14 DAY TRIAL // In late December, Turkish hackers managed to breach and deface the website of the OpenSSL Foundation, openssl.org. On January 1, OpenSSL representatives released a statement to provide additional details regarding the attack.
There’s no evidence that the attackers targeted the source repositories. It appears they had only changed the website’s index page. However, the interesting part of OpenSSL’s statement is the one that provides details on how the attack was carried out.
“Initial investigations show that the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration. Steps have been taken to protect against this means of attack in future,” the statement reads.
The following day, VMWare published a statement of its own to clarify that the hackers didn’t exploit a vulnerability in the company’s products.
“The VMware Security Response Center has actively investigated this incident with both the OpenSSL Foundation and their Hosting Provider in order to understand whether VMware products are implicated and whether VMware needs to take any action to ensure customer safety,” VMware’s Iain Mulholland noted in a blog post.
“We have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error.”
On the other hand, as Ars Technica’s Dan Goodin highlights, it’s possible that the “hypervisor” that the OpenSSL Foundation representatives are actually referring to is the one used by the organization’s hosting provider, IndIT Hosting, which appears to be relying on ESXi and KVM.
The fact that the attackers haven’t touched any of the source repositories isn’t surprising, considering that in the defacement message they claim to “love OpenSSL.” In addition, judging by their zone-h.org account, most of their attacks are carried out in an effort to boost their reputation, not to cause damage.