After a few days of speculations fuelled by a not clear enough explanation, the OpenSSL Foundation has confirmed that the late December defacement of its Openssl.org website happened because of insecure passwords, and not a vulnerability in VMware software.
The website was defaced on December 29 by a group of Turkish hackers who, as it seems, have changed the site’s main page to prove that they could and to gain a reputation.
“Other than the modification to the index.html page no changes to the website were made,” the latest notice by OpenSSL says. “No vulnerability in the OS or OpenSSL applications was used to perform this defacement. The source repositories were audited and they were not affected.”
After the company initially stated that the attack was executed via a hypervisor, security experts feared that a zero-day vulnerability in VMware software was exploited.
But VMware was quick to react and reassure them by saying that “the VMware Security Response Center has actively investigated this incident with both the OpenSSL Foundation and their Hosting Provider,” and that they “have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error.”
“The OpenSSL server is a virtual server which shares a hypervisor with other customers of the same ISP,” the OpenSSL Foundation finally confirmed on Friday. “Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server.”
“Steps have been taken to protect against this means of attack in future,” they added.