The advisory alerts enterprises to a DDoS botnet-building operation by attackers taking advantage of the Shellshock Bash bug in Linux-based, Mac OS X and Cygwin systems. Failure to take action can result in a vulnerable system being used to propagate a DDoS botnet, launch DDoS attacks, exfiltrate confidential data and run programs on behalf of attackers.
“PLXsert has observed the DDoS botnet-building operation of an attacker using Shellshock to gain access to and control Linux-based systems.” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “We are sharing this information to help enterprises patch their systems to prevent unauthorised access and use by this botnet. Akamai customers have multiple options to minimise the risk of a breach and to mitigate DDoS attacks enabled by this vulnerability.”
Attackers breach vulnerable systems
Malicious actors are using the Bash bug vulnerability, which is reportedly present in GNU Bash versions 1.03 through 4.3, to download and execute payloads on victim machines. These payloads include executable files and script files written in programming languages such as Perl, Python or PHP. The dropped files are capable of launching DDoS attacks, stealing sensitive information and moving laterally across internal networks to breach other systems. In addition, malicious attackers have implemented backdoor functionality to gain unrestricted access to victim machines in the future.
DDoS botnet uses Internet Relay Chat IRC for communication
PLXsert recorded an actual IRC conversation of a botnet-building operation that uses the Shellshock vulnerability to add new bots to a botnet. The observed botnet involved 695 bots. IRC channels #p and #x were used to issue commands, and new bots were requested to join channel #new.
Web applications at high risk
Web applications that use the Common Gateway Interface (CGI) method to serve dynamic content are at risk for the Bash bug. It is important to check internal and external web servers for this type of application and others that may potentially pass input to Bash. The Shellshock vulnerability has also been exploited in OpenSSH (OpenBSD Secure Shell), a set of computer programs that provides encrypted communication sessions. In this case the vulnerability is exploited after authentication, which lowers the risk of exploitation but should still be considered high risk.
Enterprises need to patch (and re-patch) vulnerable hosts
Enterprises must update and patch vulnerable hosts as soon as possible. Some of the earlier patches were insufficient. It is important to obtain and apply the latest patch from the operating system developer. Fully patched, remote exploitation attempts of this type will be unsuccessful.
PLXsert anticipates further infestation and the expansion of this DDoS botnet.
Get the Shellshock DDoS Botnet Threat Advisory to learn more
In the Bash bug advisory, PLXsert shares its analysis and details, including:
- Vulnerable Bash versions
- DDoS building capabilities of binary payloads
- Types of DDoS attacks
- IRC conversation from within the DDoS botnet
- How to mitigate this vulnerability
- DDoS mitigation