One of the latest cyber attack incidents making headlines across the world is the ‘Mayhem’ botnet malware, which targets web servers that haven’t been patched for the recently disclosed vulnerabilities in the Bash shell on Linux. (http://www.computerworld.in/news/linux-botnet-mayhem-spreads-through-shellshock-exploits)
Lucas Zaichkowsky, Enterprise Defense Architect at AccessData, provides enterprises with insight into Mayhem and recommendations on how they can protect themselves.
Why should enterprises be worried about the Mayhem botnet malware being adjusted to take advantage of Shellshock?
Externally facing servers vulnerable to the Shellshock exploit kit will become infected with Mayhem, providing the attacker with several functions they can use to steal sensitive information such as passwords, users’ personal information, and credit card data. Additionally, infected servers can then be used to scan internal systems, enabling the attacker to quickly move laterally, dropping other backdoors that will ensure they have persistent access and steal from internal systems. In a targeted attack scenario, attackers will move quickly to steal privileged user accounts and progress through the internal network. For example, they might use Shellshock to compromise a web server that isn’t considered sensitive, but they will use that as the source of their initial hacking activity, already behind perimeter defenses.
What steps can organizations take to ensure their Linux machines aren’t affected by the attack?
Companies should immediately set up network intrusion detection systems to detect attacks and enable logging that would allow them to record exploitation. That will allow them to know if they’ve been attacked. After that, they should scan everything exposed to the internet for this vulnerability, then apply mitigating controls or patches. After that, they should waste no time scanning internal systems for vulnerable software. It’s trivial for attackers to gain entry to an internal system at which point vulnerable internal systems could be exploited.
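A defensive check for the logging step described above, added here as an example and not part of the interview or of any AccessData tooling: it scans web server access log lines (assumed to be in Apache "combined" format; the sample lines and IP addresses are constructed) for the Bash function-definition prefix that Shellshock exploitation attempts place in HTTP headers, and reports which field carried it so the hit can be triaged.

```python
import re
from typing import Dict, List

# Shellshock (CVE-2014-6271 family) attempts smuggle a Bash function
# definition into an HTTP field that a CGI handler exports as an
# environment variable. The tell-tale prefix is "() {", with optional
# whitespace, which is also what NIDS signatures for Shellshock key on.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# A quoted log field: Apache escapes embedded double quotes as \", so the
# field pattern must accept escaped characters or such lines are missed.
_Q = r'(?:[^"\\]|\\.)*'
# Apache "combined" format (assumption about the server's log layout).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>' + _Q + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _Q + r')" "(?P<ua>' + _Q + r')"$'
)

# Constructed sample lines (documentation IP ranges, harmless commands).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :; }; /bin/echo \\"probe\\""',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 '
    '"() {:;}; /bin/true" "curl/7.37.0"',
]


def parse_combined(line: str) -> Dict[str, str]:
    """Split one combined-format line into named fields."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError(f"not a combined-format log line: {line!r}")
    return m.groupdict()


def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line carrying the Shellshock signature in the
    request line, Referer or User-Agent. A 200 status on a CGI path is the
    case that most warrants host-level triage; a 500 still records the attempt."""
    hits = []
    for line in lines:
        rec = parse_combined(line)  # raise on unknown layout rather than miss hits
        matched = [f for f in ("request", "referer", "ua") if SHELLSHOCK_RE.search(rec[f])]
        if matched:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "fields": ",".join(matched)})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```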
Do you think malware writers are more likely to adjust existing attacks to take advantage of Shellshock or to write entirely new pieces of malware?
We’ll see existing hacking tools, Trojans, and botnets like Mayhem exploiting Shellshock. There will also be point-and-click hacking tools written for this exploit that attackers will use in targeted attacks. Once exploited, they’ll drop customized hacking and remote admin tools, similar to a burglar carrying a backpack of equipment through an unlocked window.