The homepage of the OpenSSL Project was attacked by hackers around 8 pm EST on December 29, but the project, whose website is depended upon by those who want to maintain secure communications for mobile apps, web servers and other software products, clarified that the site was only defaced.
The damage done by the alleged Turkish hacker group known as TurkGuvenligiTurkSec did not reach the code library of OpenSSL and was purely visual. Those who visited openssl.org saw only "TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl_" on the homepage.
OpenSSL was able to fix its website just two hours after the defacement started. Its administrators also immediately executed their protocol for recovery and investigation. The latest update released by OpenSSL revealed that the attackers used a security weakness on a hypervisor.
"The OpenSSL server is a virtual server which shares a hypervisor with other customers of the same ISP. Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server. The source repositories were audited and they were not affected," read the OpenSSL statement.
"Other than the modification to the index.html page no changes to the website were made. No vulnerability in the OS or OpenSSL applications was used to perform this defacement. Steps have been taken to protect against this means of attack in the future," it added.
After an update from OpenSSL on January 1, VMware released a statement the following day to protect the integrity of the company's ESX Server.
"The VMware Security Response Center has actively investigated this incident with both the OpenSSL Foundation and their Hosting Provider in order to understand whether VMware products are implicated and whether VMware needs to take any action to ensure customer safety. We have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error," explained VMware product security senior director Iain Mulholland in a blog post.
While OpenSSL and VMware did not disclose the name of the service provider, reports point to IndIT Hosting, based in Sweden. Not much damage was done on OpenSSL's end, but poor password habits at the hosting provider's end are a big red flag for its potential clients.