Yahoo CISO Alex Stamos refuted claims made by a Louisiana security company that a number of Yahoo servers had been compromised by Romanian hackers using Shellshock exploits against the vulnerability in Bash.
Stamos said three Yahoo Sports API servers were infected with malware by hackers looking for webservers vulnerable to the Shellshock vulnerability, but the exploits were not related to Shellshock. Those servers, which provide live game streaming, do not store user data and were isolated upon discovery of malware, Stamos said.
“These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters,” Stamos wrote in a post to Hacker News. “This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.”
No other Yahoo servers were compromised, and no user data was accessed, Stamos said.
“This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues. As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public,” Stamos wrote. “Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!”
Earlier today, Future South Technologies disclosed what it said was a breach of Yahoo servers by a gang of Romanian hackers running scripts used for herding bots for DDoS attacks. In a lengthy report published on its website, Future South president and senior engineer Jonathan D. Hall also posted messages he sent to Yahoo, the local FBI office in New Orleans, as well as officials at WinZip, which he said was also compromised in this attack, along with Lycos.
Stamos said that Yahoo’s bug bounty and security teams have no record of Hall messaging engineers to report his findings, despite Hall’s report to the contrary, which included screeenshots of an email from a Yahoo incident response team member named Ricky Connell.
“We monitor our Bug Bounty (bugbounty.yahoo.com) and security aliases (email@example.com) 24×7, and our records show no attempt by this researcher to contact us using those means,” Stamos said. “Within an hour of our CEO being emailed directly, we had isolated these systems and begun our investigation. We run one of the most successful Bug Bounty programs in the world and I hope everybody here will participate and help us keep our users safe.”
Shellshock is a vulnerability in Bash (Bourne AgainShell), an open source command line shell used by most Linux, UNIX and Mac OS X systems. The vulnerability occurs in the way Bash parses environment variables and allows an attacker to remotely attach executable code to a variable. Numerous patches for the original vulnerability and others found since have been distributed since Shellshock was disclosed on Sept. 24. A number of public exploits have also been discovered in the wild.
Hall said he was prompted to hunt down the attackers after his server logs showed that a winzip.com domain was pinging his machines looking for vulnerable Bash deployments. Hall said he used his own personally developed Shellshock exploit, along with Google searches, to identify vulnerable servers. He then found some on the winzip domain that were compromised by perl-based DDoS bots running on IRC channels. After dumping the contents of the hackers’ box, he saw they were more focused on “shell interactions than DDoS capabilities.” A number of Bash exploits have been reported, including a few snared in a honeypot by AlienVault Labs, which also identified perl-based DDoS bots in action.
It was here that he noticed a number of the compromised domains belonged to Yahoo and Lycos, and that as those domains joined the botnet, the hackers would try to root the boxes in order to load more commands.
Hall said he also has evidence that he would not share that indicates the hackers are trying to access the Yahoo Games servers. He identified two Yahoo servers in his post that had been rooted, before he was booted off the IRC channel by the hackers who realized his activities indicated he was not a bot.