Website defacement: provisional details.
Last updated: 1st January 2014
On Sun 29th December 2013 at around 1am GMT the home page of www.openssl.org was defaced. We restored the home page just after 3am GMT and started forensics, investigation, and recovery.
Initial investigations show that the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration. Steps have been taken to protect against this means of attack in future.
The source repositories have been checked and they were not affected. Other than the modification to the index.html page no changes to the website had been made.
More details to follow.
What bothers me, and the rest of the Internet-using security people, is the fact that they stated the attack vector was via the provider’s hypervisor. No details, no mention of the hosting provider, no mention of which hypervisor was being used, and no mention of the attack vector. That’s it. That’s all.
What about the provider’s other customers that may have also been breached but don’t yet know about it? Well, here is some info:
220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported, NFCSSL supported
So is this a hypervisor breach that allowed an attacker to deface a website? I’m willing to bet that this wasn’t the case. Why would an attacker waste such a valuable exploit (assuming it was a previously undisclosed 0day) just to deface a website?
If I were a betting man, and I am, I think this breach is more than likely associated with weak configuration settings. Whether the settings are fault of the provider or Openssl.org remains to be seen, however.
I hope this information helps others hosting with this provider…or at least makes them pick up the phone to call and get details on the scope of the breach.