Beginning on Oct. 10, 2016, IBM X-Force detected a notable increase in Shellshock activity lasting four days. Given its prevalence over the last two years, we didn’t think we had seen the last of Shellshock. We are a little surprised, however, by its latest uptick in activity.

This spike saw nearly the same volume of Shellshock attacks as the one we observed prior to the malware’s two-year anniversary last month. The attacks in this latest wave, however, were sourced from only four U.S.-based IP addresses, whereas the previous spike in Shellshock activity originated from hundreds of unique IP addresses.

Just as quickly as they appeared, the attacks evaporated as of Oct. 14, 2016.

More Shellshock Attacks

As with September’s attacks, this more recent wave was designed to perform reconnaissance against distributed targets to find machines vulnerable to Shellshock. Targets were not concentrated in any specific geography — this was a global campaign spanning multiple industries.

The campaign — currently rated 10, indicating the highest level of risk — used the following four IP addresses:

The attack’s payload contained the following information:

:header_value=() { :;}; echo; echo “”39319c2bd3231f5c4a15e142faef5bf2″”

Unlike the September attacks, which used the Session Initiation Protocol (SIP) to determine exploitability, the October attacks used a unique identifier that looks suspiciously like an MD5 checksum, but it is not. Each individual attack thread is assigned a unique string that identifies the target as vulnerable to the Shellshock exploit. Exploitation is possible when the attacker sees the unique identifier echoed back into the attack tool.

For more information about the October wave of Shellshock attacks, see the IBM X-Force Exchange collection.

Patching the Broken Record

This may sound like a broken record by now, but if you have not patched your systems against this threat, we strongly advise doing so as soon as practical. The IBM X-Force Exchange vulnerability report contains an extensive list of references. This should provide you with the information you need to obtain the appropriate patches. Protocol analysis can provide another layer of security against these attacks.

Because the aforementioned IPs are registered to what appears to be a cloud provider, I’d be remiss if I didn’t point out the potential risks associated with cloud services. Companies must consider the risks of misuse of employee credentials, hijacked accounts and insecure interfaces or application program interfaces (API) when deciding whether to adopt a cloud solution. Security should be at the heart of any organization’s cloud strategy and design.

More from Threat Intelligence

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations. Shedding light on…