On Monday afternoon, Yahoo told SecurityWeek that servers associated with Yahoo Games had been hacked as a result of the recently disclosed “Shellshock” vulnerability, but the company now says that its original conclusion was wrong.
In its original statement issued Monday afternoon, the company said that on Sunday night, a “handful” of its servers were impacted but said there was no evidence of a compromise to user data.
Hours later, Yahoo! Contacted SecurityWeek with a change in tune, saying that after all, the servers in question were NOT compromised via the Shellshock vulnerability, but rather a “minor bug in a parsing script”.
“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by Shellshock. After investigating the situation fully, it turns out that the servers were in fact no affected directly by Shellshock, but by a minor bug in a parsing script,” a Yahoo! Spokesperson told SecurityWeek. “Regardless of the cause, our course of action remained the same — to isolate the servers at risk and protect our users’ data.”
The company maintained its position that no evidence has been found suggesting that user information was affected by the incident.
Yahoo! CISO, Alex Stamos provided additional details in a post to Y Combinator’s Hacker News.
“Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers,” Stamos explained. “These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.
Stamos, who became VP of Information Security and CISO at Yahoo! in March 2014, continued:
“As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!
The original story with more background on the incident can he found here.
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- Virtual Event Today: CISO Forum 2023 – Register to Join
- Watch Now: Threat Detection and Incident Response Virtual Summit
- Registration Now Open: 2023 ICS Cybersecurity Conference | Atlanta
- NetRise Adds $8 Million in Funding to Grow XIoT Security Platform
- Virtual Event Today: Zero Trust Strategies Summit
- Virtual Event Tomorrow: Zero Trust Strategies Summit
- Watch: How to Build Resilience Against Emerging Cyber Threats
- Video: How to Build Resilience Against Emerging Cyber Threats
Latest News
- In Other News: Linux Kernel Exploits, Update on BEC Losses, Cybersecurity Awareness Act
- Russian National Arrested, Charged in US Over Role in LockBit Ransomware Attacks
- Russian Hackers Using USB-Spreading Malware in Attacks on Ukrainian Government, Military
- Ransomware Group Starts Naming Victims of MOVEit Zero-Day Attacks
- CISA, NSA Share Guidance on Hardening Baseboard Management Controllers
- Content Moderation Tech Startup Trust Lab Snags $15M Investment
- OT Security Firm Shift5 Adds $33 Million in Funding
- XSS Vulnerabilities in Azure Led to Unauthorized Access to User Sessions
