Compromised Download Partner

Compromised Download Partner

For about 3 hours on August 2nd 2016 our download server was serving a hacked copy of Audacity that contained malware. This was due to hackers obtaining the password of one of our developers and using it to upload the malware.

We have now replaced the 2.1.2 hacked windows installer and disabled that hacked account on FossHub.com – We are taking the incident very seriously indeed. We are working hard, in collaboration with FossHub.com, to do what we can to help prevent such an incident in future. In many ways Audacity is a soft target for hackers – and attractive as a target because of the large number of downloads.

We are a community of developers, documentation writers, support and help people, not a commercial outfit with a dedicated security team with strong security protocols. We did not have the right safeguards in place, namely, to monitor external files.  We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organisation.

We are really sorry that we let you down. If you were hit by this malware download, please accept our sincere apologies. We are now doing our best to learn from it, even if the cost to us is some loss of the community spirit.

James Crook (on behalf of the Audacity team).
August 3rd 2016.

UPDATE by FOSSHUB.COM, 2016-08-03, 11.10am GMT:

Last night we had a security incident caused by a group of hackers that allowed them to log-in to FossHub developer *through* an user that was compromised. Shortly after, we noticed two users that were compromised. They simply logged-in using their passwords and this allowed them to escalate.

The attackers uploaded a malware file on Classic Shell page which was downloaded approximately 300 times. We removed the file in several minutes and we changed all passwords for all services we had.

They targeted the largest projects listed on FossHub: Audacity and Classic Shell. We reacted promptly for Audacity installer but for Classic Shell, several hundred users were able to download the malware infected version.

We have been in contact with Google, PNAP and other providers.

Several hours later, we noticed the attackers were able to gain access through an FTP account and we decided to shut down the main server immediately to prevent any further infection/damage.

FossHub.com is down on purpose until we are able to identify the way hackers were able to escalate.

Therefore, we are currently in the process of reinstalling everything, change all access rights, passwords and run up under new security rules.

The attackers tried to gain access to DNSMadeEasy (our DNS provider), to CloudFlare, personal emails, CDN services etc. The login-logs shows no successful logins, only FAILED attempts.

To keep this short, we will keep all services down until further notice.

I would like to say that we “apologize” but I would lie not to admit it is the worst day ever for me (personally) and all FossHub team members.

After this incident, everything will change on our side. I am disappointed that despite of trying to build the image of one of the cleanest sites on the web we are here.

I will email everyone after we are back, now we are under a pile of work, thank you!

Regards, Sam – FossHub

UPDATE BY Audacity Team’s Security Group – 2016-08-03 11:15 GMT:

We can confirm that, except for one external developer account on FossHub.com, no Audacity Team infrastructure was compromised.

Classic Shell and Audacity windows .exe downloads were replaced by the attacker[s] with an MBR-overwriting trojan.

Some tips for safer downloading:

Install Antivirus and Firewalls. We cannot make recommendations, but you can review this website: http://www.av-comparatives.org/

You can also verify ALL files you download using https://virustotal.com/, which provides a multi-antivirus URL and File verification service.

Also, please make sure deceptive advertisement do not trick you into clicking them, making you believe they will provide the download file you were looking for. Review the entire web page before clicking on anything. Especially deceptive Advertising. We support the Advertising industry, but not the Malware Industry.

If you have any doubts or questions, please feel free to contact us.

UPDATE from Audacity Team Security Group – 20160803-12:54 GMT:

Oldfoss.com was also compromised. Audacity Team contacted FossHub.com to let them know. Site www.oldfoss.com has been put offline.

In the news: Reporting on the Breach

This news item at softpedia is one of the more informative about the breach.