Linux Kernel’s Infrastructure Compromised by Malware for Two Years
In a startling revelation, researchers from ESET have uncovered that the infrastructure supporting the Linux operating system kernel was compromised by sophisticated malware from 2009 to 2011. The attackers managed to infiltrate kernel.org, the central domain for Linux development and distribution, affecting at least four servers. They obtained encrypted password data for over 550 users, converting half of these into plaintext passwords through advanced cracking techniques and a credential-stealing feature within the malware. The compromised servers were used for sending spam and other malicious activities.
The breach, which came to light in 2011, involved the installation of the Phalanx rootkit and a second piece of malware named Ebury on multiple servers and devices. Ebury, in particular, created a backdoor in OpenSSH, allowing attackers remote root access without a password. This malware spread to 25,000 servers over 22 months, including those outside the Linux Kernel Organization.
A detailed 47-page report by ESET traced Ebury’s history back to 2009, two years earlier than previously believed, revealing that it had infected over 400,000 servers running Linux and other operating systems. The attackers also obtained copies of the /etc/shadow files, securing cleartext passwords for 275 users. The incidents appear to be the work of two unrelated threat groups, with no evidence suggesting tampering with the Linux kernel source code. The full extent of the compromise and its implications remain a concern within the cybersecurity community.
Read more at Ars Technica…