Bash and Shellshock Exploit
Short video showing how to detect if you are vulnerable to Shellshock and how Unified Security Management (USM) can help.
Hey Aliens. Garett here, joining you from the studio; just got done cutting the latest Spinal Tap record. Listen, I know there’s a lot of questions, maybe even some confusion, surrounding the whole Shellshock Bash exploit, so I thought I’d reach out and help. Uh, what is Bash? Well, Bash is the most common command line utility found in the majority of Linux, Unix and Mac OS distributions. In fact, if you take a look at the terminal windows above my head, those are using Bash.

What’s the exploit? Well, the exploit, much like a SQL injection or a cross-site scripting attack, allows an attacker to run, uh, malicious code in line with the calls made to the Bash shell. So, are you vulnerable? Well, if you have any externally-facing Linux, Unix or Mac OS servers, quite possibly. Uh, do you have web applications that are making calls to the Bash shell? Probably. So, make sure you get patched.

Now, if you take a look above, there’s actually a really simple test you can do. You see this, uh, Gigros 1 deviant box. I’m going to run this test. It’s going to echo back that Bash is vulnerable because you can see that it’s passing this, uh, this echo right after the definition variable. Now, if I run this on a box that has been patched, “Bash is vulnerable” is not echoed, letting us know that this box is not going to be susceptible to the Shellshock Bash Exploit.
Alright. Uh, let’s have a look at how the Shellshock Bash Exploit presents itself within USM. Real quick though, I want to talk about what makes AlienVault so special. Um, anyone can stand up a series of security tools, uh, intrusion detection, intrusion prevention, a SIEM, a firewall, but for anyone who’s ever had to set up and configure those, that’s not really the hard part. The hard part is making sense of all this incoming data. Well, we do that for you. Um, while the world was kind of, you know, freaking out about the whole exploit, our labs team was hard at work building these correlation directives to help you spot this type of exploit within the tool itself.
So, what I’m going to do is log in to the AlienVault USM. We’re gonna go take a look at our alarms page and we can see there’s, there’s no alarms there, uh, but it’s listing here by the kill chain taxonomies: system compromise, exploitation and installation, delivery and attack, reconnaissance and probing, probing or just some environmental awareness. Now, what I’m gonna do is I’ve got this really great packet capture from our labs team that basically simulates the Shellshock Exploit and I’m going to run that against Suricata, which is our network IDS. Ok, so we’ve given it some time to collect. Let’s have a look at our alarms page. Sure enough, we have some activity. Uh, you can see a series of alarms that have been fired off here. We have an exploitation and installation service exploit, related to the Shellshock vulnerability. And we have a reconnaissance and probing service exploit related directly to the Shellshock vulnerability. We can pull it apart here and see the attack pattern, on this one external to external, one to one. Then finally we have our activities classified as our suspicious behavior, Trojan connected to a low reputation C&C server. So, what it looks like is that we’ve been scanned for the vulnerability, found out that we had it, it’s been exploited and now they’ve used that, uh, vulnerability to install a Trojan that is now communicating to a command and control server.
Now, what’s cool about this is if you can see this IP address, it’s got this bull’s eye next to it. What that tells you is that this IP address has a reputation in our Open Threat Exchange. By clicking on that, it brings us to this threat details which tells us blacklist, domains that it’s associated with, uh, is it actively malicious or not, when’s the last time we saw it, what’s the, the type of threat this is. Scroll down a little bit, we get a little bit more information about the threat itself, mainly its rate of occurrence. So it really gives you a global perspective, and, you know, lets you know if any known bad hackers are out there attacking you.
So, again, the security community is still trying to figure out the breadth of this vulnerability, but hopefully, watching this, uh, demo, shows you how easy it is to detect activity, uh, that we’re doing the heavy lifting for you by writing these correlation directives and, you know, giving you more time back in your day to actually do your job.
Uh, as always, thank you for your time and if there’s anything else that we can help you out with, don’t hesitate to reach out: [email protected].
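
The local check described in the video (an echo placed right after a function definition in an environment variable), written out as an added example; it is not part of the original transcript and not AlienVault's code. The function names `check_bash` and `audit_shells`, the variable name `probe` and the marker string are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the video): local self-test for the Bash flaw
# described above. check_bash, audit_shells and "probe" are made-up names.

# check_bash BIN -> 0 = vulnerable, 1 = not vulnerable, 2 = BIN not runnable
check_bash() {
    cb_bin=$1
    [ -x "$cb_bin" ] || return 2
    # Constructed marker, so unrelated output cannot cause a false positive.
    cb_marker="PROBE_MARKER_$$"
    # The variable holds a function definition followed by a trailing echo.
    # A vulnerable bash runs the trailer while importing its environment;
    # a patched bash never executes it.
    cb_out=$(env -i probe="() { :;}; echo $cb_marker" "$cb_bin" -c ':' 2>/dev/null) || true
    case $cb_out in
        *"$cb_marker"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_shells: test every bash listed in /etc/shells plus the one on PATH.
# Returns 0 when none is vulnerable, 1 otherwise.
audit_shells() {
    as_bad=0
    for as_bin in $( { grep -E '^/.*/bash$' /etc/shells 2>/dev/null; command -v bash; } | sort -u ); do
        as_rc=0
        check_bash "$as_bin" || as_rc=$?
        case $as_rc in
            0) echo "$as_bin: VULNERABLE, patch bash"; as_bad=1 ;;
            1) echo "$as_bin: not vulnerable" ;;
            *) echo "$as_bin: skipped (not executable)" ;;
        esac
    done
    return $as_bad
}

audit_shells
```

The check only covers the bash binaries on the host it runs on; web applications and services that call those binaries are exposed through them, so a "VULNERABLE" line means the package needs patching.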