Hackers have successfully exploited a major security flaw known as the Shellshock bug to hijack an internet server, cyber-security experts told CNBC.
The Shellshock bug is a vulnerability in Bash, the command-line shell used on many computers running Unix-like operating systems, which include Linux, Apple OS X and some internet-connected devices such as home routers.
The shell is integral to the running of these devices and is behind simple tasks such as launching an application.
It comes as experts warn that Shellshock has the potential to be more dangerous than the Heartbleed bug discovered in April. Heartbleed was found in OpenSSL, an encryption library used by around two-thirds of websites to protect information sent to and from web pages, and enabled attackers to steal users' online credentials.
Kaspersky Lab researcher Stefan Ortloff told CNBC the security company had identified “malicious attacks” by hackers who had exploited the Shellshock vulnerability to take over a web server. They then used this web server – which is used to host websites – to hijack another one.
Ortloff said this meant the hackers did not leave a trace: “They always use another hacked server to stay anonymous”.
The Shellshock bug means that hackers could also take down more websites through denial-of-service attacks, or target unsuspecting users with malware, he warned. Kaspersky Lab declined to disclose the servers affected due to client confidentiality.
‘Tip of the iceberg’
Other cybersecurity firms have also reported related attacks. London-based Digital Shadows, which tracks cyber-attacks in real time, told CNBC it had noted that the Bash vulnerability was being exploited.
“Many researchers have confirmed that it should be theoretically possible to create a worm that jumps from device to device. The evidence shows this is being exploited already and in an automated way,” Digital Shadows CEO, Alistair Paterson, said by email.
Installing updates, or "patches", is the way to protect against these attacks. Only a handful of vendors have released Shellshock-related patches to date, and experts warned that many internet-facing devices do not receive regular updates, leaving them exposed to further attacks.
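For readers who want to know whether their own systems have received the fix, the following POSIX shell script is an added example, not part of the CNBC article or of any vendor's patch tooling. It runs the widely published environment-variable probe for the original Shellshock bug (CVE-2014-6271) against the local bash binary: a vulnerable bash executes the command appended to an exported function definition, a patched one does not. The function name `shellshock_check` and its exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the CNBC article: probe the local bash for the
# original Shellshock bug (CVE-2014-6271).
# Exit status: 0 = patched, 1 = vulnerable, 2 = bash not installed.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not found on this system"
        return 2
    fi
    # Exported variables whose value starts with "() {" are imported by bash
    # as function definitions. A vulnerable bash keeps parsing past the
    # closing brace and executes the trailing "echo vulnerable" while it
    # starts up; a patched bash stops at the function body (and newer
    # versions ignore such variables entirely), so the word never appears.
    probe=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$probe" in
        *vulnerable*)
            echo "VULNERABLE: bash executes code appended to function definitions in the environment"
            return 1
            ;;
        *)
            echo "patched: $(bash -c 'echo "bash $BASH_VERSION"')"
            return 0
            ;;
    esac
}

# Run the probe when the script is executed directly.
shellshock_check
```

Two caveats apply. The first Shellshock patch was incomplete and was followed by further fixes (CVE-2014-7169 and others), so a clean result from this probe means the original bug is closed, not that every related issue is; check the package changelog for the later fixes as well. And the probe only tests the machine it runs on: the servers described above were reached through network services that pass attacker-controlled data into bash's environment, CGI scripts being the classic case, so a patched laptop says nothing about the router or web server in front of it.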
“We have only seen the tip of the iceberg so far,” Kasper Lindegaard, head of vulnerability intelligence specialist Secunia, said by email, adding that only the most obvious attack methods had been used so far.