• Synnr
      link
      fedilink
      arrow-up
      20
      ·
      edit-2
      9 months ago

      In turn it compromises ssh authentication allows remote code execution via system(); if the connecting SSH certificate contains the backdoor key. No user account required. Nothing logged anywhere you’d expect. Full root code execution.

      https://news.ycombinator.com/item?id=39877312

      There is also a killswitch hard-coded into it, so it doesn’t affect machines of whatever state actor developed it.

      https://news.ycombinator.com/item?id=39881018

      It’s pretty clear this is a state actor, targeting a dependency of one of the most widely used system control software on Linux systems. There are likely tens or hundreds of other actors doing the exact same thing. This one was detected purely by chance, as it wasn’t even in the code for ssh.

      If people ever wonder how cyber warfare could potentially cause a massive blackout and communications system interruption - this is how.