Businesses are being warned they could fall foul of data protection laws if they fail to respond to the ‘Shellshock’ bug as hackers begin to exploit the flaw.
Cyber-security experts have begun to detect malicious actors using fast-moving, self-propagating worms to scan for vulnerable systems and then infect them using Shellshock – a software bug in the Bash shell used to control the command prompt on many Unix-based operating systems such as Linux and Mac OS X.
The bug, also known as the ‘Bash Bug’, has been compared to the ‘Heartbleed’ bug revealed in April because of the widespread use of Bash in web servers and other computer equipment. But while Heartbleed only allowed hackers to steal data, Shellshock enables hackers to gain complete control of an infected machine, allowing them to tamper with data, shut down networks or launch attacks on websites.
According to security experts, Shellshock is unlikely to affect as many systems as Heartbleed because not all computers running Bash can be exploited, but the Information Commissioner’s Office, which enforces data protection law in the UK, said businesses must not bury their heads in the sand and should promptly apply the security fixes currently being rolled out.
“This flaw could be allowing criminals to access personal data held on computers or other devices. For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure,” a spokesman said.
“The worst thing would be to think this issue sounds too complicated – businesses need to be aware of this flaw and need to be monitoring what they can do to address it. Ignoring the problem could leave them open to a serious data breach and, ultimately, enforcement action.”
Amazon.com and Google have both released bulletins to advise web services customers how to protect themselves from the new cyber-threat and a Google spokesman said the company is releasing software patches to fix the bug.
Linux makers released patches to protect against attacks on Wednesday, though security researchers uncovered flaws in those updates, prompting No. 1 Linux maker Red Hat to advise customers that the patch was "incomplete".
The industry is rushing to determine which systems can be remotely compromised by hackers, but there are currently no estimates on the number of vulnerable systems. For an attack to be successful, a targeted system must be accessible via the Internet and also running a second vulnerable set of code besides Bash, experts said.
"We don't actually know how widespread this is. This is probably one of the most difficult-to-measure bugs that has come along in years," said Dan Kaminsky, a well-known expert on Internet threats.
A major concern is the fact that Linux is used in household appliances such as home broadband routers and connected devices, as well as embedded applications in factories and even critical infrastructure facilities.
Tom Cross, director of security research at networking business Lancope, said: “Shellshock is particularly concerning in the context of industrial control systems and SCADA (supervisory control and data acquisition), where there may be many vulnerable devices that are difficult to upgrade.
“Earlier this year, a sophisticated waterhole attack targeted users of a variety of industrial control systems and industrial cameras. Those attackers now have an entirely new attack vector to explore.”
Russian security software maker Kaspersky Lab reported a computer worm that exploits Shellshock has already begun infecting computers. The malware can take control of machines, launch denial-of-service attacks to disrupt websites, and also scan for other vulnerable devices, including routers, said Kaspersky researcher David Jacoby, though he said he did not know who was behind the attacks.
Jaime Blasco, labs director at AlienVault, said he had uncovered the same piece of malware, as well as a second worm seeking to exploit Shellshock, which was designed for launching denial-of-service attacks.