UPDATE - Yahoo! has provided an update saying that after all, the servers in question were NOT compromised via the Shellshock vulnerability, but rather a “minor bug in a parsing script”. A story with the update is here, and the original story below.
Attackers have figured out a way to get onto some of Yahoo's servers via the Shellshock bug over the past few weeks. This may be the first confirmed case of a major company being hit with attacks exploiting the vulnerability in bash.
At least two servers for Yahoo Games have been breached, Jonathan Hall, a security researcher and a senior engineer with Future South Technologies, wrote on Reddit. The servers were vulnerable because they were using an older version of bash, Hall said. Yahoo confirmed the breach over email, he said.
Contacted by SecurityWeek, a Yahoo spokesperson provided the following statement Monday afternoon:
“A security flaw, called Shellshock, that could expose vulnerabilities in many web servers was identified on September 24. As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network. Last night, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data. We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data.”
"This breach is very serious, and jeopardizes every consumer that uses Yahoo! in any manner, from shopping to email, and even game playing," Hall wrote in a detailed technical post on Future South Technologies website.
Hall noted that millions of people visit Yahoo Games per day, and the games themselves are Java-based. Considering that Shellshock give attackers full control of the compromised server, there are many things attackers can do, such as stealing user information, harvesting financial data, and infecting visitor computers with malware.
"Romanian hackers are currently working on further infiltrating the Yahoo! Network, and also have infiltrated Lycos and WinZip.com," Hall wrote.
Hall first came across the group when he found a server on WinZip.com—a "store" server which acted as a payment gateway for WinZip purchases—running an IRC DDoS bot. The script "was commented all over in Romanian and really appeared to focus more on shell interaction than DDoS capabilities," Hall wrote. He tracked the same attacks on yahoo.com, and noted the attacker was forcing vulnerable servers into downloading a perl script which invoked a remote shell. The attackers were "digging through the network" and traversing the servers looking for other vulnerable servers.
"He’s actively working on rooting these boxes little by little and building up his arsenal," Hall wrote, noting the target appeared to be Yahoo Games servers. Attackers successfully breached dip4.gq1.yahoo.com and api118.sports.gq1.yahoo.com. Hall noted that while he has confirmed only these two servers, it was likely others have also been compromised.
Hall publicized his findings on the Future South site because the Federal Bureau of Investigation did not seem to take his findings seriously. "They really aren't seeing the severity and danger of this situation, and really are not reacting quick enough," he wrote.
Hall also struggled to find the proper contact at Yahoo to report the issue, emailing various addresses and even going as far as to reach out to CEO Marissa Meyer via email and Twitter.
Hall claimed in his Reddit post that his discovery of the breached servers did not quality under the company's bounty program.
“I literally gave them two servers that were hacked, of which there were most likely more—without a doubt—considering one gets a public DNS response of a private IP address… And that doesn’t quality? What a joke,” Hall wrote.
A commenter on Reddit noted that Yahoo gave a Swiss security researcher a $25 voucher back in 2013 to redeem Yahoo-branded gear such as t-shirts and pens after he reported three serious vulnerabilities. Attackers could have exploited the bugs to take over Yahoo email accounts by tricking logged-in users into clicking on a specially crafted link.
Hall also noted that while much of the discussion on exploiting Shellshock has focused on using Web scripts, he has successfully exploited bash through OpenSSH and FTP servers "where certain conditions are met," and even a a stratum server being run by a bitcoin mining pool. "It’s a shame I’m not malicious, I’d have hijacked a ton a bitcoins," Hall noted.
*Updated with statement from Yahoo!