Getting past the Shellshocker Cyber Threat with Privileged Identity Management

By Yair Sade

At this point, you’ve probably heard of the newest cyber threat to hit the Internet – the Shellshock bug. Said to be a more serious vulnerability than Heartbleed, Shellshock has been lurking in the massively popular software package Bash, a command line interpreter, or shell, that provides a powerful, flexible way to run commands on a computer. A highly stealthy vulnerability, Shellshock went undetected in Bash for more than two decades, which makes it yet another factor that advanced persistent threats can build on.

How serious is this? Bash is a standard, free tool on all UNIX-based operating systems and on Apple’s OS X. One of the largest industries to rely on UNIX-based systems is the energy sector, whose SCADA and industrial control systems are largely built on this technology. Additionally, Bash is widely used on simple Internet-connected devices, meaning that not only servers can be compromised but also home routers, IP cameras … think in terms of the Internet of Things.

What does Shellshock do? In a nutshell, it allows attackers to execute code remotely, leaving organizations susceptible to unauthorized processes or commands on target machines. This type of ‘open door’ is the ideal entry point for a classic advanced persistent threat.

What can you do to defend against such a zero-day? A zero-day is limited to one piece of technology, that is, to the machines that run the affected technology. From there, the attacker needs to find other ways to jump beyond the reach of the zero-day. Focus on privileged account security, so that any attack is limited in scope and damage: cut off an attacker’s ability to move laterally from an affected machine to others in the network.

From a privileged account security perspective, here’s what we recommend:

1. Harden UNIX servers: Since Shellshock targets UNIX machines, organizations should harden their servers. This can be done by implementing a ‘least privilege’ strategy and preventing unlimited root shell access. CyberArk On-Demand Privileges Manager enables companies to remove unnecessary root privileges, while tightly controlling or restricting shell capabilities when needed. This means that only authorized commands can be run, rather than commands injected by an attack such as Shellshock.

2. Monitor privileged account behavior: Exploited zero-day vulnerabilities most often lead to privileged credential theft as a way to move beyond the vulnerable machine. To identify this lateral movement, organizations should monitor privileged accounts for irregular behavior. CyberArk Privileged Threat Analytics provides targeted, immediately actionable threat alerts by identifying previously undetectable malicious privileged user and account activity.
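The two recommendations above, a per-account allow-list of authorized commands (least privilege, no unrestricted root shell) and monitoring of privileged activity for irregularities, can be illustrated in one small script. The following is an added example written for this post; it is not CyberArk code and does not describe how the products mentioned work. It parses constructed sudo log lines in syslog format, checks each elevation against a hypothetical policy, and flags commands outside the allow-list, root shell invocations, and elevations from accounts (such as a web-server service account) that should never elevate at all. Account names, hostnames, paths and the policy are all invented for the example.

```python
import re

# Constructed sample sudo log lines (syslog style); not taken from any real system.
SAMPLE_LOG = """\
Sep 25 10:01:12 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service httpd restart
Sep 25 10:03:40 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/httpd/error_log
Sep 25 10:07:02 web01 sudo:   apache : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash -c id
Sep 25 10:07:05 web01 sudo:   apache : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/ssh db01
Sep 25 10:09:11 web01 sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

# Hypothetical least-privilege policy: each privileged account may elevate only
# for the binaries its role needs. The "apache" service account is deliberately
# absent, because a web server should never elevate to root.
ALLOWED_COMMANDS = {
    "alice": {"/usr/sbin/service", "/bin/cat"},
    "bob": {"/usr/sbin/service"},
}

# An unrestricted root shell is exactly what the hardening step forbids.
SHELL_BINARIES = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/bin/dash", "/bin/zsh"}

# Matches the sudo log format shown in SAMPLE_LOG.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line):
    """Return a dict for a sudo log line, or None if the line is not a sudo event."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["binary"] = event["cmd"].split()[0]  # first token is the executable
    return event


def evaluate(event, policy=ALLOWED_COMMANDS):
    """Return the list of policy findings for one parsed sudo event (empty if clean)."""
    findings = []
    user, binary = event["user"], event["binary"]
    if user not in policy:
        findings.append("account not authorized to elevate")
    elif binary not in policy[user]:
        findings.append("command outside allow-list")
    if binary in SHELL_BINARIES:
        findings.append("unrestricted root shell")
    if event["tty"] == "unknown":
        # No controlling terminal: the caller is a process, not an interactive admin.
        findings.append("no controlling terminal (non-interactive caller)")
    return findings


def scan(log_text, policy=ALLOWED_COMMANDS):
    """Scan a block of log text and return one alert per event that violates policy."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event is None:
            continue
        findings = evaluate(event, policy)
        if findings:
            alerts.append({"ts": event["ts"], "user": event["user"],
                           "cmd": event["cmd"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['user']}: {alert['cmd']} -> {', '.join(alert['findings'])}")
```

Run against the sample, the two `alice` events pass and three alerts are raised: both `apache` elevations (a service account that should never reach root, invoked without a terminal) and `bob` opening a root shell outside his allow-list. In practice the policy would come from the sudoers or privilege-management configuration and the log lines from the central syslog collector, so the same check runs across all hosts rather than on one machine.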

If you are concerned about your UNIX environment and the impact Shellshock might have on your organization, we can help you.