First attacks from Shellshock bug

This week's big story saw the discovery of the Bash/Shellshock bug which affects most Linux and Unix-servers, including Mac OS X devices and Wi-Fi routers.

Bash/Shellshock bug (CVE-2014-6271) has been described as being bigger than the Heartbleed OpenSSL flaw and affects the free, open-source Bash (Bourne Again Shell) command shell which has been used in Unix, Linux and related systems to run computer commands since the 1980s.

The bug enables hackers to exploit the ‘environmental variables' within the shell to hijack another computer or server and run their own code remotely, if the default option of remote login is allowed.

The vulnerability is reported to be present in Bash version 1.13 up to and including version 4.3, and was discovered by security researcher Stephane Chazelas.

Crucially, it affects millions of web servers and up to 500 million computers. According to latest Netcraft figures, around 35 percent of the worlds' billion-plus websites are run on Apache/Unix servers - putting more than 300 million sites at risk from the bug.

Several security firms are seeing the first attacks exploiting the vulnerability, with some cyber-criminals looking to create networks of infected machines (botnets) and others attempting to install malware.

“Shortly after disclosure of the Bash bug called "Shellshock" we saw the first attempts by criminals to take advantage of this widespread vulnerability also known as CVE-2014-6271,” wrote Stefan Ortloff on Kaspersky's blog today.

“The most recent attempts we see to gain control of web servers just create a new instance of Bash and redirect it to a remote server listening on a specific TCP port. This is also known as a reverse-connect-shell.”

He went onto add: “In another on-going attack the criminals are using a specially crafted HTTP-request to exploit the Bash vulnerability in order to install a Linux-backdoor on the victim's server. We're detecting the malware and its variants as Backdoor.Linux.Gafgyt.”

Analysts and other industry observers hope that this will result in increasing focus on information security.

“Shellshock will be a test of business resolve to prioritise security," says John Colley, professional head in the EMEA for training body (ISC)2.

"So much of the data breaches that make headlines today can be traced to old or known vulnerabilities that have not been addressed. Now that shellshock has been revealed, and the door has been thrown open, it will be interesting to see if companies take action.”

Cyber Armageddon claims: True or FUD?

One of the more eye-catching stories this week came when a leading US regulator warned that the world must prepare for an ‘Armageddon-style' cyber-attack, a kind of digital equivalent of 9/11.

Benjamin Lawsky, superintendent of the New York State Department of Financial Services, told press at a Bloomberg conference that it is only a "matter of time" before there is a systemic attack on the global financial system.

“They [cyber attackers] are breaking into everything. It is only a matter of time before something happens that is more systematic and problematic,” he said.