Ready for me to go old school? How about SQL Slammer-level old school? More than 13 years after it was first found scurrying around the internet, the SQL Slammer worm can still be found propagating in the wild, albeit minimally, according to IBM Managed Security Services (MSS) data.

But why does such an old threat keep making the rounds more than a decade after its discovery? Some older threats never die because they’re easy to exploit. There’s always the chance that a vulnerable system can be compromised by tested and true bugs.

Shellshock Surge

While SQL Slammer is a dated threat that only affected Microsoft SQL server 2000, we have much more serious and widespread threats following in its footsteps.

Last Saturday marked the two-year anniversary of one of the most infamous bugs of 2014, Shellshock. A recent surge in attacks observed by IBM Managed Security Services suggested the threat is still prevalent.

From Zero Day to Present Day

A 20-year-old vulnerability (CVE-2014-6271) in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems, sparked the mobilization of attacks known as Shellshock beginning in late September 2014. This first vulnerability gave way to the disclosure of several additional vulnerabilities affecting the UNIX Shell within a short period (CVE-2014-7186 and CVE-2014-7187), at which point many realized that this was a threat to be reckoned with.

Right at the onset, we observed a significant increase in focused attacks leveraging these vulnerabilities — over 2,000 security events within 24 hours of the Shellshock bug disclosure. To get an idea of the magnitude of this activity, there were just over 7,500 Shellshock security events for the entire month of August 2016, according to IBM MSS data.

When a zero-day vulnerability surfaces, especially a high-profile one that can affect many systems, the corresponding exploit is usually disclosed promptly. With Shellshock, an exploit targeting the first vulnerability was publicly disclosed a mere 28 hours after the zero-day vulnerability emerged.

As news of this vulnerability and its ease of exploitation spread, the number of attackers opting to leverage and exploit it increased tremendously. Attacks came in waves from different source IPs and originating countries, rising in quantity every hour.

Shocking Numbers

As though in anticipation of its anniversary, Shellshock attack activity recently surged to levels not seen since 2015. As of Sept. 22, the month of September accounted for more than 26 percent of the total activity recorded in 2016.

A little over 70 percent of the attack traffic originated in the U.S., whereas another 18 percent comes from Australia. Top targets of these attacks, according to IBM MSS data, include organizations located in U.S. (26 percent), Japan (18 percent), India (16 percent) and Brazil (11 percent).

Retrospective Perspective

Before Shellshock had us scrambling to patch our systems in 2014, we were running for the hills because of another vulnerability. Heartbleed, which affected OpenSSL, a popular open-source protocol, was all over the news.

Heartbleed enabled attackers to remotely exploit a vulnerability to read system memory contents without needing to log on and authenticate a valid identity to a remote server. Successful exploitation could allow attackers to retrieve private keys, passwords or other sensitive information from servers they were not authorized to access.

Although a formidable threat when it first surfaced — IBM MSS data revealed over 1.8 million Heartbleed-based attacks by the end of the first month — Heartbleed failed to exhibit the same staying power as its system-crippling cousin, Shellshock.

As shown in the figure above, in the past year, Heartbleed activity indeed paled in comparison to Shellshock, failing to reach even 15 percent of the total number of Shellshock attacks. Even as Shellshock attacks nosedived in November 2015 and continued to wane as we entered 2016, it still managed to maintain its stamina, averaging nearly 7,900 attacks per month throughout 2016.

Who Is Still Riding the Shellshock Wave?

Per IBM MSS data, as of mid-September, the U.S. is the leading country from which Shellshock attacks originate, making up 71 percent of the total in 2016. Approximately 1,800 unique source IPs based in the U.S. were responsible for these attacks. China is in a distant second, making up 8 percent of the Shellshock attacks, followed by Australia and Italy at 6 percent and 3 percent, respectively.

Who Is Still Suffering From Shellshock?

The U.S. is also the leading country in terms of organizations targeted by Shellshock, making up 46 percent of the total in 2016. Although Japan was at the top when the threat first materialized, it ranks second in 2016, making up 24 percent of the total on a global scale.

In terms of industries most targeted, the information and communication sector, including telecommunications companies as well as those that provide computer programming and consulting services, topped the list in 2016. They sustained over 46 percent of the Shellshock attacks. This makes sense since many major organizations in this space run Linux-based systems in their IT infrastructure and environments.

Financial services ranked second at 26 percent, followed closely by manufacturing in third at 16 percent. The finance sector began adopting Linux-based platforms over a decade ago, with early adopters including the Chicago Mercantile Exchange in 2004 and the New York Stock Exchange in 2007. The pervasiveness of the operating system in this sector makes it an attractive target.

UNIX systems, which employ the Bash shell, are also perhaps more prevalent in manufacturing versus other industries. ICS and SCADA hardware might also have a basic UNIX-like firmware running on the device that can’t be easily updated due to special constraints. That could lead to outdated vulnerable services such as SSH, OpenSSL and Apache running on critical devices.

Additionally, the large discrepancy in Shellshock activity observed in information and communications, financial services and manufacturing versus other industries may point to differences in patching practices among those verticals.

Read the X-Force Research Paper to learn more about older attacks and the dangers they present

Make It Go Away

We wish we could wave a magic wand and make threats like Shellshock go away. But it’s not so simple, unfortunately. Like stains, some cyberthreats are persistently visible, and Shellshock seems bent on sticking around.

So how do you address this issue? Apply the appropriate update for your system. Failure to apply patches and fixes leaves your organization at risk of Shellshock attacks. Timely patch management is vital in organizations of any size. However, depending on the complexity of your environment, this is easier said than done.

Security intelligence and data analytics tools allow your organization to identify the greatest vulnerabilities and prioritize patching, keeping your systems patched and up to date. Virtual patch technology can provide an additional layer of protection. While vendor patches are a first line of defense, protocol analysis, which is incorporated in IBM Security Network Intrusion Prevention product offerings, can provide an additional layer to protect against these types of attacks. In fact, IBM has been helping to protect customers from Shellshock and similar attacks since 2007.

Let’s hope this upward trend is fleeting, and next year there won’t be any reason to publish an anniversary blog.

To learn more about other older attacks that are still successful, check out the IBM X-Force research paper, “Beware of Older Cyber Attacks.”

More from Software Vulnerabilities

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…