Cyber Incident Victim: Linux Australia
Date: Mar 2015
Location: Australia
Summary
A malicious actor exploited an unknown vulnerability to gain root access to Linux Australia's conference management server, installing remote access tools and botnet command-and-control software. During the breach, automated database backups ran and wrote attendees' personal information—including names, physical/email addresses, phone numbers, and hashed passwords—to disk, though no evidence confirmed data exfiltration. The organization responded by isolating compromised systems, decommissioning the affected server, and implementing enhanced security measures including key-based authentication, centralized logging with anomaly detection, and stricter service restrictions on replacement infrastructure. Financial data remained secure because credit card processing occurred through a third-party gateway not involved in the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 22, 2015, between 0400 and 0600 Australian Eastern Daylight Time (AEDT), an attacker compromised Linux Australia's conference management server hosting the Zookeepr application. The server supported linux.conf.au events from 2013 to 2015 and PyCon Australia conferences from 2013 to 2014. The attacker exploited an unidentified vulnerability to trigger a remote buffer overflow, obtaining root-level access to the system. During the intrusion, the individual installed remote access tools and botnet command-and-control software, then rebooted the server to load these components into memory. Automated backup processes executed during the breach period dumped conference registration databases to disk, potentially exposing attendees' first and last names, physical addresses, email addresses, phone numbers, and hashed passwords. Linux Australia confirmed no financial data was compromised, as credit card processing occurred through a third-party gateway that only returned payment status codes to Zookeepr. The breach was detected on March 24 when administrators investigated anomalous error emails generated during code deployments between 0600 and 1100 AEDT on March 22, though these alerts were initially mistaken for routine network issues.

Linux Australia's three-person Admin Team activated their segmented response protocol upon discovery, with two members conducting a collaborative forensic analysis while a third performed an independent assessment. Immediate containment measures included suspending all non-admin accounts on the compromised server, removing attacker-installed init scripts, and deploying the rkhunter security scanner. Investigators reviewed shell history files—unaltered by the attacker—to reconstruct intrusion activities, while multiple system reboots purged malicious software from memory. The organization decommissioned the affected hardware and migrated PyCon Australia 2015 to a newly built host implementing stricter security controls: key-based authentication replaced password logins, internet-facing services were restricted, and operating system updates were scheduled more rigorously. Additional safeguards included duplicating logs to a centralized analysis server, automatic expiration of user accounts three months post-conference (extended to 24 months for PyCon Australia), and archiving conference databases to isolated servers six months after events concluded. Although no evidence confirmed data exfiltration, Linux Australia notified attendees of potential exposure and advised password changes for accounts sharing credentials with their conference systems, while seeking collaboration with Australian computer emergency response teams to identify the initial attack vector.
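The replacement host's login hardening (key-based authentication in place of password logins, restricted root access) is the kind of setting that is easy to state and easy to get subtly wrong. The script below is an added example, not Linux Australia's own tooling or configuration: it audits an `sshd_config` for those settings, reporting each weak directive. It assumes OpenSSH parsing semantics (the first occurrence of a directive wins, `Match` blocks are ignored) and the stock defaults (`PasswordAuthentication yes`, `PubkeyAuthentication yes`, `PermitRootLogin prohibit-password`) for directives that are absent. The two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Linux Australia's own tooling): audit an sshd_config for the
# login-hardening settings a replacement host should carry.
# Assumptions: OpenSSH semantics (first occurrence of a directive wins; Match blocks
# ignored), and stock defaults supplied by the caller for absent directives.

# Print the effective value of one directive, or the given default if it is absent.
sshd_directive() {
    _cfg="$1"; _key="$2"; _default="$3"
    awk -v key="$_key" -v def="$_default" '
        /^[[:space:]]*#/ || NF < 2 { next }              # skip comments and blanks
        tolower($1) == "match" { exit }                   # stop at the first Match block
        tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { print (found ? val : def) }' "$_cfg"
}

# Return 0 when password logins are off, key auth is on and password-based root
# login is blocked; otherwise print each weak setting and return 1.
audit_sshd_config() {
    cfg="$1"; rc=0
    pw=$(sshd_directive "$cfg" PasswordAuthentication yes)
    pk=$(sshd_directive "$cfg" PubkeyAuthentication yes)
    rl=$(sshd_directive "$cfg" PermitRootLogin prohibit-password)
    [ "$pw" = "no" ]  || { echo "WEAK: PasswordAuthentication=$pw (want no)"; rc=1; }
    [ "$pk" = "yes" ] || { echo "WEAK: PubkeyAuthentication=$pk (want yes)"; rc=1; }
    case "$rl" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin=$rl (want no or prohibit-password)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs: a password-login host and its hardened replacement.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# legacy host (constructed sample)
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
# replacement host (constructed sample)
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF

audit_sshd_config "$WEAK_CFG" || echo "legacy config fails audit"
audit_sshd_config "$HARD_CFG" && echo "hardened config passes audit"
```

Because sshd honours the first occurrence of a directive, a hardening line appended to the end of a file that already says `PasswordAuthentication yes` changes nothing; the audit reads the file the same way sshd does, so that mistake shows up as a WEAK finding rather than passing silently.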
