Solutionary performed a broad analysis of the threat landscape, which unearthed several key findings. They identified several campaigns targeting the bash vulnerability during the latest quarter – more than 600,000 events from 138 countries.
The identified campaigns include Hidden C, China Z, Lucky Socks and the QNAP worm, designed typically to set up larger botnets under the control of the attacker and establish backdoors to systems to allow access to contents or further compromise.
Among other highlights, Solutionary analysis found that the United States and China were the leading sources of command and control traffic, with 21 and 20 percent of the share. Additional research found that 48 percent of the top 25 hostile non-U.S. IP addresses are “Bruteforce” repeat offenders.
“The high volume of reconnaissance activity indicates a precursor of what’s to come,” said Rob Kraus, director of security research and strategy, Solutionary. “Cybercriminals are preying on existing vulnerabilities, including Shellshock, to plan future attacks. Despite the flurry of data breaches and targeted attacks, enterprises are failing to practice good security hygiene to mitigate and prevent similar attacks.”
Shellshock still alive and well
Shellshock was targeted more at education (38 percent) than at technology (17 percent), healthcare (six percent), finance (five percent) and manufacturing (five percent) combined. Overall, 600,000 events of Shellshock activity were discovered in 138 countries, originating from more than 25,000 IPs and 2,027 different service providers.
U.S. edges out China for share of command and control traffic
The U.S. and China led all countries in malicious command and control traffic, with 21 percent and 20 percent respectively.
Bruteforce activity dominating the field
From the top 25 hostile non-U.S. repeat IP addresses, “Bruteforcers” accounted for 48 percent of all malevolent activity. Solutionary saw a relatively large amount of SSH brute force attempts that targeted SSH usernames and passwords, often on systems that did not have “maximums” set. Successful brute forcing in this case could allow assailants to copy files, create directories, download content from remote sites and more.
The largest single source of malware threats, representing almost 46 percent of all malware, originated from the U.S. China and Ukraine followed with 26 percent and 12 percent, respectively, and Japan leapt up 14 places to fifth on the list.
New non-U.S. attacks, China still on top
Of the top 25 hostile non-U.S. repeat IP addresses, China accounted for 32 percent of total foreign attacks, followed by Germany (12 percent) and Hungary, France and Ukraine with eight percent, each.