Gentoo Repository Compromised Due to Weak Admin Password

The Gentoo Linux project has finished investigating the hacking last week of its GitHub-hosted package repository, an incident that resulted in attackers distributing malicious code to users. The point of entry turned out to be a weak admin password that was probably guessed thanks to data stolen from another website.

On June 28, unknown individuals gained control over the Gentoo Organization on GitHub and locked out other administrators. They then proceeded to close pull requests and add the “rm -rf /*” command to code in various repositories that are typically cloned by users. The goal of the command was to delete all files from users’ computers.

Gentoo is one of the oldest Linux distributions and, unlike distributions that ship pre-built software packages, it uses a package management system that downloads programs’ source code and compiles it locally for better optimization. Having malicious commands added to build configurations that are cloned by users is therefore a serious risk.

Fortunately, the rogue code added during the incident is unlikely to have been executed by users due to various technical guards that were in place, the Gentoo admins said in their investigation report.

More good news: the GitHub-hosted ebuild repository was only a mirror of the master Gentoo repository hosted on gentoo.org, a separate infrastructure that wasn’t compromised. Users who synced with rsync or webrsync from the master repository were therefore not affected. The gentoo-mirror repositories, including metadata, were hosted under a separate GitHub account that wasn’t affected either.

Logs indicate that the attackers probed several accounts with administrative access before successfully guessing the password for one of them. They then started to remove legitimate accounts, triggering automated email alerts that quickly tipped off other Gentoo admins.

Had the attackers engaged in a quieter attack that wouldn’t have affected other accounts, it’s likely they would have gained a larger window of opportunity, said the Gentoo admins.

Collected evidence suggests that the compromised account used “a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages,” they noted.

Using the same password or passwords that share a similar pattern on multiple websites is convenient for users, but poses a serious security risk. Website database breaches are very common and the extracted credentials are then used against other websites in so-called credential stuffing attacks.

Because of this, all organizations should make sure their employees use unique and complex passwords for their work accounts and augment those with two-factor authentication. Gentoo has now turned on two-factor authentication for its entire organization on GitHub and is also looking into enabling 2FA protection for its other non-GitHub services and users.
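The log pattern described above, a single source failing against several administrative accounts and then succeeding on one, is what a credential-stuffing or password-guessing run looks like from the defender's side. The following is an added example, not code from the Gentoo report or from the article, that flags that pattern in authentication logs. The log line format, the field names, the account names and the sample lines are all constructed for the example; the source addresses come from the documentation ranges.

```python
"""Flag sources that probe several privileged accounts and then log in successfully.

Added example. Log format, account names and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <src_ip> user=<name> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>success|failure)$"
)

# Constructed sample: one source tries four admin accounts, then gets into one;
# a second source simply mistypes its own password once.
SAMPLE_LOG = """\
2018-06-28T20:01:03Z 203.0.113.7 user=admin-a result=failure
2018-06-28T20:01:09Z 203.0.113.7 user=admin-b result=failure
2018-06-28T20:01:14Z 203.0.113.7 user=admin-c result=failure
2018-06-28T20:01:21Z 203.0.113.7 user=admin-d result=failure
2018-06-28T20:01:30Z 203.0.113.7 user=admin-b result=success
2018-06-28T20:02:00Z 198.51.100.4 user=dev-x result=failure
2018-06-28T20:02:05Z 198.51.100.4 user=dev-x result=success
"""

# Hypothetical set of accounts with administrative rights.
PRIVILEGED = {"admin-a", "admin-b", "admin-c", "admin-d"}


def parse(text):
    """Return (timestamp, source, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def find_stuffing(events, privileged, min_accounts=3, window=timedelta(minutes=10)):
    """Alert when one source fails against >= min_accounts distinct privileged accounts
    inside `window` and then succeeds on a privileged account."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        failed = {}  # user -> time of the most recent failure from this source
        for ts, _, user, result in evs:
            # Forget failures that fall outside the sliding window.
            failed = {u: t for u, t in failed.items() if ts - t <= window}
            if result == "failure" and user in privileged:
                failed[user] = ts
            elif result == "success" and user in privileged and len(failed) >= min_accounts:
                alerts.append({
                    "src": src,
                    "compromised": user,
                    "probed": sorted(failed),
                    "at": ts,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_stuffing(parse(SAMPLE_LOG), PRIVILEGED):
        print(f"{alert['at']} {alert['src']} probed {alert['probed']}, "
              f"succeeded as {alert['compromised']}")
```

A rule like this is only a backstop: the accounts it alerts on have already been entered, which is why the article's remedy is unique passwords plus two-factor authentication. The same alerting pipeline should also carry the event that actually tipped off Gentoo, the removal of organization members, since a quieter intruder would not trigger the login pattern at all.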

Because of this incident, the Gentoo Organization repositories on GitHub were unavailable for five days and the project is still working with GitHub to find a way to restore pull requests that were deleted by attackers after being disconnected from their original commits.

Malware Probes Computers to Decide Between Ransomware or Cryptominers

Infecting computers with ransomware has been one of the most profitable activities for cybercriminals over the past several years, but mining cryptocurrency using other people’s computing resources is an increasingly popular alternative.

Researchers from Kaspersky Lab have spotted a new variant of a 5-year-old ransomware program called Trojan-Ransom.Win32.Rakhni exhibiting an unusual behavior: During the first stage of the infection chain, the malware probes the computer to decide whether to download and deploy ransomware or to install a cryptocurrency miner.

The malware is delivered through malicious Word documents distributed via spam campaigns. Once users allow the embedded code to execute, it starts performing several checks, including detecting whether it’s running inside a virtual machine or honeypot or if certain processes associated with security programs are running.

If none of those are detected, the malware then checks whether the computer contains a “%AppData%\Bitcoin” folder. If the folder is present, it indicates that the user might have a Bitcoin wallet, in which case the ransomware component is deployed because the user has more reasons to pay the ransom.

If no such folder is found and the computer has two or more logical CPUs, it installs a component that can mine the Monero, Monero Original and Dash cryptocurrencies. Finally, if the computer has fewer than two logical CPUs, the malware only installs a worm component that attempts to infect other computers on the local network by copying itself to shared folders.

— Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
