web analytics

Why Shellshock Remains a Cybersecurity Threat After 9 Years – Source: www.darkreading.com

why-shellshock-remains-a-cybersecurity-threat-after-9-years-–-source:-wwwdarkreading.com
Rate this post

Source: www.darkreading.com – Author: Jeremy Ventura, Director, Security Strategy, Field CISO, @ThreatX

The Shellshock vulnerability got a lot of attention when it was first disclosed in 2014 — both from the media and security teams. While that attention has waned in subsequent years, the Shellshock vulnerability has not disappeared — nor has attacker attention weakened.

Rather, this vulnerability remains a popular target, particularly in financial services applications. In fact, earlier this year, ThreatX identified attackers attempting to exploit a Shellshock vulnerability in approximately one-third of our customers. These numbers are concerning when considering the severity and age of this vulnerability. How could a vulnerability disclosed nine years ago still be so prevalent in attacks? And why do so many credit unions fall victim?

What Is Shellshock and Why Does It Still Exist?

Shellshock, also known as the Bash bug or CVE-2014-6271, is a vulnerability that researchers discovered in September 2014 in the Unix Bash shell. Deemed a critical vulnerability due to the escalated privileges it provides attackers if exploited, Shellshock existed on billions of devices around the world and caused widespread panic and countless patches in 2014. The panic has subsided, but the vulnerability hasn’t exactly gone away. It still exists in the wild and remains popular because it is relatively simple to launch and deploy and requires little skill or cost from an attacker.

So why does it still exist nearly 10 years later? Three words: bad patch management. Failure to apply patches in a timely manner can leave organizations vulnerable to attacks that exploit known vulnerabilities. The Shellshock vulnerability is a prime example of the consequences of not applying patches promptly. Many organizations are slow to apply the necessary updates, leaving their systems open to attack.

One reason organizations are struggling with patch management is because the process can be complex and time-consuming, especially in large or distributed environments. There may also be concerns about the potential impact of applying patches, such as downtime or compatibility issues with other software. Additionally, some organizations may not have the necessary resources or expertise to effectively manage patching across their entire infrastructure.

How are attackers using Shellshock? Often, they are using it to launch distributed denial of service (DDoS) attacks and to target vulnerable systems that are interconnected. These attacks are usually deployed using bots and botnets. Additionally, attackers historically have targeted the flaw on some network storage devices to dump all the data they’re storing or even target cryptocurrency.

Why Are Credit Unions a Primary Target for Attackers?

While attackers aren’t attacking only credit unions with this vulnerability, ThreatX has seen a higher proportion of these types of attacks against our credit union customers than our other customers. For 33% of our credit union customers, Shellshock was a top-4 attack type targeting them in a four-week period in 2023.

Credit unions are prime targets not just for Shellshock but for cyberattacks in general. They make attractive targets primarily because they hold a significant amount of sensitive financial information, including personal data. Second, credit unions have historically lacked the security resources of larger financial and banking institutions with huge budgets and security teams. They are often seen as a softer or easier target due to the lack of defenses or personnel, and attackers may assume they are behind in patching.

Third-party supply chain risks can be higher with these organizations as well. Credit unions often rely on third-party vendors for access to online banking, mobile banking, and payment processing. Not all vendors are applying the same or “just as good as” security controls that leave everyone vulnerable and at risk.

How Can You Prepare Your Systems Against Shellshock?

To properly defend and protect your systems from potential attacks, organizations need to keep systems patched and protect against bots.

Optimize Patch Processes

Establish a robust patch management policy and process, including regular vulnerability scanning and prioritizing critical patches. Also, ensure that all systems and software are properly configured to receive and apply patches automatically, where and when possible. Training and education for staff on patch management best practices and the importance of timely patching is also critically important. Finally, organizations should regularly review and update their patch management strategy to ensure it remains effective in the face of evolving threats and technologies.

Shore Up Bot Defense

Most attacks against application programming interfaces (APIs) and applications, including those related to Shellshock, now leverage bots or botnets. The challenge with mitigating bot traffic is that not all bots are malicious (think search engine spiders). Coarse-grained bot mitigation efforts can disrupt or degrade legitimate user experience. It’s long been known that the use of CAPTCHA to identify humans vs. bots leads to a suboptimal customer experience. Advanced bots may also use headless browsers or impersonate legitimate users, which can easily defeat user-agent based detection and fool web application firewalls and web applications into thinking the attacking bots are, in fact, a normal human user.

Real-time behavioral profiling and threat engagement techniques are critical to effective bot mitigation. Behavioral profiling looks at large volumes of contextual data, monitoring every request live from every user to characterize their behavior and map their intent. By seeing more transactions, the system can recognize a broader pattern much faster and automatically craft a complex behavioral signature to block the attack in real time. In addition to behavioral profiling, advanced threat engagement techniques, such as IP fingerprinting, interrogation, and tarpitting, help shed light on the “user’s” intent.

Take a Proactive Approach

While the Shellshock vulnerability may still be active for many years to come, the best way to protect yourself and organizations is to implement proper patch management into security plans and ensure that your bot defenses are optimized. Cybercriminals are getting smarter, and the next Shellshock may be on its way. But if you take a proactive approach to your security, you won’t be scrambling to implement quick fixes.

Original Post URL: https://www.darkreading.com/attacks-breaches/why-shellshock-remains-cybersecurity-threat-after-9-years

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Joas Antonio
ChatGPT for Cybersecurity by Joas Antonio dos Santos – malwareanalysis #reverseengineering
ChatGPT for Cybersecurity by Joas...
CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

CASOS DE USO APLICABLES EN UN SIEM
CASOS DE USO APLICABLES EN...
IGNITE Technologies
Burp Suite for Pentester
Burp Suite for Pentester
The Institute of Internal auditors
Auditing Risk Culture
Auditing Risk Culture
DevSecOps Guide
ATTACKING PHP APPLICATIONS
ATTACKING PHP APPLICATIONS
DevSecOps Guide
ATTACKING KUBERNETES WITH SECURITY BEST PRACTICE
ATTACKING KUBERNETES WITH SECURITY BEST...
CLTC WHITE PAPER SERIES
Guidance for the Development of AI Risk and Impact Assessments
Guidance for the Development of...
Active Directory
Active Directory IT AuditChecklist
Active Directory IT AuditChecklist
A guide to business continuity planning
A guide to business continuity...
LOG RHYTHM
Using MITRE ATT&CK™ in Threat Huntingand Detection
Using MITRE ATT&CK™ in Threat...
Kaspersky
H2 2023 – A brief overviewof main incidentsin industrial cybersecurity
H2 2023 – A brief...
Andrey Prozorov
24 Great Cybersecurity Frameworks
24 Great Cybersecurity Frameworks
ENISA-EUROPA
SEGURIDAD DE TELECOMUNICACIONES
SEGURIDAD DE TELECOMUNICACIONES

More Latest Published Posts

SF-ISAC
Digital Operational Resilience Act
Digital Operational Resilience Act
SYNGRESS
DIGITAL FORENSICS WITH Open Source TOOLS
DIGITAL FORENSICS WITH Open Source TOOLS
IT REVOLUTION DEVOPS ENTERPRISE FORUM
DevOps Automated Governance Reference Architecture
DevOps Automated Governance Reference Architecture
SANS GIAC CERTIFICATIONS
Detecting Attacks on Web Applications from Log Files
Detecting Attacks on Web Applications from Log Files
EUROPEAN DATA PROTECTION SUPERVISOR
ANNUAL REPORT 2023
ANNUAL REPORT 2023
TechTarget
IT Disaster Recovery Plan Template
IT Disaster Recovery Plan Template
Opstune
IOC Scan Framework v2.0
IOC Scan Framework v2.0
Federal Office for Information Security
Indirect Prompt Injections
Indirect Prompt Injections
the Department of the Environment Climate and Communications
Guidelines on CyberSecurity Specifications
Guidelines on CyberSecurity Specifications
Edelman
INCIDENT RESPONSE REFERENCE GUIDE
INCIDENT RESPONSE REFERENCE GUIDE
Security METRICS
Security Metrics Guide to PCI DSS Compliance
Security Metrics Guide to PCI DSS Compliance
SOC TIPS Cybersecurity
Guia de Resposta a Incidentes de Segurança para LGPD
Guia de Resposta a Incidentes de Segurança para LGPD
CDCP
FIREWALL Audit CHECKLIST
FIREWALL Audit CHECKLIST
GitGuardian
Secrets Management Maturity Model
Secrets Management Maturity Model
MegaCorp One
Sample Penetration Test Report
Sample Penetration Test Report
FORTINET
Routing in FortiGate
Routing in FortiGate
FUTURE OF PRIVACY FORUM
Risk Framework Body Related Data (PD) Immersive Tech
Risk Framework Body Related Data (PD) Immersive Tech
ENISA
Remote ID Proofing Good Practices
Remote ID Proofing Good Practices
Google
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Red Canary
Threat Detection Report 2024
Threat Detection Report 2024
HADESS
Pwning the Domain Persistence
Pwning the Domain Persistence
Australian Goverment
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
CISC (Comité Internacional Sobre Ciberseguridad)
Política Nacional de Ciberseguridad 2023-2028
Política Nacional de Ciberseguridad 2023-2028
Google
Perspectiveson Securityfor the Board
Perspectiveson Securityfor the Board
HADESS
OSINT Method for Map Investigations
OSINT Method for Map Investigations
CCN-CERT
Observatorio Riesgos Ciberseguridad 2024
Observatorio Riesgos Ciberseguridad 2024
CYBERTHEORY
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
FORTINET
Bloking Malware Through Antivirus Security Profile in FortiGate
Bloking Malware Through Antivirus Security Profile in FortiGate