Hackers are exploiting the Bash bug, codenamed Shellshock, to install malware on Nginx and Apache web servers, according to researchers from Zscaler ThreatLabZ.
Director of security research for Zscaler Deepen Desai revealed the attacks in a blog post, claiming the firm spotted it after detecting one of the infected servers.
"Within hours of the public disclosure of this vulnerability, the Zscaler ThreatLabZ research team started seeing incidents of attacks targeting this vulnerability in the wild to download additional malware. It appears that Nginx and Apache web servers configured to use mod_cgi are two potentially vulnerable services that are actively being targeted in the wild," read the post.
Shellshock is a bug in the Bash code used by Unix and Unix-like systems discovered by researchers earlier this week. The widespread nature of the systems has led to concerns that the bug could be used to mount crippling attacks on numerous targets, including the SCADA systems running critical infrastructure.
Desai said the initial attacks appear to be infecting the server with a Linux Backdoor Trojan family with distributed denial of service (DDoS) capabilities. He added that the malware can also be used for a variety of other purposes, including commanding injection exploit attempts, collecting and sending sensitive system information, and opening backdoor connections.
Desai said the company is still researching the full extent of Shellshock and expects to see further attacks in the very near future.
"The Zscaler ThreatLabZ research team is still investigating the level of impact associated with this threat, and is actively monitoring this threat and associated attacks in the wild," he said.
"It is extremely important for system administrators to apply appropriate security patch depending on the Linux distribution they are running."
Since Shellshock has been discovered technology firms around the world have been working to fix the issue and calm customers' fears. Apple told customers only a "very small" number of Mac OS X users are vulnerable to the flaw and promised a patch fix "soon" just after Amazon confirmed its servers' backend and APIs are not affected.
Dust storm on Titan only the third Solar System body where such storms have been observed
New technique could enable quantum computers to scale-up to millions of qubits
Systrom and Krieger taking time off "to explore our curiosity and creativity"
Comcast's £29.7bn winning bid more than twice the £13.7bn Rupert Murdoch valued Sky at just eight years ago