Level 30
Feb 4, 2016
Operating System
Windows 8.1
Customers see their admin credentials stolen and their servers infected with Linux/ChachaDDoS

In recent months, there have been numerous users of VestaCP, a hosting control panel solution, receiving warnings from their service provider that their servers were using an abnormal amount of bandwidth. We know today that these servers were in fact used to launch a DDoS attacks. The analysis of a compromised server has shown that malware we call Linux/ChachaDDoS is installed on the system. At the same time this week, we found out that the VestaCP website was compromised, resulting in a supply-chain attack on new installations of VestaCP since at least May 2018. Linux/ChachaDDoS has some similarity with Xor.DDoS but unlike this older family, it has multiple stages and uses Lua for its second and third stage components.

Infection vector
According to user “Razza” on VestaCP forum, the attacker tried launching Linux/ChachaDDoS via SSH. It is not clear how the payload was dropped in the /var/tmp directory, but assuming the attacker already has the admin password, it would have been a trivial task. During the installation, VestaCP creates a user named “admin” that has sudo privileges. How could the attacker have known the password for this admin user?
... ... ...