Trojaned OpenSSH (In 2002)
- #security breach
- #OpenSSH
- #supply-chain attack
- In August 2002, trojaned OpenSSH tarballs were discovered on OpenBSD's FTP server and mirrors.
- The trojan inserted a file, bf-test.c, into the source code to compile and execute a backdoor connecting to a specific IP address on port 6667.
- The attack was noticed when users observed mismatched checksums and reported the issue on IRC.
- OpenBSD developers quickly responded by taking systems offline, changing passwords and SSH keys, and investigating the breach.
- Forensics revealed at least two developer accounts were compromised, with unauthorized logins dating back to June 2002.
- The accounts were probably compromised during the Usenix 2002 conference, likely through a security vulnerability, possibly in OpenSSH or Apache.
- The attackers did not appear to have extensive knowledge, as the trojan was crude and easily detectable.
- Extensive code reviews were conducted to ensure no further tampering existed in the repository.
- The incident highlighted the risks of supply-chain attacks, prompting changes such as restricting developer SSH keys with 'from=' options so they are only accepted from listed source hosts.
- Despite the breach, OpenBSD's transparent response and teamwork helped manage the situation effectively.
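The 'from=' restriction mentioned above is an option in OpenSSH's authorized_keys file. As an added example (not code from the original article or from the OpenBSD project), the POSIX shell script below audits an authorized_keys file and lists keys that carry no 'from=' option. The sample file is constructed here, with fake key blobs and names; the script assumes option values contain no whitespace, so the options field is the first whitespace-separated token on lines that do not begin with a key type.

```shell
#!/bin/sh
# Added example, not from the original page: report authorized_keys entries
# that have no from= source restriction.

# Constructed sample authorized_keys: two restricted keys, two unrestricted.
# Key material and user names are fake.
sample_keys() {
cat <<'EOF'
# constructed sample file
from="192.0.2.10",no-agent-forwarding ssh-ed25519 AAAAC3FAKE0001 alice@cvs
ssh-rsa AAAAB3FAKE0002 build@mirror
no-pty,command="/usr/local/bin/backup" ssh-ed25519 AAAAC3FAKE0003 backup@host
from="203.0.113.0/24" ssh-rsa AAAAB3FAKE0004 bob@laptop
EOF
}

# Reads authorized_keys lines on stdin and prints the comment field (last
# token) of every key line whose options contain no from= restriction.
unrestricted_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;              # blank line or comment
        esac
        case "$line" in
            ssh-*|ecdsa-*|sk-*) opts='' ;;    # no options: line starts with key type
            *) opts=${line%% *} ;;            # options field precedes the key type
        esac
        case "$opts" in
            from=*|*,from=*) ;;               # restricted to listed source hosts
            *) printf '%s\n' "${line##* }" ;; # unrestricted: print comment field
        esac
    done
}

# Reads authorized_keys lines on stdin and prints the number of unrestricted keys.
count_unrestricted() {
    unrestricted_keys | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
sample_keys | unrestricted_keys
echo "unrestricted keys: $(sample_keys | count_unrestricted)"
```

On a real host, feed the file to check directly: `unrestricted_keys < ~/.ssh/authorized_keys`. A key that lists only a from= pattern is still usable from those hosts; the check flags the ones that would be accepted from anywhere, which is the exposure a stolen developer key created in this incident.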