A security flaw in software used by as many as 500m machines around the world is already being used by hackers to carry out a range of attacks, warn experts
Hackers are already taking advantage of the ‘Shellshock’ flaw, which security researchers warn could be more serious than the Heartbleed security hole and have a dangerous fallout lasting for several years.
The Zscaler ThreatLabZ research team said this morning that it had spotted attacks using the flaw “within hours of the public disclosure”. Hackers have been gaining access to machines using the hole and using it to install additional malware that then leaves them wide open to abuse.
The researchers gave details of one attack where an Apache web server was tricked into installing malware that gave hackers the ability to open a backdoor connection for remote access, perform Denial of Service attacks or collect sensitive information.
Similar Apache software to that targeted in the attack is estimated to serve around 54.2 per cent of all websites around the world.
“We rate the severity of this vulnerability to be as critical as that of Heartbleed vulnerability discovered earlier this year,” said the company’s Deepen Desai in a blog post.
The name of the attacking software appears to be “Thanks-Rob”, which is believed to be a reference to security researcher Robert Graham.
Graham wrote a blog post on Wednesday where he reported that he had run a scan to see how many systems vulnerable to Shellshock he could find. His trial found 3,000 machines before it crashed, and he later updated the post to say that he had seen evidence of hackers using the same tactic to deliver malware.
“They'll likely have compromised most of the system I've found by tomorrow morning,” he said. A worm delivering malware now appears to be named as a reference to him, although he is nothing to do with any malicious attack personally.
Cloudflare's John Graham-Cumming told The Verge that he too had seen evidence of attacks in the wild: "We've seen attackers trying to grab password files, download malware onto machines, get remote access, and more. There was even one attack that involved opening or closing a server's CD / DVD drive."
The vulnerability has been hiding in plain sight in the Bash command shell since it was first created in 1989. Bash is included in various Linux distributions and Apple’s Mac OS X, which is itself based on Unix. It can be used by the person using the PC to run various commands but is also run invisibly in the background by many software packages.
A problem with the way it accepts variables when loaded by these other programs could allow hackers to run malicious code on a victim's computer.
Experts warn that it is dangerous because it enables attackers to run powerful commands without permission, potentially leaving victims open to ID theft or loss of sensitive data, but also because it is a simple attack to make which does not require a particularly high level of technical knowledge.
Because Bash is widely used in a range of smaller devices, the flaw could also affect various internet-connected hardware like CCTV cameras, thermostats and sensors. Although few computer users run Linux on their home desktops, the operating system is used extensively in servers and other hardware, including the machines which host and run websites. It will even affect some Android smartphones, as the Google operating system is also based on Linux.
No comments:
Post a Comment