Yahoo confirms servers infected — but not by Shellshock

Yahoo says no customer data was placed at risk after servers were infiltrated by malware -- and the insidious Shellshock bug was not at fault.
Written by Charlie Osborne, Contributor

Yahoo has confirmed a "handful" of infected servers have been discovered, but says the Shellshock bug is not to blame.

The tech giant came under scrutiny following a report published by Future South Technologies earlier this week. Jonathan Hall, senior engineer and president of the security company, said that Yahoo's systems were breached using the Shellshock bug. Romanian hackers running scripts designed to form bot networks for DDoS attacks were allegedly to blame.

The report also said that Lycos and WinZip are vulnerable to Shellshock; Lycos has denied being breached, while WinZip has confirmed the problem and thanked the researcher.

Shellshock is a severe vulnerability in Bash, an open-source shell used as the default command-line interpreter on many operating systems, including Linux, variants of Unix, and Apple's OS X. The vulnerability allows a hacker to execute code and run the same commands as a legitimate user -- without authentication. While this limits the attacker at first, gaining such a foothold means that privileges could be escalated and full access to a system eventually obtained.

In a post on Hacker News, Yahoo CISO Alex Stamos refuted Hall's claims, saying that after "investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock."

"Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers," Stamos writes. "These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs."

The Yahoo executive says that the servers were immediately isolated; the affected API servers are used to provide live sports game streaming and do not hold or store user data in any case. At this time, the company has found no evidence that user data has been impacted, and the exploit pattern has been added to its CI/CD code scanners to catch future issues.
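Stamos describes two things a defender can act on: a monitoring script that parsed web logs carried a command injection bug, and the attackers had "mutated" the Shellshock probe so that exact-match IDS/WAF signatures would miss it. The following is an added example written for this article, not code from Yahoo or from the researcher. It parses a few constructed combined-format log lines, flags the textbook Shellshock marker as well as whitespace-mutated variants and bare shell metacharacters in request fields, and shows the safe way to hand a log field to a child process (a single argv element, no shell) next to the string-interpolation anti-pattern that causes the class of bug described. All hosts, paths and user agents in the sample are made up, and `LOOSE_SIG` is a heuristic, not a vendor signature.

```python
import re
import subprocess
import sys

# Constructed sample in Apache/nginx combined log format. Addresses, paths
# and user agents are invented for this example; they are not from the article.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Oct/2014:02:14:11 +0000] "GET /api/v1/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Oct/2014:02:14:12 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "-" "() { :;}; [probe command removed]"
203.0.113.9 - - [06/Oct/2014:02:14:13 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "() {   :; }; [probe command removed]" "curl/7.35"
192.0.2.44 - - [06/Oct/2014:02:15:00 +0000] "GET /api/v1/scores?team=a;id HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The exact string that naive filters look for in a Shellshock probe.
EXACT_SIG = "() { :;};"
# Whitespace-tolerant form of the same marker: catches mutated spellings such
# as "(){" or "() {   " that an exact match would miss.
LOOSE_SIG = re.compile(r"\(\s*\)\s*\{")
# Characters that a shell would interpret if a field were interpolated into a command line.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_line(rec):
    """Return (field, finding) pairs for the attacker-controlled fields of a parsed record."""
    findings = []
    for field in ("req", "referer", "ua"):
        value = rec[field]
        if EXACT_SIG in value:
            findings.append((field, "shellshock-exact"))
        elif LOOSE_SIG.search(value):
            findings.append((field, "shellshock-mutated"))
        elif SHELL_META.search(value):
            findings.append((field, "shell-metachar"))
    return findings


def scan_log(text):
    """Return [(client_ip, findings)] for every parsed line that raised a finding."""
    results = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = flag_line(rec)
        if findings:
            results.append((rec["ip"], findings))
    return results


def unsafe_lookup_command(ua):
    """The anti-pattern: a log field pasted into a command line destined for shell=True.

    A field containing a quote and a ';' would end the grep pattern and start a
    second command. Returned as a string only, for illustration; never run it."""
    return f"grep -c -- '{ua}' access.log"


def safe_field_echo(value):
    """Hand a log field to a child process as one argv element so no shell parses it.

    The child is the Python interpreter itself (hypothetical stand-in for grep or
    another log tool) so the example runs anywhere Python does."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, findings)
    print(safe_field_echo("team=a;id"))  # printed literally, never executed
```

The point of `safe_field_echo` is that the value reaches the child as data: `team=a;id` comes back unchanged instead of being split at the semicolon. The scan output shows why a normalised pattern matters: the second probe line differs from the first only in whitespace and is missed by `EXACT_SIG` but caught by `LOOSE_SIG`.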

However, it is worth keeping in mind that cybercriminals often infiltrate the weaker links in a chain -- whether a server or a third-party computer system with access to a desired network -- and so isolation or closure alone may not be an adequate response to such an intrusion.

In addition, the Yahoo executive denies that Hall contacted the company, despite the security researcher saying he "attempted to contact Yahoo several times" and resorted to "emailing Marissa Mayer and contacted her via Twitter, both of which yielded zero results and no response." Hall has also posted what appears to be correspondence with a member of Yahoo's security team, Ricky Connell.

Stamos said:

"Yahoo takes external security reports seriously and we strive to respond immediately to credible tips. We monitor our Bug Bounty and security aliases 24x7, and our records show no attempt by this researcher to contact us using those means. Within an hour of our CEO being emailed directly we had isolated these systems and begun our investigation."
