Yahoo has claimed that several of its servers which came under attack over the weekend were not affected by Shellshock, as first thought, but by a similar bug.
Yahoo’s chief information security officer, Alex Stamos, revealed that attackers had been attempting to use the Shellshock bug to infect Yahoo’s systems, but had found another way into a few of its servers relating to Yahoo’s sports services.
“Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP [intrusion detection/prevention systems] or WAF [web application firewall] filters,” he wrote.
“This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.”
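The failure mode Stamos describes, as an added illustration that is not Yahoo's code: a constructed web-log sample carrying a Shellshock-style probe in its User-Agent, a parser for it, a detection check for the probe signature, the vulnerable pattern (a log field interpolated into a shell command string) and the hardened pattern (no shell, argv list). All names and log lines here are hypothetical.

```python
import re
import subprocess
import sys

# Constructed sample web-log lines (combined log format). The second carries a
# Shellshock-style probe in its User-Agent field, the kind of traffic a
# log-debugging script would have been parsing.
SAMPLE_LOG = (
    '203.0.113.5 - - [06/Oct/2014:10:00:01 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    '198.51.100.9 - - [06/Oct/2014:10:00:02 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "() { :;}; echo probe"\n'
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d+) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Classic Shellshock signature (the '() {' function-definition prefix), loose on
# whitespace. A "mutated" exploit may still slip past a signature this narrow.
PROBE_RE = re.compile(r"\(\s*\)\s*\{")


def parse_log(text):
    """Return one dict per well-formed log line (ip, req, status, ua)."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def is_shellshock_probe(ua):
    """Detection check: flag a User-Agent that looks like a Shellshock probe."""
    return PROBE_RE.search(ua) is not None


def debug_command_unsafe(entry):
    """Vulnerable pattern (returned as a string, never executed here): a log field
    interpolated into a command destined for shell=True. A ';' or '$(' inside the
    field ends the intended command and starts another, so the probe body runs
    even on a host whose bash is already patched against Shellshock."""
    return "grep -c {} access.log".format(entry["ua"])


def echo_arg_safe(field):
    """Hardened pattern: no shell, argv list, the field is exactly one argument
    and comes back verbatim. Uses the Python interpreter so the demo runs anywhere."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", field],
        capture_output=True, text=True, check=True,
    )
    return out.stdout
```

Running the probe's User-Agent through echo_arg_safe returns it unchanged, which is the property a scanner rule can enforce: log fields reach child processes only as argv elements, never as shell text.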
Stamos said Yahoo’s security team had since isolated the servers in question and found no evidence that any other machines or user data were infected.
“This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues,” he explained.
Stamos admitted that the incident had caused some confusion for the security team as they had already applied two patches to counter the Shellshock vulnerability.
“Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock,” he added.
The incident underlines how quickly attackers move to exploit newly disclosed vulnerabilities, and how readily they re-engineer their attacks to breach systems.