3

The Shellshock vulnerability was about 25 years old when it was publicly announced. Has there been any evidence of it being exploited in the wild before its "official" public announcement?

André Borie

2 Answers

2

In summary, no, there are no official reports of shellshock being used prior to its disclosure. Although, that certainly doesn't confirm the negative.

From the Sydney Morning Herald

Whether intelligence agencies or others knew of its existence remains unclear and is unlikely to be confirmed. But Ty Miller, of Sydney firm Threat Intelligence, noted reports that the US government allegedly knew about the Heartbleed vulnerability for many years before it was discovered.

"I would be amazed if governments haven't known about and exploited systems with Shell Shock for years," he said.

From Heartbleed

Can I detect if someone has exploited this against me?

Exploitation of this bug does not leave any trace of anything abnormal happening to the logs.

Has this been abused in the wild?

We don't know. Security community should deploy TLS/DTLS honeypots that entrap attackers and to alert about exploitation attempts.

So, as far as I know, there is no evidence of the state using Heartbleed before its disclosure, even though it is widely known that they knew of its existence.

However, that the state may or may not have known about the vulnerability is where the comparison ends. Shellshock does leave a log trace. However, once owned, logs are trivial to wipe.

Wikipedia Shellshock

Within an hour of the announcement of the Bash vulnerability, there were reports of machines being compromised by the bug. By 25 September 2014, botnets based on computers compromised with exploits based on the bug were being used by attackers for distributed denial-of-service (DDoS) attacks and vulnerability scanning

Obviously exploits were created after the release of CVE-2014-6271 (Shellshock), but it is impossible to tell how much administrator awareness contributed to Shellshock's blame for their compromise. If I were malicious, and had a tool like Shellshock in my hands, that is not something I would be using frivolously. It's not the kind of vulnerability that a malicious actor wants noticed. I would certainly wipe the logs. But if knowledge is already out there, and scripts and vulnerability scanners are widely available, covering tracks becomes less important... or maybe someone hasn't given them a script to do that.

But, Stephane Chazelas should have the last word: How did you find shellshock?

In any case, I didn't find the bug by observing exploits, I have no reason to believe it's been exploited before being disclosed (though of course I can't rule it out). I did not find it by looking at bash's code either.

flerb
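The answer above notes that Shellshock, unlike Heartbleed, does leave a log trace. The following scanner is an added example (not code from the original answer or from any project mentioned on the page) showing what that trace looks like and how a defender would look for it. It assumes the web server writes the Apache/nginx "combined" log format, which records the Referer and User-Agent request headers; the log lines it scans are constructed for this example, with a harmless `echo` in place of a real command.

```python
"""Scan combined-format access-log lines for Shellshock (CVE-2014-6271) probes.

Added example, not from the original answer. Assumes the "combined" log
format (Referer and User-Agent are logged); the sample lines are constructed.
"""
import re

# Combined log format:
#   host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A Bash function definition passed through the environment starts with "() {".
# That marker in any logged request header is the trace a Shellshock probe
# leaves behind. Whitespace is tolerated because probes vary it.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Constructed sample log: one normal hit, two probes, one normal hit.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:15:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:15:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 45 "-" "() { :; }; echo shellshock-probe"
198.51.100.7 - - [25/Sep/2014:10:15:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 45 "() {:;}; echo probe" "curl/7.37.0"
192.0.2.9 - - [25/Sep/2014:10:16:00 +0000] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""


def find_shellshock_probes(log_text: str) -> list[dict]:
    """Return one record per log line whose logged headers carry the marker."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # malformed line; a real scanner would count these separately
        # Check the fields an attacker controls and the server actually logs.
        for field in ("referer", "agent", "request"):
            if SHELLSHOCK_MARKER.search(m.group(field)):
                hits.append({
                    "line": lineno,
                    "host": m.group("host"),
                    "field": field,
                    "value": m.group(field),
                })
                break  # one record per line is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} via {hit['field']}: {hit['value']!r}")
```

Two caveats follow directly from the discussion above. First, only headers the server writes to its log are visible here; a probe carried in a header the combined format does not record (a Cookie or a custom header, for instance) leaves nothing in this file, which is why detection at the CGI or IDS layer is also needed. Second, as the answer says, once a host is owned the log is trivial to wipe, so the absence of a hit is not evidence of the absence of a probe; a copy of the log shipped off-host before compromise is what makes this check meaningful.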
0

There are no official reports of it being used in the wild. As the exploit was available for 25 years, it's very probable that nation-state actors were aware of this vulnerability. However, since it would be nation-state actors that used the exploit, they wouldn't leave much evidence behind.

  • I agree that we haven't come across any evidence / reports of its use in public. But "nation states wouldn't leave much evidence behind"? They do have a lot of resources, no doubt. As digital forensics improved, I'm sure they had to update their opsec; but did they have such opsec all the time? I'd say no. Even today, I'm sure they try not to leave evidence behind, but do they succeed all the time? I don't think so (yes, it's just an opinion - so probably not a good basis for debate) :) – Sas3 Aug 06 '17 at 05:11