VestaCP compromised in a new supply-chain attack

guest · Oct 18, 2018

VestaCP compromised in a new supply-chain attack
Customers see their admin credentials stolen and their servers infected with Linux/ChachaDDoS
October 18, 2018
https://www.welivesecurity.com/2018...alware-distributed-servers-vestacp-installed/

In the last months, there have been numerous users of VestaCP, a hosting control panel solution, receiving warnings from their service provider that their servers were using an abnormal amount of bandwidth. [...] At the same time this week, we found out that the VestaCP website was compromised, enabling a supply-chain attack
Infection vector
[...] During the installation, VestaCP creates a user named “admin” that has sudo privileges. How could the attacker have known the password for this admin user?

User “Falzo” also dug in the code and found out something even more interesting: some versions of the installation script are leaking the admin password and server name to vestacp.com, the official website of VestaCP. [...]
Conclusion
This incident is also a reminder that just because software is open source does not provide a 100% warranty that the software is safe. Malware can still make its way in. The malicious credential-stealing code was right there, for everyone to see on GitHub, for multiple months before it was spotted.
Click to expand...

Minimalist · Nov 27, 2018

Widely used open source software contained bitcoin-stealing backdoor

A hacker or hackers sneaked a backdoor into a widely used open source code library with the aim of surreptitiously stealing funds stored in bitcoin wallets, software developers said Monday.

The malicious code was inserted in two stages into event-stream, a code library with 2 million downloads that’s used by Fortune 500 companies and small startups alike. In stage one, version 3.3.6, published on September 8, included a benign module known as flatmap-stream. Stage two was implemented on October 5 when flatmap-steam was updated to include malicious code that attempted to steal bitcoin wallets and transfer their balances to a server located in Kuala Lumpur. The backdoor came to light last Tuesday with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn’t issue an advisory until Monday, six days later.
Click to expand...

https://arstechnica.com/information...y-used-open-source-software-to-steal-bitcoin/

guest · Nov 28, 2018

Minimalist said: ↑

Widely used open source software contained bitcoin-stealing backdoor

https://arstechnica.com/information...y-used-open-source-software-to-steal-bitcoin/
Click to expand...

Distributing Malware By Becoming an Admin on an Open-Source Project
November 28, 2018
https://www.schneier.com/blog/archives/2018/11/distributing_ma.html

The module "event-steam" was infected with malware by an anonymous someone who became an admin on the project.

Cory Doctorow points out that this is a clever new attack vector:

Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lot of new bugs being found, and the contributors to these projects dwindle
[...]
This presents a scary social-engineering vector for malware: A malicious person volunteers to help maintain the project, makes some small, positive contributions, gets commit access to the project, and releases a malicious patch, infecting millions of users and apps.
Click to expand...

Log in or Sign up

VestaCP compromised in a new supply-chain attack

guest Guest

Minimalist Registered Member

guest Guest

Log in or Sign up

VestaCP compromised in a new supply-chain attack

guest Guest

Minimalist Registered Member

guest Guest

Useful Searches