An open-source hosting panel software provider, Vesta Control Panel (VestaCP), has admitted that the company became a victim of a supply chain attack.
In an announcement made by VestaCP on its forum, it was revealed that the hacker managed to contaminate the source code of its project with DDoS malware. The malware was capable of recording passwords and can open shells as well as launch DDoS attacks.
In the forum post, a team member of the company stated that an already present bug in the API of an earlier version of VestaCP software was exploited by the attacker to infect the server. “Our infrastructure server was hacked. The hackers then changed all installation scripts to log admin password and [server IP].”
ESET researchers announced on 18 October that attackers were trying to exploit official VestaCP distribution to install Linux/ChachaDDoS malware onto the system. Moreover, researchers noted that the attackers had installed a /usr/bin/dhcprenew binary to open shell and also launch DDoS attacks. A warning was also issued to the VestaCP team regarding abnormal bandwidth usage.
A user Razza posted more information on the VestaCP forum about the attack:
“The attacker tried launching Linux/ChachaDDoS via SSH. It is not clear how the payload was dropped in the /var/tmp directory, but assuming the attacker already has the admin password, it would have been a trivial task.”
Currently, it is not clear how the supply chain was exploited but it is assured that the malware was found on new installations. It was, reportedly, present since May 2018 and had been launching attacks to compromise servers. VestaCP clients also reported abnormal bandwidth usage by their servers at the same time when the attacks were underway.
Sharp similarities between the persistence mechanisms of ChachaDDos malware and Xor.DDoS are evident. Either both have been developed by the same author or the author of ChachaDDos stole the code of Xor.DDoS.
A user claims after assessing the source code of VestaCP available on its official GitHub repository that the malicious code was added on May 31, 2018, and removed exactly after two weeks, i-e, on June 13. Attackers used the code to steal password of servers where the VestaCP was installed.
To avoid suspicion, attackers sent the passwords back to VestaCP’s official domain. The passwords were then used by the attacker to access compromised servers and to install Linux/ChachaDDoS. The malware seems to be a combination of code retrieved from various malware strains, most of which belong to XOR.
According to the analysis of Marc- Etienne M. Léveillé at ESET, the malware can perform a variety of functions but the attackers have only utilized its DDoS feature; he also observed that in some campaigns infected VestaCP servers were used to launch attacks against two IPs located in China.
After maintaining a disturbing silence on the issue, VestaCP finally admitted that a cyber-attack did occur. The company is working with Acturus, a Russian cyber-security firm, to assess the complaints from users that have been pouring in since mid-Sep. It has also released a patch with VestaCP 0.9.8-23 today to address the security flaws Acturus identified during its probe.
