The Gentoo Linux project has finished investigating the hacking last week of its GitHub-hosted package repository, an incident that resulted in attackers distributing malicious code to users. The point of entry turned out to be a weak admin password that was probably guessed thanks to data stolen from another website.
On June 28, unknown individuals gained control over the Gentoo Organization on GitHub and locked out other administrators. They then proceeded to close pull requests and add the “rm -rf /*” command to code in various repositories that are typically cloned by users. The goal of the command was to delete all files from users’ computers.
Gentoo is one of the oldest Linux distributions and, unlike distributions that ship pre-built software packages, it uses a package management system that downloads programs’ source code and compiles it locally for better optimization. Malicious commands inserted into build configurations that users clone are therefore a serious risk.
Fortunately, the rogue code added during the incident is unlikely to have been executed by users due to various technical guards that were in place, the Gentoo admins said in their investigation report.
Another piece of good news is that the GitHub-hosted ebuild repository was only a mirror of the master Gentoo repository hosted on gentoo.org, a separate infrastructure that wasn’t compromised. Users who synced via rsync or webrsync from the master repository were therefore not affected. The gentoo-mirror repositories, including metadata, were also hosted under a separate GitHub account that wasn’t affected.
Logs indicate that the attackers probed several accounts with administrative access before successfully guessing the password for one of them. They then started to remove legitimate accounts, triggering automated email alerts that quickly tipped off other Gentoo admins.
Had the attackers engaged in a quieter attack that wouldn’t have affected other accounts, it’s likely they would have gained a larger window of opportunity, said the Gentoo admins.
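The log pattern the admins describe (several admin accounts probed from one source, a successful login, then legitimate accounts removed) can be turned into a simple detection check. This is an added example, not Gentoo’s or GitHub’s own code; the event format, source addresses and account names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample audit events (not a real GitHub audit log):
# timestamp  source_ip  action  target_account
SAMPLE_EVENTS = """
2018-06-28T20:10:01 203.0.113.7 login_failed admin_a
2018-06-28T20:10:09 203.0.113.7 login_failed admin_b
2018-06-28T20:10:15 203.0.113.7 login_failed admin_c
2018-06-28T20:10:22 203.0.113.7 login_ok admin_c
2018-06-28T20:11:02 203.0.113.7 member_removed admin_a
2018-06-28T20:11:05 203.0.113.7 member_removed admin_b
2018-06-28T20:11:09 203.0.113.7 member_removed admin_d
2018-06-28T21:00:00 198.51.100.4 login_failed admin_a
2018-06-28T21:00:30 198.51.100.4 login_ok admin_a
""".strip()

# Hypothetical set of accounts with administrative access to the organization.
ADMIN_ACCOUNTS = {"admin_a", "admin_b", "admin_c", "admin_d"}

def parse_events(text):
    """Split each constructed log line into (timestamp, source, action, account)."""
    return [tuple(line.split()) for line in text.splitlines()]

def find_password_spraying(events, admins, min_accounts=3):
    """Sources that failed against >= min_accounts distinct admins, then logged in.

    A single failure followed by success (a typo) is not flagged; probing several
    privileged accounts before one succeeds is the pattern from the Gentoo logs."""
    failed = defaultdict(set)
    hits = []
    for _ts, src, action, account in events:
        if account not in admins:
            continue
        if action == "login_failed":
            failed[src].add(account)
        elif action == "login_ok" and len(failed[src]) >= min_accounts:
            hits.append((src, account, sorted(failed[src])))
    return hits

def find_admin_removals(events, admins, threshold=2):
    """Sources that removed >= threshold admin accounts: the noisy step that
    triggered the email alerts and tipped off the other Gentoo admins."""
    removed = defaultdict(list)
    for _ts, src, action, account in events:
        if action == "member_removed" and account in admins:
            removed[src].append(account)
    return {src: accts for src, accts in removed.items() if len(accts) >= threshold}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(find_password_spraying(evs, ADMIN_ACCOUNTS))
    print(find_admin_removals(evs, ADMIN_ACCOUNTS))
```

Only the first source is flagged by both checks; the second source’s single failed attempt followed by a success is left alone, which keeps the first check from alerting on ordinary typos.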
Collected evidence suggests that the compromised account used “a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages,” they noted.
Using the same password, or passwords that share a similar pattern, on multiple websites is convenient for users but poses a serious security risk. Website database breaches are very common, and the extracted credentials are then tried against other websites in so-called credential stuffing attacks.
Because of this, all organizations should make sure their employees use unique and complex passwords for their work accounts and augment those with two-factor authentication. Gentoo has now turned on two-factor authentication for its entire organization on GitHub and is also looking into enabling 2FA protection for its other non-GitHub services and users.
As a result of the incident, the Gentoo Organization repositories on GitHub were unavailable for five days, and the project is still working with GitHub to find a way to restore pull requests that the attackers deleted after disconnecting them from their original commits.
Malware Probes Computers to Decide Between Ransomware or Cryptominers
Infecting computers with ransomware has been one of the most profitable activities for cybercriminals over the past several years, but mining cryptocurrency using other people’s computing resources is an increasingly popular alternative.
Researchers from Kaspersky Lab have spotted a new variant of a 5-year-old ransomware program called Trojan-Ransom.Win32.Rakhni exhibiting an unusual behavior: During the first stage of the infection chain, the malware probes the computer to decide whether to download and deploy ransomware or to install a cryptocurrency miner.
The malware is delivered through malicious Word documents distributed via spam campaigns. Once users allow the embedded code to execute, it starts performing several checks, including detecting whether it’s running inside a virtual machine or honeypot or if certain processes associated with security programs are running.
If none of those are detected, the malware then checks whether the computer contains a “%AppData%\Bitcoin” folder. If the folder is present, it indicates that the user might have a Bitcoin wallet, in which case the ransomware component is deployed, because such a user has more reason to pay the ransom.
If no such folder is found and the computer has two or more logical CPUs, it instead installs a component that can mine the Monero, Monero Original and Dash cryptocurrencies. Finally, if the computer has fewer than two logical CPUs, the malware only installs a worm component that attempts to infect other computers on the local network by copying itself to shared folders.