• Synnr
    link
    fedilink
    arrow-up
    20
    ·
    edit-2
    8 months ago

    In turn it compromises ssh authentication allows remote code execution via system(); if the connecting SSH certificate contains the backdoor key. No user account required. Nothing logged anywhere you’d expect. Full root code execution.

    https://news.ycombinator.com/item?id=39877312

    There is also a killswitch hard-coded into it, so it doesn’t affect machines of whatever state actor developed it.

    https://news.ycombinator.com/item?id=39881018

    It’s pretty clear this is a state actor, targeting a dependency of one of the most widely used system control software on Linux systems. There are likely tens or hundreds of other actors doing the exact same thing. This one was detected purely by chance, as it wasn’t even in the code for ssh.

    If people ever wonder how cyber warfare could potentially cause a massive blackout and communications system interruption - this is how.