Hackers are exploiting the Bash vulnerability, codenamed Shellshock, to mount a variety of attacks across the world, according to researchers at FireEye and Trend Micro. To make matters worse, the initial patch has proved ineffective.
FireEye threat researchers Michael Lin, James Bennett and David Bianco reported a wave of Shellshock attacks in a blog post, claiming that the flaw is being exploited by criminals for a variety of purposes.
“We have observed a significant amount of overtly malicious traffic leveraging Bash, including malware droppers, reverse shells and backdoors, data exfiltration and distributed denial of service (DDoS),” read the post.
“So far, attackers have deployed scanners looking for vulnerable machines that have been bombarding networks with traffic since midday Wednesday. Through threat intelligence collected from FireEye’s Dynamic Threat Intelligence (DTI) centre, we are seeing frenzied activity all over the world.”
Shellshock is a critical vulnerability in the Bash code used in nearly all Unix or Unix-like systems, including Mac OS X, discovered earlier in September.
The researchers highlighted an advanced campaign emanating from Russia as particularly troubling, and as proof that the original Shellshock patch is ineffective.
“Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise,” read the post.
“The initial patch for this vulnerability (CVE-2014-6271), which was released in sync with the vulnerability’s public disclosure, was quickly found to be inadequate. It’s worth noting that the incomplete patch did not introduce new vectors, but was inadequate to close the hole created by the original bug.”
Security firm Trend Micro found an equally serious campaign leveraging Shellshock to mount attacks on an unnamed Chinese financial institution. The engineers said the attack seems to have a similar exploratory goal to those seen by FireEye.
“Trend Micro Deep Discovery was able to detect this attempt and found that attackers were trying to see if several IPs owned by the institution were vulnerable to a Shellshock vulnerability, specifically CVE-2014-6271,” read the report.
“At first glance, retrieving system information might seem harmless. But as we mentioned before, the information-gathering could possibly be a sign of preparation for more damaging routines. This one command could be a gateway for bigger, more damaging attacks.”
The Shellshock flaw is believed to be one of the most dangerous vulnerabilities ever discovered. In a public threat advisory, telecoms technology giant Cisco confirmed that 31 individual products are vulnerable to Shellshock and that it is actively investigating a further 23 products.