Attackers scan for Shellshock Bash targets

Within hours of the Shellshock Bash vulnerability emerging, attackers were actively scanning web servers and launching attacks.
Written by Rob O'Neill, Contributor

A New Zealand-based IT security consultancy said it has detected hundreds of remote scans of websites by attackers trying to find servers vulnerable to a Shellshock Bash attack.

In addition to the scans, often a precursor to an actual attack, about 10 percent of the activity that Wellington-based Aura Information Security is seeing consists of actual attempts to exploit the vulnerability, which was discovered in the Linux/Unix Bourne-Again Shell, commonly known as Bash.

Chief executive Andy Prow said Aura was defending against Shellshock with its shielding service, Redshield, within a couple of hours of the vulnerability emerging.

Over the next 24 hours, scans and attacks began to be detected. By Thursday morning, 40 such attacks had been logged, and by Friday morning, that number reached 190.

"10 percent appeared malicious and destructive, 90 percent was 'giving it a poke'," Prow said. "That's the way it works."

A range of attacks, some aimed at gaining access to information rather than crippling or compromising websites, are emerging globally, as reported by ZDNet. Advice on protection is available here.

Prow described the Shellshock exploit as "quite trivial", not requiring a huge level of sophistication from knowledgeable attackers. Websites using CGI scripting are the most vulnerable, he said.

"The exploitability likelihood is extremely high," he said.

Websites are the easiest systems to attack, but the threat is not limited to them, he said.

For example, systems such as Network Attached Storage are also potentially vulnerable.

Prow expects to see the number of malicious attacks increase as hackers try to compromise machines by running malicious scripts.

The New Zealand Internet Task Force (NZITF) warned internet users and website owners yesterday to take basic steps to protect themselves. NZITF also provides detailed technical guidance here.

Chair Barry Brailey said criminals are looking for ways to exploit the Bash vulnerability. While vendors are racing to develop patches and fixes, customers need to be vigilant and check for updates frequently.

In addition to applying patches, NZITF recommends users be extra vigilant about malware and scams.

"If there is an increase in the number of websites being compromised, these could be used to launch malware or scams," it said. "Make sure that you keep your paranoid filter on high for the next little while."

Businesses and website owners should also consider shutting down vulnerable non-critical systems until they can be patched, and monitor their firewall and access logs for indications of attack.
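
The access-log monitoring recommended above, shown as an added example that is not from the article, Aura or NZITF: it scans combined-format web server logs for the Bash function-definition prefix `() {`, which Shellshock requests carry in a header or the request line, and counts hits per source address. The log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Bash function-definition prefix. CGI copies request headers into environment
# variables, so a header value starting with this is the Shellshock marker.
MARKER = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format; quoted fields may hold escaped quotes.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
FIELDS = ("request", "referer", "agent")

def find_probes(lines):
    """Return one dict per log line whose request, referer or agent has the marker."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        fields = [f for f in FIELDS if MARKER.search(m.group(f))]
        if fields:
            parts = m.group("request").split()
            hits.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "fields": fields,
                "path": parts[1] if len(parts) > 1 else "", "status": m.group("status"),
            })
    return hits

def by_source(hits):
    """Count flagged requests per source address."""
    return Counter(h["ip"] for h in hits)

# Constructed sample lines (documentation address ranges, command text elided).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:09:12:01 +1200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2014:09:12:44 +1200] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :;}; <command elided>"',
    '198.51.100.7 - - [26/Sep/2014:09:12:45 +1200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :;}; <command elided>" "-"',
    '203.0.113.5 - - [26/Sep/2014:09:13:02 +1200] "GET /cgi-bin/search?q=() HTTP/1.1" 200 900 "-" "curl/7.37"',
]

if __name__ == "__main__":
    for h in find_probes(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], h["path"], ",".join(h["fields"]))
    print(by_source(find_probes(SAMPLE_LOG)))
```

A flagged request that returned 200 on a CGI path reached a script, so those hosts are the first to check against patch status.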
