSL (Secure Sockets Layer) 3.0. They found that it’s possible for attackers to hijack transactions and steal credit card information. Like Shellshock, the POODLE vulnerability attacks a technology that has been existing for years, 15 to be exact.
Yet another legacy of the 90s surfaced when university and industry researchers performed the FREAK (Factoring RSA Export Keys) attack on the authentication protocol TLS/SSL (Transport Layer Security/ Secure Sockets Layer). Roughly 10% of top domains as well as Android and Safari web browsers were put at risk because of the limits placed on “export-grade” encryption standards in the 90s.
The same low-grade encryption problem was what also made the Logjam attack possible, as researchers discovered in May this year. This flaw allows an attacker to weaken the encryption used in secure connections (such as HTTPS, SSH, and VPNs), break them, and read “secure” traffic.
It’s not only the volume of OpenSSL vulnerabilities that organizations and end users should be concerned about. Several incidents concerning CVSS 10.0 vulnerabilities, or those that are easy to exploit remotely and require no authentication, have risen during the past year. Examples of these were flaws found in Windows Secure Channel (Schannel), web apps or tools like phpMoAdmin and Magento, and a Windows group policy vulnerability (MS15-011), for which Windows 2003 was provided no solution.
Are Devices and Servers Safer?
Based on these observations, we believe that Shellshock, along with Heartbleed and other vulnerabilities in the open source platform, reopened what we can view as cold cases in the security industry. Their discovery prompted discussions for better vulnerability disclosure especially for age-old software that underlies millions of connected systems. They have to be put out there to be resolved.
Discovery is not enough. These vulnerabilities presented more ways for attackers to get inside affected networks. Unless patched, devices and servers are a long way from being considered safe from attacks.
However, for most organizations, patching remains a problem. Not all systems can easily be patched, especially legacy software. Most devices and servers remain open to the possibility of compromise. To defend systems, IT administrators should consider deploying multilayered security solutions that detect and block exploits of vulnerabilities, such as those found under the Trend Micro Cloud and Data Center Security, the Trend Micro Custom Defense and the Smart Protection Suites, as follows:
- Active monitoring for vulnerabilities and threats and developing quick protection in Deep Security help defend servers and data centers from old and new exploits.
- Specialized detection engines and custom sandboxing to identify possible attacks using these exploits, as provided by the Deep Discovery Inspector, can help in the rapid response against cyber attacks.
- Advanced vulnerability shielding and virtual patching in Vulnerability Protection keeps endpoints shielded until patches can be deployed, or indefinitely for out-of-support or un-patchable systems, like those still running Windows 2003.
We updated the entry to include more findings about Heartbleed and Shellshock attacks.
Updated on September 28, 2015, 2:11 AM PDT (UTC-7) to correct POODLE’s discovery date.