Shellshock is a new vulnerability that exposes millions of Linux, Unix and OS X servers to attack. The vulnerability was found in a software program called Bash, which is universally used by Internet-connected devices, like home routers, IP cameras, tablets and Android devices. Bash has been around for decades and is used primarily in servers and other hardware. Shellshock threatens 20 to 50 percent of the world’s servers supporting webpages.
Under the CVSS (Common Vulnerability Scoring System), Shellshock has a 10/10 rating for severity and a low complexity rating, meaning the vulnerability is very easy to exploit.
Cloudflare has reported seeing 10 to 15 attacks per second, mainly coming from France. Most hackers are using a reconnaissance attack that involves sending a command that makes the targeted server contact a third-party machine. The third-party machine analyzes the data and collects a list of the vulnerable machines that have contacted it. Once the hacker has verification of a vulnerable server, they can prepare to exploit the site.
Unlike Heartbleed, where hackers were able to view personal information, Shellshock can give an attacker complete control over your device. Hackers can send malicious software and steal sensitive information such as confidential reports and financial data.
News of the vulnerability has sent the cyber world into a frenzy. Security researchers are actively monitoring servers: running scripts, creating mock attacks and rolling out software updates to help fight attacks on exposed servers.
Apple has released software to fix the Bash bug and issued a statement in late September saying it doesn’t believe most of its users are affected, as OS X systems are safe by default and not exposed to remote exploits of Bash.
All anyone can do is watch for security updates, be cautious of emails requesting information or instructing you to run new software, and actively monitor servers to reduce the risk of compromise.
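One way to act on the advice to monitor servers, as an added example that is not part of the original post: a scan of web access logs for the reconnaissance probes described above. It assumes the Apache/Nginx combined log format and relies on the fact that a vulnerable Bash treats an environment value beginning with `() {` as a function definition; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# A vulnerable Bash parses an environment value that BEGINS with "() {" as a
# function definition, so the marker is only meaningful at the start of a value.
FUNC_DEF = re.compile(r"\s*\(\)\s*\{")

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation addresses, command text elided).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :; }; [command elided]"
198.51.100.7 - - [26/Sep/2014:10:01:06 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { ignored; }; [command elided]" "curl/7.30.0"
203.0.113.44 - - [26/Sep/2014:10:02:11 +0000] "GET /app.js HTTP/1.1" 200 880 "http://example.com/?cb=function(){}" "Mozilla/5.0 (Macintosh)"
"""

def find_probes(log_text):
    """Return one finding per logged header whose value begins with the marker."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # unparseable (e.g. escaped quotes); review such lines separately
        for field in ("referer", "agent"):
            # .match() anchors at the start, so "function(){}" inside a URL is ignored
            if FUNC_DEF.match(m.group(field)):
                findings.append({"line": lineno, "ip": m.group("ip"),
                                 "field": field, "status": int(m.group("status")),
                                 "request": m.group("request")})
    return findings

def sources(findings):
    """Count findings per client address to show which hosts are probing."""
    return Counter(f["ip"] for f in findings)

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for f in hits:
        print(f)
    print(dict(sources(hits)))
```

Only the Referer and User-Agent headers appear in this log format, so a probe carried in another header will not show up here; a finding with a 200 status on a CGI path deserves the first look.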
Sherpa has close to 20 years of experience developing and creating secure websites for our clients. Against all pressure to fall in line with companies jumping onto the open-source bandwagon, at Sherpa we strictly run websites and applications built on a custom-built content management system (CMS) in the Microsoft stack. The security offered by a custom-built CMS proves itself time and time again.
- Arrie Sturdivant