Saturday, October 04, 2014

Red Sky Weekly: ShellShock

On 24 September 2014, hackers and researchers began exploiting the widely publicized ShellShock bash vulnerability, described in CVE-2014-6271. The majority of the initial activity involved mass vulnerability scanning by white hats and black hats alike. Examination of scanning activity showed a peak on September 27th with a sharp decline as of September 29th. This spike and sudden decrease may be a result of what is likely wide-scale patching of the vulnerability. Alternatively, this may mark the end of exploiting the vulnerability for reconnaissance purposes and could signal a move up the kill-chain into more targeted operations.

With so many people scanning for systems affected by the bash bug (both white hats and black hats), and with the vast number of machines both vulnerable and exposed, you can see how quickly researchers might get overwhelmed trying to figure out who's white and who's black!

We took a slightly different approach. Red Sky members have been identifying the next thing: malware that will likely exploit the bug and the motivations for doing so. They have also been working to identify potential case studies where we think we'll see ShellShock pop up in efforts to create worms, run nefarious search engine optimization (SEO) schemes, and build new exploitation infrastructures.

ShellShock was definitely the topic of the week. It seems to have slowed a bit, but that could simply mean that the public has been duly desensitized by all of the press... time to move on to something else shocking...

Like this... Dealbook is reporting that ten other banks were compromised beyond those already reported. I don't have any information on that, but I'll say... the portal has been insanely busy.

BT BT

I haven't checked user stats in a while (yeah, I'm a slacker!) so this week I jumped into the admin console to see where we're at. I get this question all of the time: how many members are in Red Sky Alliance?

From an organizational perspective, it's about 35 companies. From a user perspective, we have 178 active accounts. We've created many more, but we don't leave non-participating accounts active. Out of those 178 accounts, you can see the participation below. Of course we're only starting October, and March '12 was our first month in operation, but month over month we have an average of about 90 of those users who participate. That's 51% month over month participation. What about contributors? We average about 40 unique contributors every month. Some months are more, some are less, but 40 unique contributors and 90 participants is a great number. How do the rest receive information? Some get subscriptions from the lab. Others simply 'follow' conversations in the portal, getting notifications and content when something is loaded. Others are managers. 51% month over month participation... amazing.




And what about content? As you can see below, we've got about 1500 threads going. The portal has only been active for about two and a half years, and in that time we've accumulated 1500 threads and over 1000 documents and reports, including about 300 finished intelligence or analysis reports supplied by us or by members.


Last, I thought I'd post some of the portal areas... Incident responders corner is where you go for incident response help. We keep an area called Wild Fire for those with an immediate need. Malware Samples? That's just what it says: submit a piece of malware for analysis, either crowdsourced or by the Wapack Labs team. Security Intelligence, another of our popular groups, is just what it says. It's forward looking intel. And Fusion Reports, with 422 documents posted, hosts discussions of finished analysis.


Crazy. The portal has been on fire. I love it. I'm heading for Houston this week to work so I may respond slowly to email, but we're always on the portal :)

Interested in joining us? Drop me a note or give me a shout.
Have a great weekend!
Jeff