A year after the initial flurry of Shellshock activity, the software bug is still wreaking havoc.
This was the major finding from the Security Engineering Research Team Quarterly Threat Report for Q2 2015 by Solutionary, an NTT Group security company and the next-generation managed security services provider.
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some Web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorised access to a computer system.
During the second quarter of 2015, Solutionary security researchers and analysts uncovered information and intelligence through research into significant events identified through global visibility of the Solutionary client base.
It identified several campaigns targeting the Bash vulnerability during the latest quarter - more than 600 000 events from 138 countries originating from more than 25 000 IPs and 2 027 different service providers.
Shellshock was targeted more at education (38%) than at technology (17%), healthcare (6%), finance (5%) and manufacturing (5%) combined.
The identified campaigns include Hidden C, China Z, Lucky Socks and the QNAP worm, designed typically to set up larger botnets under the control of the attacker and establish backdoors to systems to allow access to contents or further compromise.
Jeremy Scott, senior research analyst at Solutionary, says because of the nature of the vulnerability and the extent of applications that make use of the Bash shell, systems are left vulnerable due to poor patching practices or the lack of patching all together.
"The vulnerability is simple to exploit and makes it extremely easy for criminals to extend their network of compromised hosts and botnets, which makes it a worthwhile effort to identify and leverage vulnerable hosts," he points out.
Scott explains Shellshock is the name that was given to a vulnerability that affects the way Bash handles environment variables. "By passing a malicious environment variable through a header field to Bash, an attacker can get Bash to execute the contents of variable as a command. The commands and resulting actions are limited only to the imagination of the attacker."
He advises that to protect themselves, at minimum, users should apply patches to any Web-enabled devices, especially if they are running the Bash environment.
Among other highlights, Solutionary analysis found the US and China were the leading sources of command and control traffic, with 21% and 20% of the share.
Additional research found that 48% of the top 25 hostile non-US IP addresses are "Bruteforce" repeat offenders.
According to the research, the largest single source of malware threats, representing almost 46% of all malware, originated from the US. China and Ukraine followed with 26% and 12%, respectively, and Japan leapt up 14 places to fifth on the list.
Share