Data Breach – Hackers violated a server at Linux Australia

The organization Linux Australia revealed that one of its servers was hacked. The personal data of conference attendees might have been exposed.

Linux Australia revealed a data breach occurred on March 22, according to the organization attackers may have accessed personal details of conference attendees.

Linux Australia is an organization that represents nearly 5,000 Australian users and developers of free and open source software. The experts discovered the data breach a couple of days later, on March 24, following the investigation on a number of error reporting emails sent by a Conference Management (Zookeepr) hosting server.

According to the investigators, the hackers have exploited an unknown vulnerability to trigger a remote buffer overflow and obtain full control of the server hosting the information.

The server compromised by attackers hosts data related previous editions of the PyCon Australia and linux.conf.au conferences organized by the Linux Australia.

“It is the assessment of Linux Australia that the individual utilised a currently unknown vulnerability to trigger a remote buffer overflow and gain root level access to the server. A remote access tool was installed, and the server was rebooted to load this software into memory. A botnet command and control was subsequently installed and started. During the period the individual had access to the Zookeepr server, a number of Linux Australia’s automated backup processes ran, which included the dumping of conference databases to disk.” wrote Joshua Hesketh, president of Linux Australia.

The president of Linux Australia highlighted that there is no clear evidence that the hackers have stolen personal information, the records available in the archive of the organization include name, physical addresses, email addresses, phone numbers, and hashed passwords.

The organization clarified that no financial information was exposed in the data breach because the Linux Australia uses a third party payment system.

“The payment processing process on the Zookeepr system was specifically designed to send minimal information to the payment gateway, and as a result only receive back a payment success or failure code. All other payment details are handled by the payment provider’s systems. Therefore, credit card information was not disclosed,” Hesketh noted.

The experts suspect that the attackers were interested in the personal information of attendees to conduct further targeted attacks.

Linux Australia has immediately started its incident response procedures and announced improvements to its architecture.

The compromised server hosted data related to the 2013, 2014 and 2015 editions of the conferences, for this reason Linux Australia urges PyCon and linux.conf.au attendees to change their passwords, especially if the users share the same credentials with multiple web services.

Pierluigi Paganini

(Security Affairs –  Linux Australia,  data breach)