Who came up with the notion that less is more? In terms of data protection, I’m pretty sure that more is more. Sometimes, having more results in a positive outcome (such as more canned foods during a food drive) and sometimes, having more results in a negative outcome (such as more rain in a flood zone).

When it comes to data, more is a good thing, and analysts such as myself become giddier when there are massive amounts of data to play with. With all this data to analyze, my colleagues and I shared some of our thoughts in a research and intelligence paper titled “Shellshock.”

The majority of the attacks originate from the well-known search engine Shodan.io probing and cataloging vulnerable systems. Attackers often use this data to identify vulnerable systems; who can blame them for wanting to narrow their attack surface? Outside of this activity, we investigated several interesting vectors used to target this vulnerability, including email reconnaissance, a perlbot password-grab attempt, a Perl reverse shell and the Mayhem malware installer.

During the beginning stages of an incident, security groups spend most of their energy putting out fires and working quickly to research, respond and mitigate the threat. There is no time for us to “ooh” and “aah” at wondrous charts or bask in the beauty of a glorious trend line. When all is said and done (well, sort of — the threat never really goes away), we take a deeper look at the data.

The First 76 Hours

In looking at data protection, we now expect high-profile threats to be exploited almost immediately after the public release of an exploit; Shellshock was no exception. Still, I reserve the right to be surprised by the speed at which attackers jumped all over the vulnerability in GNU Bash.

Within one hour of the public release of an exploit targeting this issue, we observed a significant uptick in activity associated with this threat. This initial spike on Sept. 25 was caused by over 800 events. A much larger spike in activity was witnessed on Sept. 27, with more than 1,200 events reported.

Attacks came in waves from different source IPs and originating countries. Almost as soon as one attack was mitigated by the Internet service provider, another quickly took its place. Many of the attacks originated from a single Autonomous System Number (ASN) or even a single IP, which is not uncommon in widespread attacks such as this. The clear leader in attacks was the United States, with more than 15,000 recorded attacks (ooh, ahh).

Data Protection in the Face of Rising Attacks

You’ll have to view the paper to “ooh” and “ahh” at the other graphs, but I would like to point out that other notable discoveries include Iceland making our top 10 attacking countries list for the first time. Additionally, while Japan ranked low in the list of attacking countries, it sustained the highest number of attacks from the most countries. The finance and information technology industries experienced spikes in activity throughout the time period analyzed, whereas the targeted activity against the other top industries remained relatively flat.

The Shellshock threat is a good example of a growing trend we’re observing on the attacker front called “attacks that snub malware,” which is often referred to in the industry as “malware-less” attacks. This simply means attackers don’t want to risk malware detection, so they instead exploit existing application functionalities.

This is why it is important for organizations to take a holistic approach to securing their networks. Monitor your operating-system distribution's security announcements and apply updates for this vulnerability as they become available. Many vendors that offer intrusion prevention or intrusion detection systems also now have specific coverage to address this threat and can assist with an organization's data-protection efforts.
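Because a malware-less attack like this leaves no file to hash, detection has to key on the shape of the request itself: the Bash function-definition prefix that a CGI server exports into the environment. The following Python is an added example, not code from the original article or from IBM; it scans constructed Apache combined-format access log lines for that prefix in the attacker-controlled fields (request line, Referer, User-Agent) and tallies hits per source address. The sample log lines, the field layout and the `shellshock_hits` and `top_sources` functions are assumptions made for this illustration.

```python
import re

# Shellshock probes abuse Bash's environment-variable function import: any
# header a CGI server exports into the environment that begins with "() {"
# is parsed by an unpatched Bash as a function definition. Detection keys on
# that prefix (with optional whitespace), not on any particular command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic): one benign request, one probe
# carrying the prefix in User-Agent, one in Referer, one with extra spaces.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "() { :;}; echo probe" "curl/7.30"
192.0.2.44 - - [25/Sep/2014:10:01:00 +0000] "GET /cgi-bin/env HTTP/1.1" 500 0 "-" "()  {  :; }; id"
"""


def parse_combined(line):
    """Split one combined-format line into named fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def shellshock_hits(log_text):
    """Return (source_host, matched_field) for every line carrying the prefix.

    Every attacker-controlled field that a CGI server may export into the
    environment is checked. Lines that do not parse are still scanned as raw
    text so that a malformed probe is not silently skipped.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_combined(line)
        if fields is None:
            if SHELLSHOCK_RE.search(line):
                hits.append(("unparsed", "raw"))
            continue
        for name in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(fields[name]):
                hits.append((fields["host"], name))
                break
    return hits


def top_sources(hits):
    """Count hits per source host, most active first (ties broken by host)."""
    counts = {}
    for host, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = shellshock_hits(SAMPLE_LOG)
    for host, field in found:
        print(f"{host}: Shellshock prefix in {field}")
    print("per-source counts:", top_sources(found))
```

Matching on the `() {` prefix rather than on a command string is deliberate: the trailing command varies from probe to probe (the paper's own list runs from reconnaissance to reverse shells), while the prefix is what the vulnerability requires. Running the script over a real access log, and feeding `top_sources` into a block list or an IDS tuning review, mirrors the per-source and per-ASN view the article draws from its event data.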
