Catch Attackers Attempting to Shellshock You

Catch Attackers Attempting to Shellshock You

By:
Oliver Tavakoli, CTO, Vectra Networks
September 29, 2014

The recent discovery of Shellshock, the bash shell bug, has something in common with the discovery of Heartbleed earlier this year. Both vulnerabilities existed for many years before they were discovered – over two years for Heartbleed and over 22 years for Shellshock. Both affect a very large number of computer and communications systems. Both have induced a gut-wrenching panic.

There will always be two periods during which you are vulnerable to such exploits. The first is the period before the vulnerability is reported and may have been exploited by a few attackers. The second is the span of time between when the vulnerability is publicly reported and before you patch the affected systems. During this second period, every attacker imaginable will attempt to exploit the vulnerability. Predicting when new vulnerabilities will appear and what ways creative attackers will come up with to exploit them is generally a losing battle. That doesn’t mean there is nothing you can do to catch them.

To detect attackers who have exploited vulnerabilities either before the vulnerability is discovered or before you patch your systems, our products watch for the telltale signs after an exploit – any security exploit – succeeds. While the exploit may be new, the goals of attackers don’t really change as the result of a new vulnerability becoming known. The attackers' goals may be opportunistic where the vulnerability provides an opportunity for him to dramatically expand the footprint of a botnet by infecting your computers with malware and to effectively double or triple his botnet's income. Or, the attackers' goals may be targeted where the vulnerability provides a great opportunity to gain an initial foothold into your organization, which may have otherwise been difficult to penetrate. Regardless of the exploit used, the attackers goals remain much as they did before the new vulnerability was discovered.

Consider that Shellshock may specifically be exploited via a Web CGI vector or an internal DHCP vector. When the exploit occurs via Web CGI, it will typically be against an Internet-facing Web server and a Linux server is the most likely host to be infected.The infected host may be used by the opportunistic attacker to perform one or more of the following functions:

  • Act as relay for a fast flux command & control network
  • Act as a relay for monetization (e.g., click fraud, SEO, SMO)
  • Send spam
  • Mine cyber currency (e.g., Bitcoin, Dogecoin)
  • Participate in a DDoS attack
  • Act as a pivot point for internal and possibly targeted attacks

Even though the opportunistic attacker isn’t stealing from you, the attack creates noise that makes it harder to find an attacker who actually is targeting you. A lesson from Fazio Mechanical and Target is that seemingly opportunistic attackers who install keyloggers can use the credentials they steal to target your business partners, or worse, attack you.

When the attack occurs via the internal DHCP vector, the infected host may be used to perform many of the functions listed above as well as the following functions of a targeted attack against your organization:

  • Install a RAT or a more generic metasploit or canvas-based frameworks
  • Spread internally to other hosts in the networks
  • Perform slow (darknet) and fast (port scan) reconnaissance and spread laterally (automated replication) if the host is used to advance a targeted attack
  • Steal credentials through brute-force attacks and utilize them in ways which show up as Kerberos anomalies

New vulnerabilities will continue to be reported and attackers will actively exploit them to attack you prior to your systems being patched. However, new vulnerabilities don't need to induce a gut-wrenching moment of fear or panic. To effectively protect your organizations, focus on the goals an attacker wants to achieve and always assume there is some vulnerability out there that the attacker can exploit to begin the cyber attack. Our platforms put you in a position to see the progression of the attack as this is independentof the currently-in-vogue exploit-of-the-day. Regardless of how the attacker gets in, we can enable you to see what they are doing.

Watch a 2-minute demo

{{cta('4e1a6c6c-24f9-413b-8280-d6227d4a58a0')}}