Blog

Bashed and Shellshocked: Early Reports of Exploitation in the Wild

Posted: 25th September 2014
By: MATT KODAMA

Lots of IT security teams are at work right now to patch the Shellshock vulnerability (CVE-2014-6271) ASAP – while keeping an eye on their threat intelligence sources for exploitation in the wild. And the reports are coming in…

One of the first reports via GitHub identified the IP 162.253.66.76 as the source of suspicious activity. We took a quick look in our OSINT archive, using Maltego, to make an initial assessment. Pentester scanning? Malicious? Looks like the latter.

shellshock-maltego-assessment-1.png

Looked at on a Recorded Future timeline, the reporting involving suspicious activity and blocking of this IP address date back to early September.

shellshock-associated-ip-timeline.png

Here’s the view a few hours later, when many other authors on the web were linking this IP address to Shellshock.

shellshock-maltego-assessment-2.png

Time to patch!

Related