As if the Shellshock Bash bug wasn’t bad enough, there is evidence that attackers are using it as a delivery medium for attacks on Internet users while trying to mask their source. The news comes from Peak 10’s technology partner, SilverSky.
The company reported in a recent blog that its Shellshock detection methods identified a clear attempt at stacked command injection. (For the non-technical among us, command injection is an attack in which the goal is to execute arbitrary commands on the host operating system through a vulnerable application.) Command injection attacks are possible when an application passes unsafe user-supplied data, such as cookies, to a system shell. In this instance, the attackers tried to mask the source of the attack by using a variety of hosts from around the world.
As SilverSky’s security experts explained, the use of Shellshock as a delivery medium for an attack is probably the most obvious use of the Shellshock vulnerability. Typically, delivery is focused on user actions, such as bad coding practices or users clicking on something they shouldn’t. With the Shellshock vulnerability, extremely common practices and software can be exploited without any action from a user.
Once delivery succeeds, attackers can download and execute a custom script designed to perform malicious actions such as implanting malware or stealing sensitive information. In the attack identified by SilverSky, the perpetrators were attempting persistent access: getting into the system and staying there undetected. The attack script was designed to make the target server connect outbound over port 9091 (outbound connections are usually allowed through a firewall) back to a system the attacker controls. Using this open connection, the attacker could send commands back to the target server.
To cover their tracks, the attackers deleted the script after it was executed. They also tried to further mask their presence by using the seemingly harmless hostname “google-traffic-analytics.com” and placing the script in a file named clamd_update. Even the most experienced systems administrator could easily overlook a process running by that name.
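The two halves of the attack described above each leave something a defender can look for: the injected Bash function definition in an HTTP header value (a cookie or User-Agent, for example), and afterwards an outbound connection on port 9091, to the decoy hostname, or from a process wearing the clamd_update name. The script below is an added example, not SilverSky’s or Peak 10’s detection code. It assumes a simplified web-server log format (client, request, then header="value" pairs) and a netstat-style connection listing; all sample lines are constructed for the demo, and the Bash function signature it matches is the well-known "() {" prefix that triggers the Shellshock bug.

```python
"""Defensive checks for the Shellshock attack pattern described in the post.

Added example, not SilverSky's or Peak 10's tooling. The log format, the
connection-listing format and every sample line below are constructed.
"""
import re

# Bash function-export prefix that triggers the Shellshock bug when it
# appears in an environment variable such as a CGI header; whitespace
# varies between variants, so the regex tolerates it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Assumed log layout: header names followed by a double-quoted value.
HEADER_RE = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')

# Indicators taken from the post.
SUSPICIOUS_OUTBOUND_PORT = 9091
DECOY_HOSTNAME = "google-traffic-analytics.com"
DECOY_PROCESS = "clamd_update"

# Constructed web-server log lines: "<client> <method> <path> Header="value" ..."
SAMPLE_HTTP_LOG = [
    '198.51.100.7 GET /cgi-bin/status.cgi User-Agent="Mozilla/5.0" Cookie="session=abc123"',
    '203.0.113.9 GET /cgi-bin/status.cgi User-Agent="() { :; }; echo vulnerable" Cookie="x=1"',
    '192.0.2.4 GET /index.html User-Agent="curl/7.30" Cookie="() {:;}; echo vulnerable"',
]

# Constructed netstat-style lines: "<proto> <local> <remote> <state> <pid>/<program>"
SAMPLE_CONNECTIONS = [
    "tcp 10.0.0.5:44321 198.51.100.20:443 ESTABLISHED 1123/nginx",
    "tcp 10.0.0.5:51234 google-traffic-analytics.com:9091 ESTABLISHED 2210/clamd_update",
    "tcp 10.0.0.5:51300 192.0.2.77:22 ESTABLISHED 980/sshd",
]


def scan_http_log(lines):
    """Return (client, header_name) for every header value carrying the signature.

    Any header is checked, since CGI exports all of them into the environment,
    which is exactly what makes cookies a viable injection point.
    """
    hits = []
    for line in lines:
        client = line.split(" ", 1)[0]
        for name, value in HEADER_RE.findall(line):
            if SHELLSHOCK_RE.search(value):
                hits.append((client, name))
    return hits


def scan_connections(lines):
    """Return {pid: [reasons]} for connections matching the post's indicators."""
    findings = {}
    for line in lines:
        _proto, _local, remote, _state, proc = line.split()
        host, _, port = remote.rpartition(":")
        pid, _, program = proc.partition("/")
        reasons = []
        if int(port) == SUSPICIOUS_OUTBOUND_PORT:
            reasons.append(f"outbound to port {port}")
        if host == DECOY_HOSTNAME:
            reasons.append(f"remote host {host}")
        if program == DECOY_PROCESS:
            reasons.append(f"process name {program}")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for client, header in scan_http_log(SAMPLE_HTTP_LOG):
        print(f"Shellshock signature from {client} in {header} header")
    for pid, reasons in scan_connections(SAMPLE_CONNECTIONS).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

The header check is the part worth wiring into a real web log or WAF, because it catches the delivery step before any script runs; the connection check only fires after the foothold exists, and the specific port, hostname and file name are trivially changed by the next attacker, so treat them as indicators for this campaign rather than a durable rule.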
This is just one example of what an attack using the Shellshock vulnerability looks like, and of how easily it can be executed. The number of different attack types identified is already in the double digits, and the number of victims is even higher. But it’s not all doom and gloom. SilverSky’s chief technology officer, Andrew Jaquith, recently presented a webinar entitled “What We Can Learn from Recent Data Breaches & the Shellshock Vulnerability.” It provides good information on how companies can better protect themselves from emerging and evolving security threats. Another good resource to check out is Shellshock, a paper by David A. Wheeler.
The Shellshock Bash bug isn’t going away. But the good news is that neither are the security experts, like those at SilverSky, who are committed to fighting it.