Hackers this week managed to compromise FossHub and replace app installers distributed through it with malware-packed files, but not before hundreds of users downloaded the infected executables.
The attack was carried out by a hacking group that goes by the name of PeggleCrew, and resulted in the Windows installers of some of the largest projects on FossHub being infected, including Audacity and Classic Shell. The hackers replaced the original installers with their own versions, which included a MBR-overwriting Trojan.
Hackers gained access to FossHub via a compromised user, the service explains. Soon after, multiple user accounts were found compromised, as hackers managed to escalate. According to FossHub, hackers were able to get hold of account passwords.
The incident happened on August 2 and was detected only several hours later, which minimized the impact of the attack. However, FossHub explains that the compromised Classic Shell installer was downloaded around 300 times. No details on the number of users impacted by the infected Audacity installer have been provided as of now.
“We removed the file [Classic Shell] in several minutes and we changed all passwords for all services we had,” FossHub says.
According to a tweet from one of the hacking group’s members, all downloads were actually compromised during the incident, not only Audacity and Classic Shell.
While investigating the issue, the download service discovered that the attackers managed to gain access to the system through an FTP account, which prompted FossHub to shut down the main server on August 3, to ensure the compromise is contained. To clean the infection, FossHub decided to “reinstall everything, change all access rights, passwords and run up under new security rules.”
“The attackers tried to gain access to DNSMadeEasy (our DNS provider), to CloudFlare, personal emails, CDN services etc. The login-logs shows no successful logins, only FAILED attempts,” FossHub also says. However, the Oldfoss.com website was compromised and was also taken offline as a security measure.
The Audacity infrastructure wasn’t compromised during the incident, but the team says that they should have been more vigilant about their external downloads, to avoid situations like this from happening.
“We did not have the right safeguards in place, namely, to monitor external files. We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organization,” Audacity says.
The Classic Shell developer also acknowledged the breach and informed users on how to spot infected installers, starting with the fact that they won’t be signed by Ivaylo Beltchev, as the proper installers would.