MSSPs Tracking Shellshock Attacks, FireEye Uncover NAS Systems Assault

Attackers are probing for network-attached storage systems that may be vulnerable to the Bash vulnerability, according to security vendor FireEye, which said on Wednesday it observed attacks against NAS users in the U.S., Japan and Korea.

FireEye warns organizations to identify vulnerable NAS systems and implement measures to detect and block attempts to exploit them. If the Shellshock attacks are successful, attackers gain complete control of the system and can view, modify and steal the data, according to James Bennett, a FireEye threat researcher.

So far the attacks have been against NAS systems on open networks at universities and research institutions, but Bennett warned businesses will also face a high degree of probing for weaknesses.

[Related: Shellshocked: Cisco, Juniper Among Vendors To Issue Emergency Security Updates]

"Based on the sheer number of devices which run an embedded Linux OS and the time-to-patch window, we feel the potential for wide-scale compromise of network-connected personal and business data storage systems is very high at this time," Bennett wrote in his analysis of the threat. "As many smart- or connected-devices utilize similar set-ups, this represents one of the first in the wild Shellshock attack against IoT-type devices."

The FireEye analysis of the attacks targeting the NAS systems also included a key threat indicator that system administrators can use to determine if an attack against a vulnerable NAS system was successful in coppying the SSH key, giving criminals future access to the system. NAS storage devices from QNAP, Synology and other manufacturers are impacted by the vulnerability.

Security vendors have issued signatures to identify and block active scans and exploits targeting Linux, Unix and Mac OS X systems that remain vulnerable to the widespread Shellshock Bash vulnerability. Solution providers tell CRN that some of the protection is causing a high number of false positives, resulting in organizations using alternative measures, including manual workarounds to block systems from attacks.

The security flaws associated with Shellshock impact a wide variety of systems and servers, routers, switches, VPN appliances, gateways, firewalls and other networking gear. Security vendors have made patches available, but some firms, including Cisco Systems, Juniper Networks, Oracle, Fortinet and Sophos are still actively developing and testing patches that adequately address all the identified vulnerabilities.

VMware issued a critical security update Tuesday night beginning with its vCenter Log Insight and Wednesday for its ESX hypervisor and vCenter Server Appliance.

Dell SecureWorks said this week it blocked as many as 140,000 Bash attacks and scans against systems between Sept. 24 and Sept. 29.

Solutionary has also identified attacks with the vast majority of threats being detected by appliances that support Snort signatures, the open-source intrusion detection and prevention system that is at the core of Cisco Sourcefire appliances. Signatures are available to detect attacks from nearly every security and networking vendor, including HP-Tippingpoint, IBM, Fortinet, Juniper Networks, Palo Alto Networks and other IDS/IPS appliances and next-generation firewalls.

Solution providers update networking gear filters and implement established rules to detect and block specific issues, said Brad Taylor, president and CEO of Irvine, Calif.-based managed security service provider, Proficio, which is also detecting and blocking attacks for its clients.

"If we are not managing a client's IDS or next-generation firewalls, we always recommend that our customers let us update their correlation rules to allow us to take emergency action when these types of activities are detected," Taylor said.

Security vendor Zscaler observed an attack shortly after the Bash vulnerability was reported last week and identified malware that was able to collect system information and perform denial of service attacks. Attackers can also open up a backdoor connection to perform just about any kind of attack once the Bash vulnerability is successfully exploited, according to Zscaler.

Much of the attack traffic is looped through the TOR anonymous proxy servers as well as compromised systems making the true origin of attacks difficult to discern, according to security vendor Trustwave, which contributes and uses data from Project Honeypot service to document threats.

PUBLISHED OCT. 1, 2014