Shellshock Bug Back And Stronger Than Ever

IBM Managed Security Services identifies poor server patching as the reason for the bug’s survival

The Shellshock security flaw simply won’t go away, with a recent surge in attacks using the exploit identified by IBM Managed Security Services.

Despite being discovered two years ago, Big Blue’s cyber security division has data that suggests the threat of Shellshock is still prevalent, with 7,500 Shellshock security events recorded for August alone.

IBM’s data noted that there has been a 26 percent rise in Shellshock activity this year than in 2015, with attacks being targeted at US companies

These companies predominately included firms in the information and communications sectors, such as telecoms companies and those that provide computer programming and consulting services. IBM said that was to be expected as many of the major organisations in the sector run Linux-based systems in their IT infrastructure and environments, which exposed them to the Shellshock flaw.

Shellshock lives

Software BugIBM highlighted that according to its data, Shellshock has had a far larger impact than the Heartbleed bug identified in the OpenSSL cryptography library back in April 2014.

“Although a formidable threat when it first surfaced — IBM MSS data revealed over 1.8 million Heartbleed-based attacks by the end of the first month — Heartbleed failed to exhibit the same staying power as its system-crippling cousin, Shellshock,” said Michelle Alvarez, threat researcher at IBM Managed Security Services.

The persistence of Shellshock, according to Alvarez, is down to companies not applying rigorous patching programmes to squash the bug, which leaves them vulnerable to the exploit and hackers seeking a backdoor into a targeted company’s data.

“Like stains, some cyber threats are persistently visible, and Shellshock seems bent on sticking around,” said Alvarez.

“So how do you address this issue? Apply the appropriate update for your system. Failure to apply patches and fixes leaves your organisation at risk of Shellshock attacks. Timely patch management is vital in organisations of any size. However, depending on the complexity of your environment, this is easier said than done.”

Other companies like Ikea, stand as good examples to follow when it comes to addressing major bugs, as the Swedish furniture giant methodically upgraded all of its servers to patch against Shellshock.

Are you an expert on cyber security? Take our quiz to find out!