Attackers moved quickly to exploit the 'Bash Bug,' or Shellshock, security researchers said, but the industry moved quicker, issuing patches after the vulnerability was revealed this week.
While security experts are calling Shellshock worse than Heartbleed, industry response was swifter. In a Thursday interview with SCMagazine.com, Stephen Coty, chief security evangelist at Alert Logic, marveled at how quickly a patch was released, as did Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit. Within hours of the unveiling of the vulnerability, Linux providers and security firms, like Akamai, had issued patches.
“We learned a lot of lessons from Heartbleed,” Coty said in an interview with SCMagazine.com. “We are acting much faster to ShellShock than to earlier variants that have come out.”
Still, despite the quick patching, attackers have already exploited the vulnerability and will continue to have a rich playing field among users who don't update their systems.
So far, the attacks are varied. Some include call-and-response type tests, simply to determine whether a device is vulnerable. Others include targeted attacks on specific software, and even more appear to harness the bug to create botnets that could eventually deploy a distributed denial-of-service (DDoS) attack.
Roel Schouwenberg, principal security researcher at Kaspersky Lab, said in an interview with SCMagazine.com that his team has primarily spotted unspecified attacks, those in which cybercriminals appear to be testing out commands to determine how devices could be exploited.
Web servers, for instance, are serving as an easy first foray into exploiting the bug, Schouwenberg said. Although nothing concrete is coming of these tests, attackers are primarily issuing commands that don't have any effect, Schouwenberg and other researchers don't see it staying that way for long.
He and other researchers have noted the first targeted attacks.
In one case, researchers at AlienVault found a botnet network that could have up to 700 devices under its control. However, the surprising part wasn't that this many machines could be amassed. Rather, it was the type of machines that were being infected, according to Jaime Blasco, labs director at AlienVault.
“We detected that it was an IP phone,” Blasco said in an interview with SCMagazine.com. “We did a quick test to determine that those IP phones were vulnerable, and it wasn't that obvious. They [the attackers] must have built special software with the information they have been gathering" since the bug was discovered.
Until recently, hackers didn't know what servers, software and devices were vulnerable, Blasco said. But now, and going forward, the cybercriminals are getting savvier about what devices they can target, and in response, they're customizing their attacks.
As a first defense against Shellshock, IT security specialists should not delay in patching their systems and devices. And, those entities whose infrastructure is too large to address the Bash bug in a couple dedicated sessions, should create and follow patching schedules, said Coty.
The attacks will get worse, most likely, Schouwenberg warned, but at least information is getting out about the vulnerability and how to address it. There is always a caveat, of course.
“Once you publish information, it helps people defend themselves, but it also helps attackers get smarter,” Schouwenberg said. “I don't know where we can find a point of not helping attackers, but also helping ourselves.”