
Comment by xmodem

5 years ago

I think you may have misinterpreted that part of the post - my understanding is that the Linux laptop that was being used was compromised, and there was a 3 month gap when that developer switched to a Windows machine before that became compromised too. Specifically it would be fascinating to learn whether the Windows host was compromised or if it was only the Linux VM.

> ...It looks as if it took the attackers three months to gain access back into the box and into the VM build...

How were the attackers able to gain access again after the developer used a VM in Windows? My guesses:

- The developer machine was compromised at a deeper level (rootkit?)

- The developer installs a particular application in each Linux box

- There is a bug in an upstream distro

  • > The developer machine was compromised in a deeper level (rootkit?)

    Unlikely; that would not have taken 3 months.

    > The developer installs a particular application in each Linux box

    Possible, but also unlikely: as long as the VM wasn't used for other things, this also wouldn't have taken 3 months.

    > There is a bug in an upstream distro

    There probably is, but it probably has nothing to do with this exploit. For the same reasons as mentioned above.

    My guess is that it was a targeted attack against that developer, and there is a good chance the first attack and the second attack used different attack vectors, hence the 3-month gap.

  • My guess would be persistence in other parts of their network, used to get the credentials of that developer in some way. Perhaps some internal webapp; perhaps credential reuse with some other system; perhaps malware installed in some development tool or script that the developer would pull from some other company system and run on their machine. Perhaps even phishing, which is much more likely to succeed if you have compromised some actual coworker's machine and can send the malware through whatever messaging system you use internally.