Emmentaler pigeonholes

Emmental is a type of Swiss cheese that melts well and features a nutty, buttery flavor. It's one of two main kinds of cheese used for making fondue. Emmental has walnut-sized holes. The internet is like that. With extra holes.


ChachaDDoS is a relatively new strain of malware used to wage denial-of-service attacks on other sites. The malware offers a variety of advanced features, including ways to prevent administrators from easily finding it on servers and analysing it. It runs on 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC. Researchers from Sophos described it as part of a newly discovered DDoS botnet they call Chalubo.

→


October 2018, an altered installation script for the VestaCP control-panel interface was found by ESET. The interface is used by system administrators to manage servers. The altered script reports back generated admin credentials. An Internet scan from Censys shows that there are more than 132,000 unexpired related TLS certificates.

  • The hack most likely started by exploiting a critical vulnerability on the VestaCP server.
  • Attackers added the password-sniffing functions to the installation source code. VestaCP software already contained code sending statistical information from user servers back to the vestacp.com website. The hackers simply added code to include encoded passwords.
  • The hackers retrieved the passwords from the VestaCP server.
  • Using SSH, the attackers infected the with the passwords gained servers with ChachaDDoS, a relatively new strain of malware.

The modified installation script was visible in the VestaCP source code management on GitHub between May 31 and June 13. And this is from April, long before May, and this is a snapshot of continued problems from September, well after June.


October 2018 the PyPI repo is found tainted again. Colourama, when run on Windows servers, adds a script which monitors the server’s clipboard for signs that a user is about to make a cryptocurrency payment and if so, diverts the payments from the wallet address contained in the clipboard to an attacker-owned wallet. Bertus reports it has probably been downloaded 55 times, and is possibly in use in software that has incorporated it.

→


It all began when attackers compromised the M.E. Doc update server and sent NotPetya to unsuspecting victims. XDATA ransomware was also distributed via M.E. Doc in June 2017 and possibly as early as April. Malwarebytes estimated that, conservatively, we are looking at a number at least in the tens of thousands of systems infected (a significant percentage of which reside in the Ukraine). in the wiper attack - it is impossible for the attackers to decrypt victims' disks, even if they pay the ransom fee. Symantec published a chart.

The Ukranian power grid and other key assets have been the frequent target of Russian state-sponsored hackers. A number of Ukrainian officials laid blame at Russia’s feet.

→


The official repository for the widely used Python programming language PyPI was tainted with modified code packages that had been downloaded by unwitting developers who incorporated them into software for three months.

  • The packages functioned as normal but the added code was executed as soon as a developer or system administrator installed the package (administrator privileges).
  • The executed code was apparently only used to report name and version of the fake package, user name of the user who installed the package, and hostname (with a HTTP request to a remote server at

The attack was made easier by pip not requiring the cryptographic signature and executing arbitrary code during package installation.

The incident resembles an attack carried out in June 2016 in a research experiment in which Hamburg student Nikolai Philipp Tschacher uploaded packages to PyPI and two other repositories.

→


Attackers modified at least five software packages distributed by network connectivity and server management solutions provider NetSarang in order to infect its business users with modular backdoor spyware. A financial institution detected suspicious DNS requests on systems related to the processing of financial transactions and contacted Kaspersky Lab.

Kaspersky reported that the ShadowPad files delivered an encrypted payload capable of remotely downloading and executing arbitrary code, uploading files, creating processes, and storing data in a virtual file system contained within the victim’s registry. The injection worked in a similar way as the CCleaner injection:

  • Using a tiered architecture that stops the backdoor from activating until a designated command-and-control (C&C) server sends a specially crafted DNS TXT record for a specific domain. The attackers implemented a domain generation algorithm for these C&C servers.
  • If the data sent during the DNS request wass interesting, the Command and Control (C&C) servers respond and activate the backdoor.
  • Once the payload was activated, the module exchanged data with the server, which sent backs a decryption key for the next stage of the code.
  • With the backdoor activated, attackers could upload files, create processes, and store information in a VFS contained within the victim’s registry. The VFS and any additional files created by the code were encrypted and stored in locations unique to each victim.

Some of the techniques used were also used to spread the PlugX remote access tool and Winnti backdoor programs, allegedly developed by Chinese-speaking authors.

→

Older entries >>