After researcher Jonathan Hall’s claims that a group of hackers has been exploiting the Bash Shellshock vulnerability to compromise a number of servers belonging to Yahoo, Lycos and WinZip made headlines yesterday, the companies in question were forced to respond.
Yahoo was the first to acknowledge to the researcher that they found evidence of compromise on the server, and publicly reported that they isolated a handful of their impacted servers, adding that there is currently no evidence of a compromise to user data.
Yahoo CISO Alex Stamos later took to Hacker News to explain what they found. He says that the servers in question were not, after all, affected by Shellshock.
“Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs,” he pointed out.
“Regardless of the cause, our course of action remained the same: to isolate the servers at risk and protect our users’ data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data.”
He reiterated the initial claims that there is currently no evidence that the attackers compromised any user data or any other machines. “This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues,” he added.
“As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public,” he shared.
“Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!”
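The bug class Stamos describes (a log-debugging script that splices web-log fields into a shell command) and the CI/CD scanner pattern he mentions, as an added example that is not Yahoo's code: a pure-Python web-log parser that never spawns a shell, plus a small source scanner with hypothetical rules for the risky call patterns, run over constructed log lines and a constructed snippet of the kind of script such a scanner should catch.

```python
import re

# Fields of an Apache combined-format web log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). The last user-agent holds shell
# metacharacters; a parser that never spawns a shell simply treats it as data.
SAMPLE_LOG = [
    '10.0.0.1 - - [06/Oct/2014:12:00:00 +0000] "GET /api/live HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [06/Oct/2014:12:00:01 +0000] "GET /api/live HTTP/1.1" 500 12 "-" "curl/7.0"',
    '10.0.0.3 - - [06/Oct/2014:12:00:02 +0000] "GET /api/score HTTP/1.1" 200 99 "-" "Mozilla/5.0; echo TEST"',
]

def parse_log(lines):
    """Parse log lines in pure Python; malformed lines are skipped, never handed to a shell."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def status_counts(lines):
    """Debug helper: responses per status code, computed without spawning any process."""
    counts = {}
    for row in parse_log(lines):
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts

# Hypothetical scanner rules (written for this example): any shell invocation
# whose command string could carry data from the logs is flagged for review.
RISKY_RULES = [
    ("os.system", re.compile(r"os\.system\(")),
    ("os.popen", re.compile(r"os\.popen\(")),
    ("subprocess shell=True", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
]

def scan_source(source):
    """Return (line_number, rule_name) pairs for each risky line in a Python source text."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for name, rx in RISKY_RULES:
            if rx.search(line):
                hits.append((n, name))
    return hits

# Constructed snippet of a monitoring script: line 3 splices the user-agent into a
# shell command and is flagged; line 4 passes it as an argument list and is not.
SUSPECT_SOURCE = '''
for row in rows:
    os.system(f"echo {row['ua']} >> /tmp/debug.log")
    subprocess.run(["wc", "-c"], input=row["ua"], text=True)
'''
```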
WinZip took a little longer to react, but they also confirmed the hack, adding that they began patching their servers immediately after the Shellshock vulnerability was identified in late September.
“We continue to monitor the situation and apply the appropriate software updates as issues are identified. We’ve audited our servers and want to assure our users that no customer data or WinZip commercial software shows any evidence of being affected,” company spokeswoman Jessica Gould commented.
Lycos, on the other hand, denied the breach had happened and, according to Hall, they tried to cover up evidence that pointed to it by removing the attackers’ scripts.