'Shellshock' Attacks Could Already Top 1 Billion: Report

Ever since the existence of the GNU Bash flaw (Shellshock) came to light last week, threat actors have been searching for vulnerable machines that they can exploit for various purposes, Incapsula said on Monday.

The Shellshock vulnerability is dangerous because it can be exploited to remotely execute code on affected machines, which could lead to malware injections, data theft and server hijacking. Because the shell is widely used, millions of users are at risk.

In the four days since the vulnerability was disclosed, Incapsula's Web application firewall deflected more than 217,000 exploit attempts on over 4,100 domains. However, the company estimates that the total number of Shellshock attacks could be as high as 1 billion.

Close to 900 IP addresses from almost every country in the world have been used in the attacks documented by Incapsula. Many of the exploit attempts have been traced back to the United States and China. In the first 24 hours, these two countries accounted for over half of the attacks.

Scanners designed to verify the existence of the vulnerability accounted for a total of 68% of the Shellshock attacks detected by Incapsula. Interestingly, only 6% of them were automated tools; the rest were targeted probing attempts that were likely to lead to an attack.

Roughly 18% of the attacks observed by the company involved shells. In these operations, the attackers attempted to gain remote access and hijack servers. Some threat groups also leveraged the Shellshock vulnerability to plant DDoS malware. These types of attacks accounted for 16% of the hits recorded by Incapsula.

In a small number of attacks (0.7%), cybercriminals attempted to hijack servers with IRC bots. Others have tried to exploit the Bash vulnerability for reflected DDoS attacks. According to Incapsula, the average attack rate has nearly doubled over the past few days, reaching close to 2,000 attacks per hour.

Akamai also published a report on Shellshock attacks. As of Sept. 20, the company had observed a total of 22,487 unique attacking IP addresses, 156 of which were HTTP proxies. Only 20 of the IP addresses were using IPv6.

According to Akamai, 67% of the attacks originated in the United States, but some have also been traced back to Germany (7%), the United Kingdom (6%), and the Netherlands (4%). 

While the attacks have targeted all industry segments, online gaming was the most targeted with close to 300,000 hits, followed by consumer electronics (33,000), online email marketing (32,000), travel (27,000) and online advertisement (19,500). On September 24, Akamai observed only 43 unique attack payloads, but the number had increased to over 10,000 on the following day. A total of 29% of the payloads were part of legitimate probing attempts, but over half of them represented illegitimate probing.

Many security firms have already updated their solutions to ensure that customers are protected against Shellshock attacks. In the meantime, companies whose products use the GNU Bash shell have started releasing updates to fix the bug.

Apple noted that most OS X users are not vulnerable, unless they have configured advanced UNIX services. The company released an update on Monday to ensure all its customers are protected.

Oracle and Cisco, both of which have numerous products that rely on the shell, have also started rolling out security updates.

The initial vulnerability, CVE-2014-6271, was patched quickly. However, the fix turned out to be incomplete, so a second identifier, CVE-2014-7169, was assigned to the remaining issue. Later, Red Hat Product Security researcher Florian Weimer identified additional issues that were assigned CVE-2014-7186 and CVE-2014-7187. Patches have been made available for these flaws as well.
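A local self-check for the two bugs named above, added here as an example rather than taken from the article or from any vendor advisory; it assumes only a POSIX sh, `env`, `mktemp` and the bash binary under test, and the function names are my own:

```shell
#!/bin/sh
# Added example (not from the article): tests the bash on this host for the
# original Shellshock bug (CVE-2014-6271) and for the follow-up that showed the
# first fix was incomplete (CVE-2014-7169). Each check prints "vulnerable",
# "patched" or "untested" (no bash or no scratch directory available).

# CVE-2014-6271: a vulnerable bash runs trailing code after an exported
# function definition when it imports its environment. The marker string can
# only reach stdout if that happens; a patched bash treats x as plain data.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo untested; return 0; }
    out=$(env x='() { :;}; echo SHELLSHOCK-MARKER' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK-MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# CVE-2014-7169: with the incomplete first fix, a crafted definition still
# lets a trailing redirection leak through, so "echo date" writes a file named
# "echo" instead of printing. Run in a throwaway temp dir and look for it.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo untested; return 0; }
    dir=$(mktemp -d 2>/dev/null) || { echo untested; return 0; }
    ( cd "$dir" && env 'x=() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -e "$dir/echo" ]; then status=vulnerable; else status=patched; fi
    rm -rf "$dir"
    echo "$status"
}

# Combined verdict: "patched" only when both checks come back clean.
shellshock_status() {
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    if [ "$a" = vulnerable ] || [ "$b" = vulnerable ]; then
        echo vulnerable
    elif [ "$a" = untested ] || [ "$b" = untested ]; then
        echo untested
    else
        echo patched
    fi
}

shellshock_status
```

The CVE-2014-7186 and CVE-2014-7187 parser bugs are not covered by these two probes; confirm those through your distribution's package version rather than a runtime test.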

Related Reading: What We Know About Shellshock So Far, and Why the Bash Bug Matters

*Updated with data from Akamai

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.