Hackers are exploiting the Bash bug, codenamed Shellshock, to install malware on Nginx and Apache web servers, according to researchers from Zscaler ThreatLabZ.
Director of security research for Zscaler Deepen Desai revealed the attacks in a blog post, claiming the firm spotted it after detecting one of the infected servers.
"Within hours of the public disclosure of this vulnerability, the Zscaler ThreatLabZ research team started seeing incidents of attacks targeting this vulnerability in the wild to download additional malware. It appears that Nginx and Apache web servers configured to use mod_cgi are two potentially vulnerable services that are actively being targeted in the wild," read the post.
Shellshock is a bug in the Bash code used by Unix and Unix-like systems discovered by researchers earlier this week. The widespread nature of the systems has led to concerns that the bug could be used to mount crippling attacks on numerous targets, including the SCADA systems running critical infrastructure.
Desai said the initial attacks appear to be infecting the server with a Linux Backdoor Trojan family with distributed denial of service (DDoS) capabilities. He added that the malware can also be used for a variety of other purposes, including commanding injection exploit attempts, collecting and sending sensitive system information, and opening backdoor connections.
Desai said the company is still researching the full extent of Shellshock and expects to see further attacks in the very near future.
"The Zscaler ThreatLabZ research team is still investigating the level of impact associated with this threat, and is actively monitoring this threat and associated attacks in the wild," he said.
"It is extremely important for system administrators to apply appropriate security patch depending on the Linux distribution they are running."
Since Shellshock has been discovered technology firms around the world have been working to fix the issue and calm customers' fears. Apple told customers only a "very small" number of Mac OS X users are vulnerable to the flaw and promised a patch fix "soon" just after Amazon confirmed its servers' backend and APIs are not affected.
Nintendo sales double and profits balloon by 500 per cent as Shuntaro Furukawa is appointed president
Switch console sold more than 15 million units, while SNES Classic sold more than five million
High-precision measurements of nearly 1.7 billion stars made by Gaia space observatory
Water trapped in asteroids could be the source of the Earth's seas
Latest Skip Ahead build focuses on mobile and a number of small fixes