
Comment by ducktective

5 years ago

> ...It looks as if it took the attackers three months to gain access back into the box and into the VM build...

How were the attackers able to gain access again after the developer used a VM in Windows? My guesses:

- The developer machine was compromised in a deeper level (rootkit?)

- The developer installs a particular application in each Linux box

- There is a bug in an upstream distro

> The developer machine was compromised in a deeper level (rootkit?)

Unlikely; that would not have taken 3 months.

> The developer installs a particular application in each Linux box

Possible, but also unlikely; as long as the VM wasn't used for other things, this also wouldn't have taken 3 months.

> The developer installs a particular application in each Linux box

There probably is, but it probably has nothing to do with this exploit. For the same reasons as mentioned above.

My guess is that it was a targeted attack against that developer, and there is a good chance the first attack and the second attack used different attack vectors, hence the 3-month gap.

My guess would be persistence in other parts of their network, used to get the credentials of that developer in some way. Perhaps some internal webapp; perhaps credential reuse with some other system; perhaps malware installed in some development tool or script that the developer would pull from some other company system and run on their machine. Perhaps even phishing, which is much more likely to succeed if you have compromised some actual coworker's machine and can send the malware through whatever messaging system you use internally.