John Graham-Cumming, lead programmer at CloudFlare, and CrowdStrike President Shawn Henry explain how hackers are exploiting the Shellshock security flaw
Hackers are bombarding computers to test whether they’re vulnerable to the Shellshock security hole that had lain dormant for two decades until last week, sparking a race by companies to protect their data.
Researchers who set up bait computers to monitor attacks said hackers almost immediately began planting malicious software that would allow them to create networks of infected computers. Network security company CloudFlare Inc. said it’s tracked about 1.5m attempts and test probes each day.
“They’re doing a first round of reconnaissance and we’re waiting to see if they come back later and do a round of targeted attacks,” said Jason Trost, director of research for ThreatStream, a computer security company also monitoring the activity. “I would guess it will be within a week or two.”
Software makers like Red Hat Inc. are implementing patches for a piece of software called Bash, one of the most widely installed programs on Linux systems and the main technology affected by Shellshock. Companies including AppleInc. have incorporated the open-source program into their products, meaning a hole could leave millions of computers and devices vulnerable in an instant.
“There are probably a bunch of services and devices” at risk, said Jaime Blasco, the director of AlienVault Labs, who also helped arrange a project to bait hackers with so-called honeypots. “In the next few days and weeks we’ll see more as people start finding out which other devices and software are vulnerable.”
Read more: Shellshock bug: everything you need to know