Linux Australia, a consortium in charge of organizing Linux conferences Down Under, acknowledged over the weekend it was breached by attackers who were able to secure access to one of its servers, and with it, potential user information.
In a detailed email to users on Saturday, the group’s president Joshua Hesketh, described how in March attackers were able to leverage an unknown vulnerability in its system to trigger a remote buffer overflow and gain root level access to its server. The news comes about two weeks after the group first noticed the breach and conforms to guidelines provided by the Australian Information Commissioner regarding data breach disclosure.
The breached database contained information about past conference attendees, including their first and last names, their physical and email addresses, and their phone number if they entered it. Attackers may have also had access to a hashed version of each conference attendee’s password.
Linux Australia insists that since attendees pay for conferences via a third party gateway, user’s payment card information was not disclosed in the breach.
Hesketh claims the attacker implemented a remote access tool and rebooted the system to load their software into memory. From there the attacker was able to configure a botnet command and control server to parse data.
The server compromised in the attack belonged to the group’s conference management system, Zookeepr, and hosted information pertaining to the group’s conferences in 2013, 2014, and 2015 (linux.conf.au) along with data from 2013 and 2014’s PyCon Australia, a separate conference the group hosted based around the Python programming language.
Linux Australia developed the system for themselves, so on March 22, when the server began spitting out a large number of error emails, developers didn’t think much of it.
“The error emails were generated by the automatic deployment of code merges to the various Zookeepr instances, and it is not uncommon for large numbers of these to be generated as generalized network routing or other issues occur,” Hesketh wrote.
Two days later however, upon further examination, the group’s administrative team was able to deduce that the server had fallen victim to a malicious attack. In response, developers suspended all non-admin accounts that interacted with the server.
Hesketh claims the group’s admin team was also able to isolate the RAT, the botnet software, and remove any init scripts relating to the attack. Init scripts, used to configure Linux daemons, are run to start required processes as part of its boot process.
Going forward, in order to be more proactive about security the group claims it will expire conference attendee accounts three months after each conference ends, enforce only key-based logins, and deploy a log analysis tool that should tip it off if any suspicious activity is observed.
In addition to discussing Linux issues, the group, comprised of more than 5000 Aussies, also participates in several subcommittees and special interest groups which lobby before the country’s government on behalf of all open source software. While the site is currently offline, the group held its most recent conference, Australasia’s regional Linux and Open Source Conference, in Auckland this past January.