It's been one week since researchers discovered a vulnerability in the Bash Unix shell, exposing millions of devices to remote-code attacks by exploiting the same common chunk of code. By now, patches have been issued and most of the major systems have been secured. The bug even got its own Heartbleed-esque moniker: Shellshock. But there's still a lot that isn't clear about the bug, and what went on in the brief window in which attackers could exploit the public vulnerability on unpatched systems. Given a dangerously large window of opportunity, how much damage did Shellshock do?
The web-optimization company CloudFlare has been tracking exploits closely, and as of last night, the company says it had blocked roughly 1.1 million Shellshock attacks. More than 80% of the attacks were reconnaissance attacks designed to compile a list of vulnerable machines. Since servers using Cloudflare were protected, the chain stopped there, but it's reasonable to assume that unprotected networks were exposed to much more extensive attacks once the reconnaissance was successful. Strangely, the vast majority came from French IP addresses, although it's difficult to say whether the attackers were located there or the traffic was simply being routed through.
CloudFlare analysis of network attacks
"We have not seen [an attack]... that would make the average Macbook user hackable."
OS X also uses the Bash shell, leading to concerns that Apple hardware might be attacked en masse — but a week later, those fears have not panned out. When Shellshock emerged, Apple said that "the vast majority of OS are not at risk," and so far the research has confirmed that claim. "We have not seen proof of any attack at this time that would make the average MacBook user readily hackable," says FireEye research scientist James Bennett. "Although Bash was vulnerable, the public was not aware of any way OS X exposed Bash to attacker-supplied input with its pre-installed software." Of course, someone might still discover a vulnerability that would provide an easy way in, but with the patch already published, it's unlikely to do much damage. In the wild, the vast majority of attacks have been against web-facing servers, which were vulnerable to easily executed HTTP-based attacks. Macs didn't offer any obvious points of weakness, which seems to have convinced most attackers to focus on the servers.
The most damage came from unexpected lines of attack, like a novel attack discovered by FireEye that used Shellshock to sidestep traditional computers entirely. Instead, the attackers targeted Network Attached Storage devices (NAS), essentially a large, networked hard drive. Since the NAS devices used Bash to communicate across the network, attackers were able to access any data on the device, and append their own SSH key to the "authorized_keys" file, building in a backdoor that could be exploited later. It's an unexpected line of attack but as networks become larger and more varied, growing to include more embedded devices, it's an attack many experts expect we'll see over and over again.
The most alarming aspect is that, for successful attacks, it's hard to say how far the damage reached. For every ten reconnaissance attacks stopped by CloudFlare, there's at least one that got through, and researchers are still piecing out the net effect of all those harvested credentials and compromised systems. We may have stopped the vulnerability within a week, but the damage will likely be playing out for months or even years to come.