Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Linux Source Code Repository Kernel.Org Gets Hacked

A number of servers belonging to kernel.org were compromised last month in an attack that may have started with a stolen user credential.

According to a statement on kernel.org, which hosts the source code for the Linux kernel, the attack is not believed to have affected the source code repositories. While the situation remains under investigation, it is believed the attackers gained access to a server known as ‘Hera.’

A number of servers belonging to kernel.org were compromised last month in an attack that may have started with a stolen user credential.

According to a statement on kernel.org, which hosts the source code for the Linux kernel, the attack is not believed to have affected the source code repositories. While the situation remains under investigation, it is believed the attackers gained access to a server known as ‘Hera.’

“We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated,” according to kernel.org.

The attackers then modified SSH files that were running live, logged user interactions and added a Trojan startup file to the system start up scripts, the statement explains.

The attack was discovered Aug. 28 when an Xnest error message was found in the system logs on a server that did not have Xnest installed. Officials with the site have responded by taking the affected systems offline and doing backups and reinstalls, and have also notified authorities in the United States and Europe.

In an email to users, chief site administrator John ‘Warthog9’ Hawley stated that the break-in is believed to have occurred no later than Aug. 12, and that the Trojan infected a developer’s personal colocated machine as well as other systems.

“Upon some investigation there are a couple of kernel.org boxes, specifically hera and odin1, with potential pre-cursors on demeter2, zeus1 and zeus2, that have been hit by this,” he wrote.

The statement on kernel.org sought to assuage fears about the attack, noting that “the potential damage of cracking kernel.org is far less than typical software repositories.” “That’s because kernel development takes place using the git distributed revision control system, designed by Linus Torvalds,” according to the statement. “For each of the nearly 40,000 files in the Linux kernel, a cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version.”

Advertisement. Scroll to continue reading.

“Once it is published, it is not possible to change the old versions without it being noticed,” the statement continues. “Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of each several thousand kernel developers, distribution maintainers, and other users of kernel.org. Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily.”

The site is working with the 448 users of kernel.org to change their credentials and change their SSH keys.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.