User data has not been affected by the attack

Oct 7, 2014 11:58 GMT

Over the weekend, Romanian hackers penetrated Yahoo machines leveraging what appeared to be the Shellshock vulnerability, but as it turned out, the intruders managed to trigger another bug, unrelated to the one affecting the Bash command interpreter, although similar in nature.

Reported on Monday, the attack was also conducted against servers belonging to other high-profile companies, WinZip and Lycos, according to Jonathan Hall, a hacker who switched from black hat to white hat.

He contacted the aforementioned companies and received an answer from each, albeit with some delay. WinZip, just like Yahoo, confirmed the intrusion, but Lycos apparently denied it.

At first, Yahoo seemed to confirm Hall’s finding that Shellshock was indeed at fault for creating an entry point on the affected machines, but later Alex Stamos, chief information security officer at Yahoo, issued a new statement saying that the intrusion was possible because of a different bug.

Modified Shellshock exploit worked with another bug

Stamos said that although the attackers were running malicious code to find machines exploitable through the Bash security flaw, what they sent was a mutated version of the exploit for that vulnerability.

“This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs,” Yahoo’s CISO announced in his statement.

The flaw was in a monitoring script that is used for parsing and debugging web logs, which was in use on three Sports API (application programming interface) servers.

The exploit was probably modified to evade the protection mechanisms guarding the servers, the IDS/IPS (intrusion detection and prevention system) and WAF (web application firewall).

“Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!” he notes in the post.
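The bug class Stamos describes, a log-parsing script that hands attacker-controlled log fields to a shell, as an added example that is not the Yahoo script or anything from the article: a constructed combined-format log line whose User-Agent carries a command substitution, a vulnerable word-count helper beside its hardened form, and a field check that flags the shell metacharacters a log scanner can alert on. The sample line, field names and function names are assumptions.

```python
import re
import subprocess

# Constructed sample line in Apache combined log format (not from the article).
# The User-Agent field carries a shell command substitution, the kind of
# attacker-controlled content a Shellshock-style probe leaves in a web log.
SAMPLE_LINE = (
    '203.0.113.7 - - [06/Oct/2014:22:14:01 +0000] "GET /api/live HTTP/1.1" '
    '200 512 "-" "curl/7.30 $(echo injected)"'
)

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format log line into named fields."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError("unparseable log line")
    return m.groupdict()


def ua_word_count_vulnerable(line):
    """Vulnerable: the untrusted User-Agent is spliced into a shell string,
    so $(...), backticks and ; are interpreted by /bin/sh before wc runs."""
    ua = parse_line(line)["ua"]
    cmd = f'printf "%s" "{ua}" | wc -w'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return int(out.stdout)


def ua_word_count_hardened(line):
    """Hardened: no shell at all; the field is passed as data on stdin and
    the command is an argument list, so metacharacters are never evaluated."""
    ua = parse_line(line)["ua"]
    out = subprocess.run(["wc", "-w"], input=ua, capture_output=True, text=True, check=True)
    return int(out.stdout)


# Shell metacharacters a scanner can flag in parsed fields (assumed pattern set).
SHELL_META = re.compile(r'\$\(|`|;|\||\(\)\s*\{')


def flag_suspicious_fields(line):
    """Detection: names of parsed fields that contain shell metacharacters."""
    fields = parse_line(line)
    return sorted(k for k, v in fields.items() if SHELL_META.search(v))
```

The vulnerable helper counts 2 words because the shell expanded the substitution before counting; the hardened helper counts the 3 literal words and never evaluated anything.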

User data was never at risk

After learning about the compromise, Yahoo isolated the affected machines and searched for evidence of user data compromise.

The purpose of the API servers hit in the attack is to provide live game streaming information to the Sports front-end. As such, no customer information is stored on them.

Stamos notes that there is no evidence that other machines, which may hold sensitive user details, were compromised.

The machines have been secured, and pattern indicators for this flaw have been added to Yahoo's code scanners to prevent future intrusions through it.