Posted on May 3, 2020 at 4:54 PM
Reports revealed that hackers compromised the servers of LineageOS through a known vulnerability. However, the developers said that the signing keys were not affected. LineageOS is a mobile operating system for tablets, smartphones, and set-top boxes.
According to the report, the attack occurred last night and was discovered before the attackers could cause any damage to the network.
The developers of LineageOS published a statement regarding the attack a few hours after the incident.
No harm was done to the servers
The team pointed out that the source code of the operating system was not damaged or tampered with. That’s because no new builds of the operating system were being produced; builds have been on hold since April 30 as a result of a different issue.
Also, no harm was done to the signing keys used to authenticate official OS distributions, since they are stored on hosts separate from the main LineageOS infrastructure.
Developers of the LineageOS platform pointed out that the hackers took advantage of an unpatched vulnerability to infiltrate the Salt installation server.
Salt is an open-source framework created by SaltStack to automate and manage servers inside internal networks, cloud server setups, and data centers.
Two vulnerabilities were discovered in the Salt framework
Earlier in the week, F-Secure, a cybersecurity company, reported two major vulnerabilities in the Salt framework that can be used to take control of Salt installations.
According to the report, the vulnerabilities are CVE-2020-11652 and CVE-2020-11651. The first is a directory traversal, while the other is an authentication bypass. When the two vulnerabilities are exploited together, they enable attackers to gain access to the Salt server by bypassing its login procedures.
Once access is gained, the attackers can execute code on vulnerable Salt master servers that are exposed on the internet.
The developers of Salt recently released a report on the incident. They said exploitation of the two bugs started yesterday. In some cases the hackers deployed cryptocurrency miners, while in others they installed backdoors on the server for future attacks.
Presently, there are over 6,000 vulnerable Salt servers exposed on the internet. If these servers are not updated and patched, they give hackers an avenue to exploit.
Another major operating system was compromised in the past
This is not the first time a popular operating system has been compromised within the past 12 months. In July last year, Canonical’s GitHub account was breached by hackers, but the Ubuntu source code was not affected.
At the time, Canonical Ltd announced that the GitHub account of the Ubuntu Linux distribution had been infiltrated and used to create repositories and carry out other activities.
According to reports on the GitHub account, the actors created 11 new empty GitHub repositories on the main Canonical account. Two days before the incident occurred, a cybersecurity company, Bad Packets, had detected attacks on Git configuration files.
Canonical Ltd immediately took action and removed the compromised account from GitHub. After its investigation, the company confirmed that no PII or source code was affected.
Patches for the Salt vulnerabilities have been released
As the developers of Salt have pointed out, the Salt team released patches for the vulnerable servers earlier in the week. Salt servers should therefore not be left exposed on the internet but should be kept behind a firewall for more security.
Yesterday, the LineageOS team started investigating the incident to improve the security of its servers in the future. The team said users should not be concerned about the breach because all the important data on the server is safe. It also reiterated that the investigation will make sure other vulnerable areas are completely patched.
The LineageOS developers pointed out that they were able to detect the attack and stop it in time because of the security systems they have in place. They said the team is carrying out further investigation, and details of the findings will be released as well.