[BreachExchange] Vesta control panel servers infected with DDoS malware after supply chain attack

Destry Winant destry at riskbasedsecurity.com
Wed Oct 24 00:13:55 EDT 2018


An open-source hosting panel software provider, Vesta Control Panel
(VestaCP), has admitted that the company became a victim of a supply
chain attack.

In an announcement made by VestaCP on its forum, it was revealed that
the hacker managed to contaminate the source code of its project with
DDoS malware. The malware was capable of recording passwords and can
open shells as well as launch DDoS attacks.

In the forum post, a team member of the company stated that an already
present bug in the API of an earlier version of VestaCP software was
exploited by the attacker to infect the server. “Our infrastructure
server was hacked. The hackers then changed all installation scripts
to log admin password and [server IP].”

ESET researchers announced on 18 October that attackers were trying to
exploit official VestaCP distribution to install Linux/ChachaDDoS
malware onto the system. Moreover, researchers noted that the
attackers had installed a /usr/bin/dhcprenew binary to open shell and
also launch DDoS attacks. A warning was also issued to the VestaCP
team regarding abnormal bandwidth usage.

A user Razza posted more information on the VestaCP forum about the attack:

“The attacker tried launching Linux/ChachaDDoS via SSH. It is not
clear how the payload was dropped in the /var/tmp directory, but
assuming the attacker already has the admin password, it would have
been a trivial task.”

Currently, it is not clear how the supply chain was exploited but it
is assured that the malware was found on new installations. It was,
reportedly, present since May 2018 and had been launching attacks to
compromise servers. VestaCP clients also reported abnormal bandwidth
usage by their servers at the same time when the attacks were

Sharp similarities between the persistence mechanisms of ChachaDDos
malware and Xor.DDoS are evident. Either both have been developed by
the same author or the author of ChachaDDos stole the code of

A user claims after assessing the source code of VestaCP available on
its official GitHub repository that the malicious code was added on
May 31, 2018, and removed exactly after two weeks, i-e, on June 13.
Attackers used the code to steal password of servers where the VestaCP
was installed.

To avoid suspicion, attackers sent the passwords back to VestaCP’s
official domain. The passwords were then used by the attacker to
access compromised servers and to install Linux/ChachaDDoS. The
malware seems to be a combination of code retrieved from various
malware strains, most of which belong to XOR.

According to the analysis of Marc- Etienne M. Léveillé at ESET, the
malware can perform a variety of functions but the attackers have only
utilized its DDoS feature; he also observed that in some campaigns
infected VestaCP servers were used to launch attacks against two IPs
located in China.

After maintaining a disturbing silence on the issue, VestaCP finally
admitted that a cyber-attack did occur. The company is working with
Acturus, a Russian cyber-security firm, to assess the complaints from
users that have been pouring in since mid-Sep. It has also released a
patch with VestaCP 0.9.8-23 today to address the security flaws
Acturus identified during its probe.

More information about the BreachExchange mailing list