The latest epic attack that has everyone’s attention is Shellshock (Bash Bug). In this blog, we’ll provide Click’s take on the vulnerability – as well as what we have done to augment Click Commander’s ability to detect it with Real-time Security Analytics.
Yesterday’s US-CERT announcement identified “shellshock” vulnerabilities involving OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, and dhcpd. Shellshock allows attackers to run arbitrary shell commands on a vulnerable machine. From there, further attacks can easily be performed, including denial-of-service attacks that open the door to subsequent login-credential guessing. To learn more about the vulnerability, see CVE-2014-6271.
Has the vulnerability actually been exploited? Absolutely. Attempts have been made across the internet where attackers crafted custom web requests and sent those to Internet-facing web servers to either verify a vulnerability, or exploit the target immediately.
How did Click get on the scent? The first clue surfaced by Click Commander was a Rare Event analytic alert – which notified our analyst that a Data Mining Unit (DMU) indicator of compromise had fired – and one that had never fired before. A small example perhaps, but an example nonetheless, of how our system works to surface “disturbances in the force” that usually go unnoticed. Even more interesting, before the Rare Event analytic fired, a BroNotice event indicating an HTTP Header Anomaly fired. The header’s values fell out of range of our “baseline” of HTTP headers. At this point, we had two analytics fingering the same “needle in the haystack”.
With a little Click Labs research, we learned that while Shellshock can use multiple attack vectors, attacking through the HTTP protocol is the most common, like this:
- Locate a web server running the mod_cgi or mod_cgid module with CGI scripts that invoke Bash
- Trigger the Bash vulnerability through the setting of environment variables (CGI passes request headers to the script as environment variables)
- Issue commands immediately following the setting of an environment variable.
The commands of choice are, of course, limited to those available on the affected web server. So far, commands including Internet connectivity checks, file reading / writing, and issuing separate web commands (new HTTP requests) have been observed.
With this knowledge, Click Labs quickly developed a new analytic that focuses on HTTP protocol anomalies – one that surfaces even more indicators of compromise presented by commonly used event sources.
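To make the HTTP-vector detection concrete, here is an added example (not Click Commander’s analytic and not code from the original post) that scans constructed request headers for the CVE-2014-6271 function-definition pattern, weights hits against CGI targets, and tracks whether an indicator has been seen before, mirroring the Rare Event idea; the sample requests, the CGI path heuristic and the severity labels are assumptions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# CVE-2014-6271 trigger: an environment variable whose value starts with a Bash
# function definition "() {" and carries trailing commands after the closing brace.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample of parsed HTTP requests as a log pipeline might deliver them.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "path": "/cgi-bin/status.cgi",
     "headers": {"User-Agent": "() { :; }; /bin/true", "Host": "www.example.test"}},
    {"src": "198.51.100.7", "path": "/index.html",
     "headers": {"User-Agent": "Mozilla/5.0", "Referer": "https://www.example.test/"}},
    {"src": "203.0.113.9", "path": "/cgi-bin/ping.cgi",
     "headers": {"Cookie": "session=() { ignored; }; id", "Host": "www.example.test"}},
]


def find_shellshock_headers(request: Dict) -> List[str]:
    """Return the names of headers whose values carry the CVE-2014-6271 pattern."""
    return [name for name, value in request["headers"].items()
            if SHELLSHOCK_RE.search(value)]


def is_cgi_path(path: str) -> bool:
    """Assumed heuristic: the request targets something likely to invoke a CGI script."""
    return path.startswith("/cgi-bin/") or path.endswith((".cgi", ".sh", ".pl"))


def triage(requests: List[Dict], seen: Optional[Set[Tuple]] = None) -> List[Dict]:
    """Alert on pattern hits; CGI targets rate high, and a never-seen (path, headers)
    combination is flagged first_seen so a rare-event rule can pick it up."""
    seen = set() if seen is None else seen
    alerts = []
    for req in requests:
        hits = find_shellshock_headers(req)
        if not hits:
            continue
        key = (req["path"], tuple(sorted(hits)))
        alerts.append({
            "src": req["src"], "path": req["path"], "headers": hits,
            "severity": "high" if is_cgi_path(req["path"]) else "medium",
            "first_seen": key not in seen,
        })
        seen.add(key)
    return alerts
```

Running `triage(SAMPLE_REQUESTS)` flags the two CGI requests as high severity and leaves the ordinary browser request alone.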
Heartbleed was a good one. ShellShock is even better. Is this the last one? You know the answer. But this is another example of how Click Commander provides a rapid analytics deployment solution that not only adapts to new attack vectors (or, more accurately, a very old one that is newly exposed), but can also be tied to other analytics so that dangerous actors are exposed quickly with far less chance of a false positive.
Perhaps best of all, though, is how Click Commander made it incredibly easy for an analyst to take publicly presented indicators and search our data cache for relevant activity. It was super fast to determine whether we had ever seen these indicators before. That is big value for analysts who are usually too swamped to achieve this level of analysis and action at all, let alone fast!