The Shellshock bug is the newest cyber threat to hit the internet and said to be a more serious vulnerability than Heartbleed. Shellshock has been lurking in the massively popular software package Bash, a command line interpreter, or shell, that provides a powerful, flexible way to run commands on a computer. A highly stealthy vulnerability, Shellshock has gone undetected in Bash for more than two decades.
Bash is a standard, free, tool for all UNIX-based operating systems and Apple’s OS X. One of the largest industries to rely on UNIX-based systems is the energy sector, who’s SCADA and industrial control systems are largely built on this technology. Additionally, it is widely used on simple Internet connected devices, meaning that not only can servers be compromised but also home routers, IP cameras, basically concerning, the Internet of Things.
“Shellshock allows attackers to execute code remotely, leaving organisations susceptible to unauthorised processes or commands on target machines. Zero-day vulnerabilities like this are ideal entry points for a classic advanced persistent threat,” said Dan Dinnar, Vice President for Asia Pacific at CyberArk. “Once an attacker exploits a zero-day to bypass security defences, they look for ways to jump beyond the reach of the zero-day and that is almost always by exploiting privileged accounts. Organisations need to focus on securing and monitoring activity for these accounts to limit the scope and damage of a breach by cutting off an attacker’s ability to move laterally from an affected machine to others in the network. ”
From a privileged account security perspective, CyberArk recommends:
1. Harden UNIX servers: Since Shellshock targets UNIX-based machines, organisations should harden their servers. This can be done by implementing a ‘least privilege’ strategy and preventing unlimited root shell accesses. Organisations need to remove unnecessary root privileges, while tightly controlling or restricting shell capabilities when needed. This means that only authorised commands can be run, rather than those injected by an attack, such as through Shellshock.
2. Monitor privileged account behaviour: Exploited zero-day vulnerabilities most often lead to privileged credential theft as a way to move beyond the vulnerable machine. To identify this lateral movement, organisations should monitor account activity for irregular behaviour of privileged accounts.