Most of us don’t think twice about installing software or updates from a trusted developer. We scrutinize the source site carefully to make sure it’s legitimate, and then we let the code run on our computers without much more thought. As developers continue to make software and webpages harder to hack, blackhats over the past few years have increasingly exploited this trust to spread malicious wares. Over the past week, two such supply-chain attacks have come to light.
The first involves VestaCP, a control-panel interface that system administrators use to manage servers. This Internet scan performed by Censys shows that there are more than 132,000 unexpired TLS certificates protecting VestaCP users at the moment. According to a post published last Thursday by security firm Eset, unknown attackers compromised VestaCP servers and used their access to make a malicious change to an installer that was available for download.
Poisoning the source
“The VestaCP installation script was altered to report back generated admin credentials to vestacp.com after a successful installation,” Eset Malware Researcher Marc-Étienne M.Léveillé told Ars. “We don’t know exactly when this happened, but the modified installation script was visible in their source code management on GitHub between May 31 and June 13.” VestaCP developer Serghey Rodin told Ars his organization is working with Eset to investigate the breach to better understand the attack.