Shellshock: Millions of servers under attack

News by Tim Ring

In the wake of Shellshock, end-users and security managers race to patch web servers and desktops, but may be forgetting vulnerable embedded devices.

Millions of servers are being targeted by cyber-criminals looking to exploit the ‘Shellshock' flaw that was revealed late last week as hitting many of the world's Linux and Unix-based systems.

User companies are racing to patch their exposed servers and desktops, with Shellshock potentially affecting between one third and a half of all internet servers, as well as ‘*nix' desktops like Apple Macs.

But UK security experts have warned that users may be fatally neglecting to fix their embedded devices like routers, which are the systems most vulnerable to attack.

Security firms have tracked an avalanche of attacks since last Thursday.

In a 29 September blog post, Incapsula says it detected over 217,000 exploit attempts in four days, targeting more than 4,100 web domains.

Attacks were running at the rate of nearly 2,000 an hour, the company said, and were being launched from nearly every country in the world, with the US and China being the worst offenders.

Of the 900 attack IP addresses worldwide, nearly a fifth were in the US and over 10 percent in China, with 1.75 percent of attacks originating in the UK.

Incapsula's Ofer Gayer said around two-thirds of the attacks were scans to verify the existence of the Shellshock vulnerability, almost all of them targeted rather than automated scans.

But Gayer added that over 18 percent of the attacks were direct attempts to hijack the server, using Python or Perl scripts, while others were attempts to inject the server with DDoS malware and turn into a botnet ‘zombie', or to hijack the server with IRC bots so it could be remotely controlled from internet relay chat rooms.

Gayer said: “We strongly suggest that all administrators take steps to patch their systems, as soon as security patches are available.”

Meanwhile, website management firm CloudFlare tweeted on 29 September to say it was experiencing more than 1.5 million Shellshock attacks across its global network daily, lately concentrating on its Paris data centre.

Trend Micro also reports that “the floodgates have opened for Shellshock-related attacks”, identifying targeted information-gathering attacks against a financial institution in China and official institutions in Brazil.

FireEye too says exploitation of the bug is “in full swing”, reporting malicious traffic, some of it originating from Russia, that has variously mounted DDoS attacks and carried malware droppers, reverse shells and backdoors.

In the face of this threat, user companies have been issued with a series of partial patches to the ‘Bash' or ‘Shellshock' flaw (CVE-2014-6271) which for decades had been sitting unnoticed in the open-source Bash (Bourne Again Shell) command shell which is used in most Unix, Linux and related systems.

The latest patch, created by RedHat Software's Florian Weimer, is claimed to close down the gaps found in two previous fixes.

“This patch changes the encoding Bash uses for exported functions to avoid clashes with shell variables and to avoid depending only on an environment variable's contents to determine whether or not to interpret it as a shell function,” the official Bash report said.

Manufacturers have also issued individual patches, as reported by last week.

On Monday they were joined by Apple, which released three fixes - OS X Bash Update 1.0 for OS X Mavericks, Mountain Lion and Lion.

Apple said last Friday that “the vast majority” of Apple Mac OS X users were not affected by Shellshock, but has issued the patches to cover all users.

However, security firm Lacoon has warned that the bug also affects rooted or jailbroken Apple and Android mobile phones.

In a 29 September blog post, Lacoon's Ohad Bobrov says: “Neither Android nor iOS devices that have just left the box include any Bash shells, making them immune to the problem. However, once a device has been either rooted and/or had a custom ROM installed (Android) or jailbroken (iOS), there is every chance that a Bash shell has been installed, making the device just as vulnerable as a desktop Mac or web server.”

Bobrov cites research which says the two newest iOS jailbreaks were downloaded around 5 million times, while one popular Android rooting kits has just over 1 million downloads.

Picking up on this theme, UK security expert Alan Woodward, visiting professor at Surrey University's Computing Department, has warned that users may be forgetting to patch other crucial kit, such as routers and other embedded devices.

He told “A lot of key servers are being patched and it's good that the message got out there, people heard it. But the biggest concern is over embedded computing - the routers, the web-enabled devices.

“They are less likely to be updated – either people don't upgrade them because they don't think about them or actually there isn't a fix sent out for them.

“But also they're likely to be more vulnerable as well, because they make a great deal more use of CGI and Bash for their web-facing functionality.

“I think the big residual risk is these embedded devices.”

Keith Bird, Check Point's UK managing director, agreed, telling SC by email: “Shellshock is such a far-reaching issue that all vulnerable devices need to be patched against the vulnerability, even if they are simple routers or similar connected products. We've already seen attempts to hijack these types of device in order to mount DDoS attacks against targets.”

However, Woodward said he was optimistic that companies will be properly patching their main systems, despite the series of partial fixes that were issued.

“If we've got good system admin and system ops people out there, I would hope that if they're paying enough attention to have heard the original message, they'll have heard that some of the initial patches left a few loopholes which could still be exploited,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews