This bug is specifically in the Parity multisig wallet.
The bug is that the initWallet function (which includes setting the owner of the wallet) could be called by anyone, at any time, not just by the creator at initialisation time. Yes, really.
The attacker is searching for Parity multisig wallets, setting himself as the owner, and withdrawing all of the money.
Wow, this falls into the "fucking what?" category of security bugs. It's like walking into the Central New York Gold Depository and declaring yourself king of the world and walking out with everyone's gold with nobody noticing stupid.
The bug is that the initWallet function (which includes setting the owner of the wallet) could be called by anyone, at any time, not just by the creator at initialisation time. Yes, really.
The attacker is searching for Parity multisig wallets, setting himself as the owner, and withdrawing all of the money.