The Fail @Potemkine!
I am also a Linux user who has posted here about no OS being completely secure, but I'm afraid that you just pointing to the CVE database with a search term of Linux does not answer the ACs request for how this particular piece of malware got onto the system.
If you look through all of the CVE database of known vulnerabilities for Linux, the overwhelming majority of them detail problems after someone has already gained access to a system. Yes, not all of them, but you can bet your last dollar on all of the remote access problems having patches produced very quickly. Whether they're applied...
SSH is a common vector of attack, as it is almost certainly turned on for almost all Linux systems, so this is one that needs to be understood. But reading the papers referenced, they make no mention of how the systems were initially compromised, other than the fact that some of the sites appeared to be running old levels of software, which probably contain unpatched vulnerabilities.
But the one method that is mentioned is that one of the libraries loaded by sshd is compromised to inject code that is then run by sshd, and the /usr/bin/sshd binary is then replaced. If the site was using tripwire or another similar facility, this should be detected quite quickly.
Both of these operations require the attacker to gain a privileged process on the target, so this indicates either a remote root vulnerability, a method of obtaining a unprivileged process plus a privilege escalation vulnerability, or some seriously lax system administration.
in fact, the papers comment on what Kobalos can do when it is on the system, but little about how it gets on to the system.
I suspect (and this is pure guess work based on experience) that this has been a multistage attack. I would guess that one user's account was accessed through some means such as social engineering, then this account was used to steal that users SSH private keys. Because the HPC community is fairly well connected, it is possible that the same private keys were used to access several HPC sites (because of poor credential management by the initial user), and once in, an unpatched privilege escalation was then used to inject a credential stealer into sshd that then gathered information from all of the users of that system, and then on to other systems using the same model of attack.
This type of attack is difficult to stop, because once private SSH keys have been leaked, especially if they are used on multiple systems, they are difficult to prevent being used except by a wholesale change of key pairs. This is why it is vitally important to use different keys for different systems, and to store the private keys in as few places as is absolutely needed. Also, keep your systems, especially those exposed directly to external users, patched and up-to-date!
This problem is not unique to SSH keys, but many users (especially in the scientific community) are very bad at following any best practice that makes it more difficult for them to do their work (I worked supporting a top 100 HPC site, I know from personal experience!)
I also suspect that this particular problem is pretty much contained within the scientific and HPC environments,
Biting the hand that feeds IT
