Lots of IT security teams are at work right now to patch the Shellshock vulnerability (CVE-2014-6271) ASAP – while keeping an eye on their threat intelligence sources for exploitation in the wild. And the reports are coming in…
And ofcourse is this bash bug exploited in the wild https://t.co/M5ghZDoEnQ #shellshock
— () { :;}; echo TROLO (@mramsmeets) September 25, 2014
Self-propagating #shellshock worms are in the wild. Phoning home, command & control, the real deal. US-CERT ranks the severity 10/10, folks.
— Kenn White (@kennwhite) September 25, 2014
One of the first reports via GitHub identified the IP 162.253.66.76 as the source of suspicious activity. We took a quick look in our OSINT archive, using Maltego, to make an initial assessment. Pentester scanning? Malicious? Looks like the latter.
Click image for larger view
Looked at on a Recorded Future timeline, the reporting involving suspicious activity and blocking of this IP address date back to early September.
Click image for larger view
Here’s the view a few hours later, when many other authors on the web were linking this IP address to Shellshock.
Click image for larger view
Time to patch!
The post Bashed and Shellshocked: Early Reports of Exploitation in the Wild appeared first on Recorded Future.
