Shellshock – Picking up the Pieces

By Dave Larson | October 02, 2014

Posted in: Network Security Trends

4.1 million. That’s the number of news items, blogs, webpages, reports, and opinion articles related to the recently discovered ‘Shellshock’ (Bash) vulnerability that were matched via a quick Google search for ‘Shellshock bash bug’ this morning. There’s no denying that this vulnerability is one of the largest we have ever seen rock the Internet and the response has been overwhelming.

The reaction from experts, wanna-be experts, reporters, analysts, and the security community alike has been accompanied by a lot of confusion, resulting in viral miscommunication about the Shellshock vulnerability itself and how it relates to DDoS attacks. The root of the confusion appears to be a misguided understanding of the purpose or motivations for exploiting this vulnerability in servers.

Yes, Shellshock is an effective way to gain access to a vulnerable server; there is no question about that. However, this activity should not be conflated with a DDoS attack. The intent of most DDoS attacks is to bring down network resources and servers to cause downtime for the business being targeted, so the effects of a DDoS attack are quite apparent. By contrast, using the Shellshock exploit against a server is a clandestine activity aimed at information theft rather than downtime, and attackers have far more lucrative options available once the server has been compromised.

For instance, a compromised server can be a vehicle for stealing intellectual property, initiating unauthorized financial transactions, and conducting cyber espionage. Sure, botnets can exploit the Shellshock vulnerability to ‘recruit’ unpatched servers and pull them into their army of DDoS soldiers, but attackers have more rewarding opportunities available to them through this vulnerability than simply using its power to launch DDoS attacks.

Another legitimate concern with respect to DDoS is that attackers may use mid-level volumetric DDoS attacks against a target site in order to negate its existing security defenses. This is accomplished by overwhelming those defenses and distracting security personnel while leaving just enough bandwidth available to infiltrate the organization via a Shellshock exploit that gets lost in the chaos of reacting to the DDoS attack. In fact, as firewall and IPS vendors release patches and signatures designed to address Shellshock, DDoS becomes an attractive tool for helping Shellshock evade these defenses, because these products are generally susceptible to being DDoS’ed themselves. When these traditional security devices become overwhelmed, they fail open, allowing traffic to continue. In this case, security intelligence becomes critical for potential victims of such a sophisticated and increasingly common ‘bait and switch’ attack. If your security perimeter is unable to keep up with the onslaught of attack traffic, or unable to capture sufficiently detailed event information about all of the vectors used in a sophisticated attack, your organization could easily be compromised without any evidence that the event occurred.
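As an added illustration (not part of the original post), here is a small log-analysis routine that applies the kind of event-level visibility argued for above: it flags requests carrying the Shellshock marker in web-server access logs and notes whether each arrived during a request flood, which is exactly when an overwhelmed inline device would have let it through. The combined log format, the flood threshold and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample (combined log format): a one-second burst of junk requests
# with a single Shellshock-style probe hidden in the middle of it.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.{i} - - [02/Oct/2014:10:15:01 +0000] "GET /?x={i} HTTP/1.1" 200 512 "-" "flood-client"'
     for i in range(1, 8)]
    + ['198.51.100.7 - - [02/Oct/2014:10:15:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 77 "-" "() { :; }; echo probe"']
    + [f'10.0.0.{i} - - [02/Oct/2014:10:15:01 +0000] "GET /?y={i} HTTP/1.1" 200 512 "-" "flood-client"'
       for i in range(8, 15)]
    + ['203.0.113.9 - - [02/Oct/2014:10:16:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"']
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# "() {" at the start of a client-supplied value is the marker of a crafted
# function export; a coarse signature, but the same one inline devices use.
MARKER_RE = re.compile(r"\(\)\s*\{")

def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def analyze(log_text, flood_threshold=10):
    """Return one alert per request carrying the marker, tagged with whether it
    arrived during a 'flood' second (total requests >= flood_threshold). Those
    are the ones an overwhelmed inline device is most likely to have passed."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    per_second = Counter(e["time"] for e in entries)
    alerts = []
    for e in entries:
        hit = next((f for f in ("req", "ref", "ua") if MARKER_RE.search(e[f])), None)
        if hit:
            alerts.append({"ip": e["ip"], "time": e["ts"], "field": hit,
                           "during_flood": per_second[e["time"]] >= flood_threshold})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The single probe in the sample is reported with `during_flood` set, because fifteen requests share its second; the normal request a minute later produces nothing.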

Sophisticated, hybrid exploits that use the Shellshock vulnerability are yet another testament to the fact that attack visibility, comprehensive threat intelligence, and security analytics are essential components of any effective security solution. Organizations should seek out defense tools that also provide the necessary visibility into all such cyber threat activity, so that they are not only proactive in preventing DDoS attacks but also aware of under-the-radar threats like Shellshock that may be surreptitiously riding the DDoS wave.
