Report: Shellshock Attack Hits Yahoo

11 Types of Exploits Targeting Flaws at Organizations Worldwide
Report: Shellshock Attack Hits Yahoo

(An update to this story is now available. Yahoo confirms Shellshock-targeting attackers hacked into three of its servers, but claims they didn't exploit Bash flaws.)

See Also: Data Center Security Study - The Results

Shellshock threats continue to escalate, with Yahoo reportedly falling victim to an exploit that targeted related flaws in its infrastructure to give attackers a foothold on its servers.

Since the first public warnings were sounded Sept. 24 over remotely exploitable "Shellshock" flaws in the Bash command-line interface - used in many flavors of the Unix operating system - security experts have continued to see an increase in related attacks (see Bash Bug: Bigger Than Heartbleed). But the Yahoo breach shows that the Bash flaws are already claiming some high-profile victims.

Breach Report: Yahoo, Lycos, WinZip

The Yahoo compromise was disclosed by security researcher Jonathan Hall, president of security consulting firm Future South Technologies, who claims that attackers - apparently based in Romania - have been attempting to use the Yahoo servers they compromised as a stepping stone for hacking into Yahoo's gaming servers, which are used by millions of people per day. Hall reports in a blog post that the same attackers have also compromised servers run by Lycos, as well as a payment gateway run by compression software vendor WinZip.

Hall says he notified all three companies about the flaws on Oct. 5, then chose to name them publicly after they failed to immediately acknowledge and patch the flaws. Hall says he's withheld precise details relating to the attacks, including server names, to dissuade copycat attackers.

Neither Lycos nor WinZip immediately responded to a request for comment on Hall's report. A Yahoo spokeswoman, who declined to respond directly to Hall's breach report, says that the company has been patching its systems against Shellshock since Sept. 24, as well as monitoring its infrastructure for related attacks. "Last night [Oct. 5], we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data," she says. "We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."

'Huge Number of Attacks'

Of course, many more businesses may have already been compromised by hackers who exploit Shellshock flaws. "Those on the receiving end of breaches often remain tight-lipped," software architect Troy Hunt tells Information Security Media Group. "What we do know is that there have been a huge number of attacks," he says. Some of those have been documented by CloudFlare, FireEye and the SANS Institute. But many attacks have yet to be cataloged, revealed by victims, or analyzed by security experts.

To date, six different Bash flaws - collectively referred to as Shellshock - have been discovered. Already, attackers have been using them to launch distributed-denial-of-service attacks, and to target vulnerable systems that are connected to IRC [Internet Relay Chat application layer protocol], by using automated bots that push links to related exploits. Other attackers have been targeting the flaw on some network-attached storage devices to dump all data they're storing. Some researchers have also published a proof-of-concept attack showing how Shellshock could be exploited to take control of instances of the open source OpenVPN software.

The Types of Attacks

Based on information from a number of sources, security researchers have seen about 11 different types of attacks that target Shellshock flaws:

Illegitimate vulnerability probes: These are unauthorized scans that probe servers for the presence of Shellshock flaws. "It is possible that the attacker may follow up with a 'real' attack if the check turns out to be positive," Johannes Ullrich, chief research officer at the SANS Institute, tells Information Security Media Group. Security researchers - as well as attackers - have apparently been responsible for these types of probes.

Grabbing system parameters: Ullrich says some attacks use the HTTP "User-Agent" to obtain system parameters. "This goes beyond checking if a system is vulnerable," he says, and "actually exfiltrates configuration information," which attackers could then use to create more customized exploits.

Legitimate vulnerability probes: These authorized scans - for example by security providers - attempt to identify Internet-connected systems with Shellshock flaws.

Cloud-based Shellshock scanners: These cloud-based services scan sites for the presence of Shellshock vulnerabilities.

Reverse/remote shell installation: Some payloads attempt to "install [a] perl reverse shell," Ullrich says, which would give attackers remote shell access to the system. In the case of the Yahoo server compromises, Hall says he watched an attacker - via IRC - finding vulnerable servers and then "forcing them to download a perl script that invoked a remote shell." Each successful remote-shell installation was then logged back to the attackers' IRC channel, which Hall was monitoring.

NAS attack: Threat intelligence firm FireEye reports that several attacks have exploited Bash flaws to obtain data being stored on network-attached storage devices located in Japan, South Korea and the United States. FireEye has published related indicators of compromise.

Remote patchers: Some white-hat hackers have been scanning for Shellshock-vulnerable sites, then attempting to "to remotely patch vulnerable systems by updating their Bash version," according to research published by Akamai security researchers.

Red team alerts: This simple exploit involves attackers exploiting Shellshock as a public service announcement and leaving an alert for system administrators that the server has exploitable Shellshock vulnerabilities, Akamai says.

File content dumper: This type of attack attempts to "dump" databases and steal sensitive information, including passwords.

Bitcoin targeting: Akamai says it's seen some attackers using Shellshock flaws to push malware to vulnerable systems. This attack code scans for the presence of bitcoins, then relays those bitcoins to attackers.

Funny business: These attacks include exploits aimed at opening CD trays, playing joke audio messages as well as "script-kiddie copy/paste payloads that don't make sense," Akamai says.

Akamai says it's seen Shellshock-targeting attacks coming from more than 13,000 different IP addresses per day, and has counted more than 20,000 unique payloads being used per day. Half of all Shellshock-related attacks or attempted exploits it's seen involve illegitimate probes, followed by legitimate probing (29 percent), IRC bots (10 percent) and "funny stuff" (8 percent). The vast majority of all probes and exploits were directed at online gaming sites.

Patch Web Servers First

When it comes to mitigating Shellshock, organizations should focus on Web servers first, says the SANS Institute's Ullrich. "The problem that a lot of companies have with this vulnerability is you have so many systems that are vulnerable - every Unix system you own is probably vulnerable in some way. But that doesn't mean it's exploitable."

One good piece of Shellshock news, meanwhile, is that the flaws don't appear to affect Windows users, despite a recent report from security researchers in Belgium suggesting that Windows is susceptible to a command-injection vulnerability that affects command-shell scripts. "We looked at this," Ullrich says of the report, as well as the possibility that Shellshock-like flaws might be present in Windows. "I don't see a realistic exploit vector for this flaw as of right now. Also, the use of shell scripts in Windows web apps is hardly ever seen."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network