Yahoo: Shellshock Attackers Got Lucky
Says Bash-Targeting Hackers Exploited Non-Shellshock Flaw
Yahoo and search engine giant Lycos have denied reports that their servers were compromised by attackers taking advantage of Shellshock flaws. But compression software vendor WinZip isn't responding directly to a report that it suffered a Bash-related breach.
Yahoo confirmed to Information Security Media Group Oct. 6 that three of its servers had, indeed, been compromised by attackers. But it says the attackers did not exploit Shellshock vulnerabilities and did not access user information.
Information security consultant Jonathan Hall had reported on his Future South website earlier on Oct. 6 that the attackers had exploited Bash command-line interface flaws - referred to as Shellshock - running on multiple Yahoo servers. Yahoo says that report is inaccurate.
Shellshock refers to flaws that have been found in the Bash command-line interface that's used in many flavors of the Unix operating system. Security experts have reported seeing a steady increase in Shellshock-targeting attacks.
But Yahoo's chief information security officer, Alex Stamos, now says that after isolating and reviewing the compromised servers and tracing the related attack code, Yahoo found that they were not exploited via flaws in vulnerable versions of Bash - which he says his company has been aggressively updating - even though Bash flaws were what the attackers were trying to exploit.
"After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock," Stamos says in a post to Hacker News. "Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. ... The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected."
In other words, attackers apparently exploited the streaming servers in an attempt to create a beachhead inside Yahoo's network, via which they hoped to identify Yahoo servers running vulnerable versions of Bash, which they could then exploit.
Stamos says the attackers tweaked - or "mutated" - an exploit to try to bypass signature-based detection by the company's intrusion detection and prevention systems, as well as its Web application firewall filters. "This mutation happened to exactly fit a command-injection bug in a monitoring script our Sports team was using at that moment to parse and debug their Web logs," he says, meaning that while the attackers did successfully execute their exploit code and sneak malicious code onto the servers, the exploit had nothing to do with vulnerabilities in Bash.
"As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public," he says. "Twice means once for the initial bug on Wednesday [Sept. 24], the second time with one of the 'nuke the attack surface from orbit, it's the only way to be sure' patches that became available that Thursday [Sept 25]," he adds, throwing in an Aliens reference for good measure.
WinZip, Lycos Respond
While Yahoo has confirmed it was breached and provided copious detail about the exploit and its related cleanup process, compression software vendor WinZip has declined to respond to the details of Hall's allegation that its servers were compromised by attackers who successfully targeted Shellshock flaws. WinZip spokeswoman Jessica Gould says the company received Hall's exploit warning one week after it began patching its servers against Bash flaws and has directly thanked Hall for the alert.
"We continue to monitor the situation and apply the appropriate software updates as issues are identified," Gould tells Information Security Media Group. "We've audited our servers and want to assure our users that no customer data or WinZip commercial software shows any evidence of being affected. WinZip is committed to protecting our users' data."
Meanwhile, search giant Lycos outright denies Hall's allegation - documented via screenshots and technical details - that Bash-targeting attackers successfully installed a malicious Perl script on multiple Lycos servers. "Lycos can confirm that no systems have been breached," spokeswoman Rema Sujeeth tells Information Security Media Group. "The latest patches have been installed on the company's servers to counter Shellshock."
Takeaways For All Bash Users
The attacks against Yahoo, Lycos and WinZip are all reminders that hackers are actively attempting to exploit servers with Bash vulnerabilities, and that all businesses that run Bash must continue to take proactive measures. To date, DDoS defense firm CloudFlare says 83 percent of Shellshock probes it's seen are attackers and researchers conducting reconnaissance. But it warns that some attackers have also been targeting Shellshock for distributed-denial-of-service purposes and tricking targeted servers into "sleeping" for 20-second stretches. Attackers are also targeting Shellshock vulnerabilities to dump data from network-attached storage devices, warns threat intelligence firm FireEye. And cloud services firm Akamai has seen attackers employ related exploits to do everything from installing malicious Perl scripts, to stealing Bitcoins, to playing joke audio messages on vulnerable systems.
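Two points in this story deserve a concrete illustration: Stamos' description of a monitoring script that parsed Web logs and carried its own command-injection bug, so that a "mutated" probe ran on fully patched servers, and CloudFlare's observation that most Shellshock traffic is reconnaissance, with some probes simply making the server sleep. The Python below is an added example written for this article; it is not Yahoo's monitoring script, not code from the article, and the log lines, the upper-casing helper and the script names are constructed for the demonstration. It shows a log-parsing helper that hands an untrusted log field to a shell beside a hardened version that never invokes a shell, and a triage pass over the same logs that flags Shellshock-style probes (the "() {" prefix) and distinguishes the sleep-style ones.

```python
"""Added illustration (not Yahoo's monitoring script and not code from the article).

Two defender-side points from the incident write-up:
  1. A web-log parsing helper that hands an attacker-controlled log field to a
     shell is a command-injection bug in its own right, regardless of whether
     Bash is patched. The "mutated" probe in the article landed on exactly such
     a bug. The vulnerable helper is shown beside a hardened one.
  2. The same parser can flag Shellshock-style probes, including the
     "sleep"-style denial-of-service probes CloudFlare describes, so that
     attempts seen in the logs can be reviewed.

The log lines and the upper-casing helper are constructed for this example.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access-log lines (Apache "combined" format).
# Line 3 carries the well-known Shellshock "() {" function-definition prefix
# followed by a sleep; line 4 carries a plain shell metacharacter payload
# aimed at a careless parser rather than at Bash itself.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2014:10:00:01 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Oct/2014:10:00:02 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "curl/7.35.0"
198.51.100.7 - - [05/Oct/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :;}; /bin/sleep 20"
198.51.100.8 - - [05/Oct/2014:10:00:04 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0; echo INJECTED"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")      # the "() {" prefix Shellshock payloads start with
SLEEP_RE = re.compile(r"\bsleep\s+\d+")          # "sleep N" marks the CloudFlare-described DoS probes
METACHAR_RE = re.compile(r"[;`|$]")              # characters a shell would interpret


def describe_agent_vulnerable(ua: str) -> str:
    """VULNERABLE (hypothetical debug helper): the User-Agent pulled from the
    log is spliced into a shell command string. Any ';', '|' or backtick in
    the field runs as a second command, with no Bash vulnerability needed."""
    out = subprocess.check_output(f"echo {ua} | tr a-z A-Z", shell=True, text=True)
    return out.strip()


def describe_agent_safe(ua: str) -> str:
    """HARDENED: no shell. The field travels as stdin and the command is an
    argv list, so log content can never become a command. (Doing the
    transformation in Python, ua.upper(), would avoid the subprocess entirely.)"""
    out = subprocess.check_output(["tr", "a-z", "A-Z"], input=ua, text=True)
    return out.strip()


@dataclass
class Finding:
    ip: str
    kind: str    # "shellshock-sleep", "shellshock-probe" or "shell-metachar"
    field: str   # which request field carried the payload


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into named fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> List[Finding]:
    """Scan request, referer and user-agent fields for probe signatures."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "ref", "req"):
            value = rec[field]
            if SHELLSHOCK_RE.search(value):
                kind = "shellshock-sleep" if SLEEP_RE.search(value) else "shellshock-probe"
                findings.append(Finding(rec["ip"], kind, field))
            elif METACHAR_RE.search(value):
                findings.append(Finding(rec["ip"], "shell-metachar", field))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ip:15} {f.kind:18} in {f.field}")
    # The hardened helper treats the whole field as data; the vulnerable one
    # would run the trailing "echo INJECTED" as a separate command.
    print(describe_agent_safe("Mozilla/5.0; echo INJECTED"))
```

The triage pass is deliberately signature-based, which is exactly what the mutated probe in the Yahoo case slipped past; the lasting fix is the hardened helper, which removes the shell from the path so that no variation of the payload has anything to inject into. Note also that the fourth sample line is flagged without any "() {" prefix at all: a log field full of shell metacharacters is worth a look even on a host where Bash is fully patched.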
With attackers continuing to cook up new ways to exploit Bash flaws, how should businesses respond? Yahoo CISO Stamos says his company continues to "test the latest available exploits as well as the attempts that we see in our logs," to see if they could be used successfully.
Stamos says his company is also relying on its bug bounty program for help. He also claims that Hall had not attempted to report the Shellshock vulnerabilities to either Yahoo's bug-bounty site or security e-mail account, security@yahoo.com, both of which he says the company monitors around the clock, seven days per week. Instead, Hall reportedly e-mailed Yahoo CEO Marissa Mayer directly. "Within an hour of our CEO being e-mailed directly we had isolated these systems and begun our investigation," Stamos says.