The timeline suggests this is a patient hacker. The most patient of those are nation-states, because they're not worried about cash flow and think in terms of years.
Makes one wonder how many instances of this go unnoticed. Maybe this attacker got sloppy, but how many of them don't? We were lucky that one person noticed suspicious behavior and had the technical skills and patience to investigate, but how many of us don't?
This attacker did not get sloppy. They got control of a critical piece of free software, got a still-not-fully-understood piece of malware into it, past whatever peer review we like to imagine we have, then got it uploaded into at least two critical Linux distributions, past whatever peer review we like to imagine we have, and were only found, two years into the operation, by pure luck and a very dedicated engineer.
It was actually found less than two months after it was introduced in 5.6.0. Now, the attacker maintained the project for 2 years before that, and we don't know what else they inserted, but the known vulnerability was only in a release since February.
Undoubtedly they do. This is an example of why defence in depth is important. Things fail all the time for intentional and non-intentional reasons. A single point of failure can’t be allowed.
It wasn't sloppy. It was just luck that someone noticed half a second of extra latency on the second connection of a newly run sshd process and went down the rabbit hole. Had they just shrugged and moved on to more "important" tasks/deliverables, it would most likely have landed in production across the world.
I don’t think it was luck. I think some people are so in tune with their systems that investigating an anomaly like this is a frequent occurrence. This particular anomaly just happened to have an explosive ending.
Yes, I have met Andres in real life and I can totally believe that he is that in tune with his system. He wrote that he found this while benchmarking PostgreSQL and saw weird load from ssh. He does a lot of benchmarking of PostgreSQL patches.
But I would say it was also luck. If Andres hadn't been benchmarking on Debian Testing (or whatever system he found this on), this might have taken a longer time to discover.
It may not sound sloppy if you are used to today's apps and websites, but half a second is an eternity in CPU time. Half a second is also a very significant amount of time compared to normal ssh connection times with low network latency - if not Freund then someone else would have noticed, complained, and this would have eventually been investigated. The only luck part here is it taking less than two months for this to happen, but the attacker could have prevented this avenue for detection entirely by optimizing the exploit not to slow down the ssh process.