Banks and businesses toiled over the weekend to crush a bug in a widely used open source operating system.
The flaw has been in Unix for some 25 years, but it was revealed just last week. If exploited by an attacker, the vulnerability in BASH (Bourne-Again SHell) could be used to inject malicious code or take command of a system or device.
“This BASH vulnerability is going to prove to be a much bigger headache than Heartbleed was,” Mark Parker, a senior product manager at iSheriff, told the E-Commerce Times.
Heartbleed, a recently discovered defect in another open source program, OpenSSL, sent shock waves through the Net.
The BASH vulnerability, dubbed “Shellshock,” requires patching not only systems running Apple’s OS X, Linux and Unix, but also thousands of devices running those OSes and connected to the Internet, Parker explained.
Those devices include DVRs, home automation systems, automotive entertainment systems, mobile phones, home routers, manufacturing systems and printers.
“Most of these devices will be susceptible, because most Linux-based devices run BASH,” said Parker. “It is such an integral part of the Linux OS.”
Banks Urged to Act
With news of Shellshock spreading across the Net, federal regulators began warning the financial community to tighten up its security to avoid being victimized by the bug.
Shellshock “could expose organizations and individuals to potential fraud, financial loss, or access to confidential information,” states a Federal Financial Institutions Examination Council alert.
Financial institutions should conduct a risk assessment and take steps to address the Shellshock vulnerability, the FFIEC advised, including identifying vulnerable internal systems and services, following appropriate patch management practices, and ensuring that third-party vendors take appropriate risk mitigation steps, as well as monitoring the status of those vendors’ efforts.
Meanwhile, businesses, especially large businesses, appear to be addressing the problem.
Close to 60 percent of Fortune 1000 and Global 2000 enterprises had deployed or were actively in the process of deploying Shellshock patches as the weekend approached, CloudPassage estimated.
Quick action is important in preventing damage caused by the bug.
“Patching prevents future exploits of the vulnerability, but it does not undo damage already potentially done,” CloudPassage CEO Carson Sweet told the E-Commerce Times.
In addition to installing patches, systems administrators should pay close attention to network logs, recommended Daniel Ingevaldson, CTO of Easy Solutions.
“This exploit is noisy and easily logged,” he told the E-Commerce Times.
Signs of Hacker Attack
Once platform vulnerabilities are made public, it doesn’t take long for Net marauders to start exploiting them.
“Within just hours, there were already multiple instances of malware taking advantage of this weakness,” Sweet said of Shellshock.
At this point in the vulnerability cycle, it appears that Web predators are starting to identify targets.
Aura Information Security spotted almost 200 attacks on systems it was protecting in the first 48 hours after Shellshock was made public. Ninety percent of them were scans probing for the vulnerability.
Blue Coat also has seen signs of hackers seeking to exploit Shellshock.
“We are already seeing DDoS botnets trying to utilize this vulnerability in their attacks, and we expect that traffic to only continue to increase,” Waylon Grange, senior malware researcher, told the E-Commerce Times.
AlienVault researchers also spotted scanning and botnet activity connected to Shellshock.
“We found several machines trying to exploit the BASH vulnerability,” said Jaime Blasco, director of AlienVault Labs.
“The majority of them are only probing to check if systems are vulnerable,” he told the E-Commerce Times.
“On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the systems,” Blasco said.
The malware turns the systems into bots that can be used in DDoS attacks.