Light Dark
September 27, 2016 By Michelle Alvarez 5 min read
Software Vulnerabilities
Advanced Threats
X-Force

Ready for me to go old school? How about SQL Slammer-level old school? More than 13 years after it was first found scurrying around the internet, the SQL Slammer worm can still be found propagating in the wild, albeit minimally, according to IBM Managed Security Services (MSS) data.

But why does such an old threat keep making the rounds more than a decade after its discovery? Some older threats never die because they’re easy to exploit. There’s always the chance that a vulnerable system can be compromised by tested and true bugs.

Shellshock Surge

While SQL Slammer is a dated threat that only affected Microsoft SQL server 2000, we have much more serious and widespread threats following in its footsteps.

Last Saturday marked the two-year anniversary of one of the most infamous bugs of 2014, Shellshock. A recent surge in attacks observed by IBM Managed Security Services suggested the threat is still prevalent.

From Zero Day to Present Day

A 20-year-old vulnerability (CVE-2014-6271) in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems, sparked the mobilization of attacks known as Shellshock beginning in late September 2014. This first vulnerability gave way to the disclosure of several additional vulnerabilities affecting the UNIX Shell within a short period (CVE-2014-7186 and CVE-2014-7187), at which point many realized that this was a threat to be reckoned with.

Right at the onset, we observed a significant increase in focused attacks leveraging these vulnerabilities — over 2,000 security events within 24 hours of the Shellshock bug disclosure. To get an idea of the magnitude of this activity, there were just over 7,500 Shellshock security events for the entire month of August 2016, according to IBM MSS data.

When a zero-day vulnerability surfaces, especially a high-profile one that can affect many systems, the corresponding exploit is usually disclosed promptly. With Shellshock, an exploit targeting the first vulnerability was publicly disclosed a mere 28 hours after the zero-day vulnerability emerged.

As news of this vulnerability and its ease of exploitation spread, the number of attackers opting to leverage and exploit it increased tremendously. Attacks came in waves from different source IPs and originating countries, rising in quantity every hour.

Shocking Numbers

As though in anticipation of its anniversary, Shellshock attack activity recently surged to levels not seen since 2015. As of Sept. 22, the month of September accounted for more than 26 percent of the total activity recorded in 2016.

A little over 70 percent of the attack traffic originated in the U.S., whereas another 18 percent comes from Australia. Top targets of these attacks, according to IBM MSS data, include organizations located in U.S. (26 percent), Japan (18 percent), India (16 percent) and Brazil (11 percent).

Retrospective Perspective

Before Shellshock had us scrambling to patch our systems in 2014, we were running for the hills because of another vulnerability. Heartbleed, which affected OpenSSL, a popular open-source protocol, was all over the news.

Heartbleed enabled attackers to remotely exploit a vulnerability to read system memory contents without needing to log on and authenticate a valid identity to a remote server. Successful exploitation could allow attackers to retrieve private keys, passwords or other sensitive information from servers they were not authorized to access.

Although a formidable threat when it first surfaced — IBM MSS data revealed over 1.8 million Heartbleed-based attacks by the end of the first month — Heartbleed failed to exhibit the same staying power as its system-crippling cousin, Shellshock.

As shown in the figure above, in the past year, Heartbleed activity indeed paled in comparison to Shellshock, failing to reach even 15 percent of the total number of Shellshock attacks. Even as Shellshock attacks nosedived in November 2015 and continued to wane as we entered 2016, it still managed to maintain its stamina, averaging nearly 7,900 attacks per month throughout 2016.

Who Is Still Riding the Shellshock Wave?

Per IBM MSS data, as of mid-September, the U.S. is the leading country from which Shellshock attacks originate, making up 71 percent of the total in 2016. Approximately 1,800 unique source IPs based in the U.S. were responsible for these attacks. China is in a distant second, making up 8 percent of the Shellshock attacks, followed by Australia and Italy at 6 percent and 3 percent, respectively.

Who Is Still Suffering From Shellshock?

The U.S. is also the leading country in terms of organizations targeted by Shellshock, making up 46 percent of the total in 2016. Although Japan was at the top when the threat first materialized, it ranks second in 2016, making up 24 percent of the total on a global scale.

In terms of industries most targeted, the information and communication sector, including telecommunications companies as well as those that provide computer programming and consulting services, topped the list in 2016. They sustained over 46 percent of the Shellshock attacks. This makes sense since many major organizations in this space run Linux-based systems in their IT infrastructure and environments.

Financial services ranked second at 26 percent, followed closely by manufacturing in third at 16 percent. The finance sector began adopting Linux-based platforms over a decade ago, with early adopters including the Chicago Mercantile Exchange in 2004 and the New York Stock Exchange in 2007. The pervasiveness of the operating system in this sector makes it an attractive target.

UNIX systems, which employ the Bash shell, are also perhaps more prevalent in manufacturing versus other industries. ICS and SCADA hardware might also have a basic UNIX-like firmware running on the device that can’t be easily updated due to special constraints. That could lead to outdated vulnerable services such as SSH, OpenSSL and Apache running on critical devices.

Additionally, the large discrepancy in Shellshock activity observed in information and communications, financial services and manufacturing versus other industries may point to differences in patching practices among those verticals.

Read the X-Force Research Paper to learn more about older attacks and the dangers they present

Make It Go Away

We wish we could wave a magic wand and make threats like Shellshock go away. But it’s not so simple, unfortunately. Like stains, some cyberthreats are persistently visible, and Shellshock seems bent on sticking around.

So how do you address this issue? Apply the appropriate update for your system. Failure to apply patches and fixes leaves your organization at risk of Shellshock attacks. Timely patch management is vital in organizations of any size. However, depending on the complexity of your environment, this is easier said than done.

Security intelligence and data analytics tools allow your organization to identify the greatest vulnerabilities and prioritize patching, keeping your systems patched and up to date. Virtual patch technology can provide an additional layer of protection. While vendor patches are a first line of defense, protocol analysis, which is incorporated in IBM Security Network Intrusion Prevention product offerings, can provide an additional layer to protect against these types of attacks. In fact, IBM has been helping to protect customers from Shellshock and similar attacks since 2007.

Let’s hope this upward trend is fleeting, and next year there won’t be any reason to publish an anniversary blog.

To learn more about other older attacks that are still successful, check out the IBM X-Force research paper, “Beware of Older Cyber Attacks.”

 |  |  |  |  | 
Michelle Alvarez
Manager, X-Force Strategic Threat Analysis, IBM

More from Software Vulnerabilities
September 26, 2024

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

June 6, 2024

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

August 9, 2023

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature