Four days after the Shellshock vulnerability was disclosed, Incapsula’s Web application firewall deflected more than 217,000 attempted exploits on more than 4,100 domains. The company recorded upwards of 1,970 attacks per hour, from more than 890 IPs around the world.
Shellshock was expected to be far worse than the Heartbleed flaw, which was estimated to affect about 17 percent of the secure Web servers worldwide. That added up to about 500,000 servers.
That’s because Shellshock attacks Bash, which is built into every Unix, Linux and Apple server, as well as embedded devices. Shellshock lets the hacker take over — whereas Heartbleed did not.
Heartbleed just allowed a hacker to spy on computers, not take control of them, Kyle Kennedy, chief technology officer at Stealthbits Technologies, said at the time. Shellshock lets attackers not only control the host, but also access and make changes to everything on it.
Further, while Heartbleed required multiple requests to a server, Shellshock is activated with only one.
All Quiet on the Shellshock Front
“Since the initial exposure of the vulnerability, we have seen activity taper off, but believe that may just be the calm before the storm,” Marc Gaffan, cofounder of Incapsula, told LinuxInsider.
Seventy percent of all exploits targeting Incapsula’s WAFs were scans for DDoS malware, which means “we are seeing criminals scanning for vulnerabilities of Bash systems in preparation for future, potentially massive, attacks,” Gaffan said.
Overall, 94 percent of the nearly 2,000 hourly hits on Incapsula’s WAFs consisted of some form of attack — scans, DDoS malware seeding, or attempts to hijack servers.
Hell for the Holidays?
The holiday season, which accounts for a large part of retailers’ sales, is just around the corner, and hackers are ramping up their activity. Staples reportedly has become the latest victim of a breach.
“High-profile attacks such as Shellshock may hit the headlines, but it’s only one of many ways to breach systems,” said Martin Lee, the Cisco Talos team’s technical lead for threat intelligence.
“Attackers have an entire armory of exploits that they can check, one by one, until they find one that allows them to gain access to systems,” he told LinuxInsider.
That means consumers are likely to continue being at risk.
Those who purchase electronics for their home entertainment systems might be in for a nasty surprise. Many home devices — including cable boxes, routers, NAS devices, and Internet-connected devices and services — make use of Linux or Unix running a Bash shell, Chris Stoneff, director of professional services at Lieberman Software, told LinuxInsider.
What Can Shellshock Hurt?
Shellshock is a vulnerability in the Bash Unix shell, which is employed in many Unix-like systems, noted open software expert David Wheeler, including Linux-based platforms such as Red Hat Enterprise Linux, Fedora, CentOS, Debian and Ubuntu; FreeBSD and NetBSD; Mac OS X; and Cygwin, which runs on Windows.
These systems often use shells to process commands, so there are many ways to exploit Shellshock. They include CGI Web applications that are written in Bash or that invoke Bash subshells; sshd using ForceCommand to limit access to specific actions; and DHCP clients connecting to subverted DHCP servers. Retail systems are also vulnerable.
Bash, by the way, is a POSIX shell with extensions, and it works as a command processor that runs in a text window. Users can type in commands, or Bash can read commands from a script.
Debian and Ubuntu are not fully vulnerable, Wheeler states, because their default noninteractive shell (/bin/sh) is Dash (the Debian Almquist shell), which is not affected by Shellshock, even though their default interactive shell is Bash.
Android systems use the MirBSD shell, which is not vulnerable to Shellshock, Wheeler said, and Mac OS X uses Bash only in some cases.
The lead developer of Bash, Chet Ramey, came up with a fix that was rolled out by major distributors, but it didn’t work, sparking a worldwide effort to develop one that would.
Protecting a Business Against Shellshock
Waiting for better software or protocols isn’t really an option, said Ulf Mattsson, chief technology officer at Protegrity.
“While new software will inevitably come along, there are limited guarantees that it will be bug-free,” he told LinuxInsider. “The most viable option is proactive security of the data itself.”
Tokenizing or encrypting sensitive data at the point of creation or acquisition renders it useless to potential thieves, even when it’s been stored in memory, Mattsson remarked.
Businesses also should adhere to the time-worn IT security mantra, “patch and patch often.”
“Sticking your head in the sand and hoping that the problem goes away helps no one,” Cisco’s Lee said. “Applying the latest patches to systems fixes vulnerabilities such as Heartbleed and Shellshock.”
If patches are not available or can’t be applied for one reason or another, “organizations can block exploits with a modern [intrusion prevention system],” Lee pointed out.
A Good WAF Keeps Shellshock at Bay
WAFs are one of a few key technologies that can be employed quickly to assist enterprises unable to patch their vulnerable applications or servers quickly, said Mike Spanbauer, vice president of research at NSS Labs.
“A WAF can be deployed and effectively block Shellshock in very short order,” he told LinuxInsider. Next-generation firewalls, Next-generation IPSs, “and a few other technologies [also protect] against Shellshock [but] often take considerably longer to deploy.”
NSS Labs tested six leading WAFs and found that all scored high for security effectiveness, and most performed above their stated capacity.
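As an added illustration (not code from the article, Incapsula or NSS Labs), the Python below does the kind of header inspection a WAF performs for the CGI vector described earlier: a vulnerable Bash treats any environment variable whose value begins with the function-definition prefix "() {" as a function and runs what follows it, so that prefix is the signature to match; the sample requests and hostname are constructed.

```python
import re
from typing import Dict, List

# A Shellshock probe smuggles a Bash function definition into a value that a
# CGI wrapper exports as an environment variable; over HTTP that is any request
# header (User-Agent, Referer, Cookie, ...). The "() {" prefix, with optional
# whitespace, is the signature WAF and IDS rules key on.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Map header name (lowercased) -> value; the request line is dropped."""
    headers: Dict[str, str] = {}
    for line in raw_request.splitlines()[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def flag_shellshock(raw_request: str) -> List[str]:
    """Return the names of headers whose value looks like a Bash function injection."""
    return [name for name, value in parse_headers(raw_request).items()
            if SHELLSHOCK_PREFIX.match(value)]


def summarize(requests: List[str]) -> Dict[str, int]:
    """Count, per abused header, how many requests in a batch carried the signature."""
    hits: Dict[str, int] = {}
    for req in requests:
        for header in flag_shellshock(req):
            hits[header] = hits.get(header, 0) + 1
    return hits


# Constructed sample requests (not real traffic): one legitimate, one probe
# that places the signature in two different headers.
BENIGN = ("GET /cgi-bin/status HTTP/1.1\r\nHost: shop.example\r\n"
          "User-Agent: Mozilla/5.0\r\n\r\n")
PROBE = ("GET /cgi-bin/status HTTP/1.1\r\nHost: shop.example\r\n"
         "User-Agent: () { :;}; echo scan\r\n"
         "Referer: () { x; }; echo scan\r\n\r\n")

if __name__ == "__main__":
    print(summarize([BENIGN, PROBE, PROBE]))
```

Header inspection only covers the HTTP/CGI path; the sshd ForceCommand and DHCP-client vectors named above never pass through a WAF, which is why patching Bash itself remains the real fix.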
What Consumers Need to Know and Do
“We observed approximately 50 percent fewer attempts at exploiting Shellshock last week than the week before,” Cisco’s Lee said, “but it’s clear that bad guys will continue to check for the presence of this vulnerability for years to come.”
That being the case, consumers should be on the alert.
“Users need to stay up on their vendors, credit card agencies and more,” Stoneff said, “to ensure that once the problem gets fixed, they … change their passwords.”