October 21, 2016 By Michelle Alvarez 2 min read

Beginning on Oct. 10, 2016, IBM X-Force detected a notable increase in Shellshock activity lasting four days. Given its prevalence over the last two years, we didn’t think we had seen the last of Shellshock. We are a little surprised, however, by its latest uptick in activity.

This spike saw nearly the same volume of Shellshock attacks as the one we observed prior to the malware’s two-year anniversary last month. The attacks in this latest wave, however, were sourced from only four U.S.-based IP addresses, whereas the previous spike in Shellshock activity originated from hundreds of unique IP addresses.

Just as quickly as they appeared, the attacks evaporated as of Oct. 14, 2016.

More Shellshock Attacks

As with September’s attacks, this more recent wave was designed to perform reconnaissance against distributed targets to find machines vulnerable to Shellshock. Targets were not concentrated in any specific geography — this was a global campaign spanning multiple industries.

The campaign — currently rated 10, indicating the highest level of risk — used the following four IP addresses:

The attack’s payload contained the following information:

:header_value=() { :;}; echo; echo “”39319c2bd3231f5c4a15e142faef5bf2″”

Unlike the September attacks, which used the Session Initiation Protocol (SIP) to determine exploitability, the October attacks used a unique identifier that looks suspiciously like an MD5 checksum, but it is not. Each individual attack thread is assigned a unique string that identifies the target as vulnerable to the Shellshock exploit. Exploitation is possible when the attacker sees the unique identifier echoed back into the attack tool.

For more information about the October wave of Shellshock attacks, see the IBM X-Force Exchange collection.

Patching the Broken Record

This may sound like a broken record by now, but if you have not patched your systems against this threat, we strongly advise doing so as soon as practical. The IBM X-Force Exchange vulnerability report contains an extensive list of references. This should provide you with the information you need to obtain the appropriate patches. Protocol analysis can provide another layer of security against these attacks.

Because the aforementioned IPs are registered to what appears to be a cloud provider, I’d be remiss if I didn’t point out the potential risks associated with cloud services. Companies must consider the risks of misuse of employee credentials, hijacked accounts and insecure interfaces or application program interfaces (API) when deciding whether to adopt a cloud solution. Security should be at the heart of any organization’s cloud strategy and design.

More from Threat Intelligence

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today