Classic Shell hackers: We infected FossHub so ransomware couldn't (and yeah, also for fun)

The hacking group credited for compromising FossHub and briefly infecting downloads of Audacity and Classic Shell says the fallout from the website's insecurity could have been far worse had they not got there first.

In a conversation with El Reg, a member of the Peggle Crew group said the security breach – in which the FossHub accounts for both Audacity and Classic Shell were compromised and used to spread a few hundred copies of a new piece of Master Boot Record (MBR) nuking malware – was, in fact, a relatively simple matter.

We're told that in late July, the miscreants easily found an internet-facing service that was not password-protected. This contained all the source code and passwords they needed to obtain deeper access to FossHub's production and mirror systems as well as its caching servers via FTP, the crew said. They were able to grab the accounts database of developers who upload files to FossHub; the passwords were not salted, apparently.

It took one of the gang's x86 assembler programmers "a day or so" to write the MBR nasty, which blows away the boot record sector and potentially trashes the partition table on the main drive, rendering the PC unbootable until it is repaired by software tools. The group considered slipping in a rootkit but gave up on that and went with an old-school MBR killer instead.

Their software nasty was hidden in copies of the Windows installers for Audacity and Classic Shell hosted on FossHub, a portal for free and open-source projects. Running an infected installer put in place the MBR-attacking malware rather than unpacking the legit app. On the next reboot, a message from the crew was displayed on the screen and the MBR scrubbed.

Once Peggle Crew was inside FossHub, it made sure to target the most popular applications hosted on the site to garner the most attention for themselves.

"Audacity and Classic Shell are the two most popular programs there, so those were the ones we made executables that mimicked the installers for," the crew said.

"After the initial wave when the administrators fixed the executables and locked the developer accounts in question, we replaced all the executables on their mirrors with a generic version of our MBR overwriter by using stolen FTP credentials."

After that, FossHub administrators were forced to take down the site for several hours to address the issue, and while nobody downloaded the infected Audacity installer, apparently, a few hundred people were infected with Peggle Crew's poisoned version of Classic Shell.

The crew admits that, while the attack was mostly done for fun, there was also a sense that exposing the flaw with a relatively benign infection (broken MBRs can be cleaned up fairly easily) could prevent a more nefarious attack from exploiting the same bug.

"The entry point was so obvious that it was only a matter of time before a ransomware author got to it (a la Transmission), and we didn't want that," Peggle Crew said.

The security breach is not going to be a one-off, either. We're told that prior to hijacking FossHub, Peggle Crew was behind such stunts as hacking the Twitter accounts of Beatles drummer Ringo Starr last February and the NFL in June.

"We've been around a while, so this is not the last you'll see of us," Peggle Crew says. "Unless the very angry dude in our Twitter mentions actually comes and kills us, that is." ®