Following the recent Gentoo Linux hack, the distribution’s security team started to investigate how the intrusion was carried out. The published report shows exactly how the criminals were able to break into the project's GitHub account and embed malicious code.
The Investigation Reveals How the Gentoo Linux GitHub Hack Was Made
Last week saw a hacker intrusion into the main GitHub account of Gentoo Linux. This is one of the most popular distributions of the free operating system, well known for being used mainly by advanced users, system administrators and network engineers because of its unique package management system, which compiles user-installed software from source code. People choose Gentoo for its inherent customization options, which allow it to be used in a wide range of situations with ease.
Unfortunately, last week the security team posted an announcement stating that computer hackers had been able to access their GitHub account and embed malicious code that ultimately may have infected end users and developers. A thorough investigation was commissioned in order to reveal how the hackers gained entry. The Gentoo team has prepared a full report, published online on their wiki page, revealing details of the attack.
The criminals were able to gain access to a password used by a member of the administrative staff. The investigation team confirmed that a possible cause was password guessing combined with information gathering, which ultimately led to the discovery of the password. Consequently, the GitHub repositories became accessible to the hackers. The GitHub organization is used to host various infrastructure code and projects. Fortunately, this does not include the main repositories that are used by the general public to download packages or package instructions, nor does it include the distribution releases.
Gentoo Linux GitHub Hack Sequence Details
Upon intrusion the hackers removed the developer accounts and created a dummy one, which automatically triggered an email notification that allowed the developers to react almost instantly. The investigation team states that if this measure had not been in place, the hackers could have maintained their access for longer, which would have caused much more damage.
The hackers were able to create two malicious users with administrative privileges, through which the GitHub manipulations were made. In the short time between the initial intrusion and the response from the Gentoo team, the criminal collective was able to do the following:
- Users Manipulation — Removal of account credentials and the addition of hacker accounts through which the actions were done.
- Files Addition — One of the hacker actions was to upload a readme.txt file containing racist messages.
- Files Modification — The analysts revealed that the attackers changed the billing emails in order to reroute any financial data to their own accounts.
- Malicious Code Insertion — The hackers included a command in some of the ebuild files hosted there. If such a file is fetched and executed on a local computer, all of the computer’s contents would be removed.
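The last item is the one a user of the repository can check for. Gentoo's package tree carries a Manifest file per package whose EBUILD entries record each ebuild's size together with BLAKE2B and SHA512 digests, so an ebuild that has been modified, for example by an injected command, no longer matches its entry. The check below is an added example, not code from the article or from Gentoo; the Manifest text and the ebuild contents are constructed for the example and the file name is a placeholder.

```python
"""Check ebuild files against a Gentoo-style Manifest (added example, constructed data)."""
import hashlib

# Constructed sample ebuild; a real one carries many more variables.
CLEAN_EBUILD = (
    "# Copyright 1999-2018 Gentoo Authors\n"
    "EAPI=6\n"
    'DESCRIPTION="demo package"\n'
    'SLOT="0"\n'
)
# Same size as the clean file, so a size check alone would not catch the change.
TAMPERED_EBUILD = CLEAN_EBUILD.replace('SLOT="0"', 'SLOT="1"')


def manifest_entry(name: str, data: bytes) -> str:
    """Build one EBUILD line in Manifest format: type, name, size, then algo/digest pairs."""
    return (f"EBUILD {name} {len(data)} "
            f"BLAKE2B {hashlib.blake2b(data).hexdigest()} "
            f"SHA512 {hashlib.sha512(data).hexdigest()}")


# Constructed Manifest covering only the clean ebuild.
MANIFEST = manifest_entry("demo-1.0.ebuild", CLEAN_EBUILD.encode()) + "\n"


def parse_manifest(text: str) -> dict:
    """Map file name -> {'kind', 'size', 'hashes'} for each Manifest entry."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("EBUILD", "MISC", "AUX", "DIST"):
            continue  # skip blank lines, comments and signature armour
        kind, name, size = parts[0], parts[1], int(parts[2])
        # The remaining fields alternate algorithm name and hex digest.
        hashes = {algo.lower(): digest for algo, digest in zip(parts[3::2], parts[4::2])}
        entries[name] = {"kind": kind, "size": size, "hashes": hashes}
    return entries


def verify_file(entry: dict, data: bytes) -> list:
    """Return the list of mismatches for one file; an empty list means it matches."""
    problems = []
    if len(data) != entry["size"]:
        problems.append(f"size {len(data)} != {entry['size']}")
    for algo, expected in entry["hashes"].items():
        h = hashlib.new(algo)  # 'blake2b' and 'sha512' are both available in hashlib
        h.update(data)
        if h.hexdigest() != expected:
            problems.append(f"{algo} mismatch")
    return problems


def verify_tree(manifest_text: str, files: dict) -> dict:
    """Verify a mapping of file name -> bytes; unlisted and missing files are reported too."""
    entries = parse_manifest(manifest_text)
    report = {name: (verify_file(entries[name], data) if name in entries
                     else ["not listed in Manifest"])
              for name, data in files.items()}
    for name in entries:
        if name not in files:
            report[name] = ["listed in Manifest but missing"]
    return report


if __name__ == "__main__":
    for label, content in (("clean", CLEAN_EBUILD), ("tampered", TAMPERED_EBUILD)):
        print(label, verify_tree(MANIFEST, {"demo-1.0.ebuild": content.encode()}))
```

The digests only help if the Manifest itself is trusted: whoever can rewrite ebuilds in a repository can regenerate its Manifest, so the Manifest (or the commit carrying it) has to be covered by a signature that this check does not verify.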
Once the team was alerted to the intrusion, they contacted GitHub and the service was shut down. GitHub then cooperated with the Gentoo security team in order to track down the perpetrators of the crime. The investigation reports indicate that in one of the first messages from GitHub to Gentoo Linux, the host offered security recommendations to mitigate future attacks, such as the adoption of two-factor authentication.
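The timeline above turns on two signals: unexpected changes to the organisation's membership (developer accounts removed, new administrators added) and the absence of two-factor authentication on the account whose password was guessed. The script below, an added example rather than code from the article or from Gentoo, diffs two snapshots of an organisation's membership and flags additions, removals, administrators outside an allow-list, and members without 2FA. The snapshots are constructed and the logins are placeholders; `build_snapshot` assumes its three login lists come from GitHub's REST endpoint `GET /orgs/{org}/members` called without a filter, with `role=admin`, and with `filter=2fa_disabled` (the latter requires organisation-owner rights).

```python
"""Diff two snapshots of a GitHub organisation's membership (added example, constructed data)."""


def build_snapshot(all_logins, admin_logins, no_2fa_logins):
    """Combine three login lists (all members, admins, members without 2FA) into one snapshot.

    Assumed sources: GET /orgs/{org}/members with no filter, with role=admin,
    and with filter=2fa_disabled respectively.
    """
    admins, no_2fa = set(admin_logins), set(no_2fa_logins)
    return [{"login": login,
             "role": "admin" if login in admins else "member",
             "two_factor": login not in no_2fa}
            for login in all_logins]


# Constructed snapshots: the 'after' state mirrors the pattern described in the report,
# with a legitimate member removed and new administrator accounts added. Placeholder logins.
BEFORE = build_snapshot(all_logins=["alice", "bob", "carol"],
                        admin_logins=["alice"],
                        no_2fa_logins=["carol"])
AFTER = build_snapshot(all_logins=["alice", "carol", "newacct1", "newacct2"],
                       admin_logins=["alice", "carol", "newacct1", "newacct2"],
                       no_2fa_logins=["carol", "newacct1", "newacct2"])


def audit(before, after, allowed_admins):
    """Return (finding, login, role) tuples describing what changed and what is risky now."""
    old = {m["login"]: m for m in before}
    new = {m["login"]: m for m in after}
    findings = []
    for login in sorted(set(new) - set(old)):
        findings.append(("added", login, new[login]["role"]))
    for login in sorted(set(old) - set(new)):
        findings.append(("removed", login, old[login]["role"]))
    for login, member in sorted(new.items()):
        # Administrator rights outside the approved list are the strongest signal.
        if member["role"] == "admin" and login not in allowed_admins:
            findings.append(("unexpected_admin", login, member["role"]))
        # Any member without 2FA is exposed to credential guessing regardless of role.
        if not member["two_factor"]:
            findings.append(("no_2fa", login, member["role"]))
    return findings


if __name__ == "__main__":
    for finding in audit(BEFORE, AFTER, allowed_admins={"alice"}):
        print(*finding)
```

Run on a schedule with the previous run's snapshot as the baseline, and page on "added" and "unexpected_admin" rather than just logging them. This complements the email notifications the report credits with the fast reaction: those notifications reach the accounts that an intruder may have just removed, whereas a snapshot diff runs from outside the organisation's membership.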
Following the discovery of the Gentoo Linux GitHub breach, the team also conducted a thorough investigation of all other accounts and services to make sure that there were no further weaknesses. The results were negative: the intrusion was made solely against GitHub.
While the GitHub account was shut down there were several further hacker access attempts. They were blocked, and the precautions taken by the Gentoo Linux team will prevent future incidents. Several days after the incident, both GitHub and Gentoo reported that it was safe to reopen the public account once all malicious actions had been remedied.
The Gentoo Linux team has set up a status page that is updated live; it can be accessed here.