Cisco Highlights Possible Exploit Vector Used in DarkLeech Web Server Attacks

Attackers are exploiting a vulnerability in a popular Website configuration tool to gain remote access to Web servers, Cisco researchers said in an advisory.

A malicious webmail script Williams analyzed exploits a known weakness (the "Horde/IMP Plesk Webmail Exploit", CVE-2012-1557) in vulnerable versions of the Parallels Plesk control panel software, Craig Williams, technical leader at Cisco Security, wrote on the company blog. The payload appears to enlist the compromised server in an IRC botnet, Williams said.

Parallels Plesk Panel is a control panel application popular with cloud hosting providers and used to manage customer websites. Attackers are exploiting a vulnerability in the panel, patched a year ago, to gain access to the Web server and upload malicious Apache modules, Williams said. The exploit injects a malicious Perl script through the login page's username field and bypasses authentication, he wrote.

“It is quite surprising how long old, well-known vulnerabilities continue to be exploited,” Williams said, noting that a patch for Parallels Plesk Panel had been released a year ago.

The malicious script Williams analyzed could easily be part of the wave of attacks enterprises are currently dealing with. Its infection and attack vectors make it possible that researchers have found the answer to how DarkLeech was getting onto Web servers. “These types of attacks could be one avenue used in the DarkLeech compromises,” Williams said.

Earlier this month, there were reports that DarkLeech had infected around 20,000 Websites over a period of a few weeks. The figure was extrapolated from almost 2,000 DarkLeech infections Cisco Security researchers had identified. Infected machines were gathered into a large botnet capable of spreading more malware and launching denial-of-service attacks.

The infection takes a fairly simple path. Attackers somehow gain root access to the Web server, then install an sshd backdoor that lets them remotely install malicious Apache modules, Cisco Security’s Mary Landesman said at the time. Once on the server, the malware dynamically injects iframes into Web pages as they are served to site visitors. The malicious iframes redirect visitors to other sites or load malicious content to compromise them.
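Because the injection happens in the Apache module at serve time, the files on disk look clean and the only reliable place to see it is in the HTML a visitor actually receives. The following is an added example, not Cisco's tooling or anything from the DarkLeech analysis: a small scanner that parses served HTML and flags iframes that point off-site and are made invisible (tiny dimensions, hidden styling, off-screen positioning, or a bare IP address in the source). The heuristics, the threshold `TINY`, and the sample page (with a documentation IP address) are assumptions constructed for the example, not DarkLeech's actual signature.

```python
"""Flag iframes that look like drive-by injections in served HTML.

Added example; the heuristics below are assumptions, not a known DarkLeech
signature. An iframe is reported when its src points to a host other than
the site's own AND it is hidden from the visitor in at least one way.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed plus an injected, hidden
# iframe of the kind a malicious Apache module might splice into a response.
SAMPLE_HTML = """<html><head><title>Example</title></head><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://198.51.100.23/x/index.php" width="1" height="1"
 style="visibility:hidden;position:absolute;left:-1000px;top:-1000px"></iframe>
<p>Hello</p></body></html>"""

TINY = 10  # pixels; assumed cutoff below which a frame cannot be meant for a human


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _px(value):
    """'1', '1px', '-1000px' -> int; anything else -> None."""
    if value is None:
        return None
    m = re.match(r"\s*(-?\d+)", value)
    return int(m.group(1)) if m else None


def _style_map(style):
    """Turn an inline style string into a lowercase {property: value} dict."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def is_suspicious(attrs, site_host):
    """Return (flag, reason) for one iframe's attributes."""
    host = urlparse(attrs.get("src", "")).hostname
    if not host or host == site_host:
        return False, "same-origin or no src"
    style = _style_map(attrs.get("style"))
    reasons = []
    dims = [_px(attrs.get("width")), _px(attrs.get("height")),
            _px(style.get("width")), _px(style.get("height"))]
    if any(d is not None and d <= TINY for d in dims):
        reasons.append("tiny dimensions")
    if style.get("visibility") == "hidden" or style.get("display") == "none":
        reasons.append("hidden via style")
    if any(p is not None and p < 0 for p in (_px(style.get("left")), _px(style.get("top")))):
        reasons.append("positioned off-screen")
    if re.match(r"\d+\.\d+\.\d+\.\d+$", host):
        reasons.append("bare IP address in src")
    return bool(reasons), (", ".join(reasons) if reasons else "external but visible")


def scan_html(html, site_host):
    """Return a list of {'src', 'reasons'} for every suspicious iframe in html."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        flagged, why = is_suspicious(attrs, site_host)
        if flagged:
            findings.append({"src": attrs.get("src"), "reasons": why})
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; in practice feed it the body of a
    # real HTTP response fetched from outside the hosting network.
    for finding in scan_html(SAMPLE_HTML, "www.example.com"):
        print(finding)
```

Fetch the page from an unrelated network and client, since injection modules of this kind are free to serve clean content to addresses they associate with the site's own administrators; comparing the response with the file on disk is the quickest way to confirm the module, not the file, is the source.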

How the attackers were gaining root (brute force, social engineering and exploitation of software vulnerabilities are all possibilities) remained a mystery, Landesman said.

The active exploitation of this year-old vulnerability is an important reminder that website operators and administrators must keep systems up to date, Williams said. That means not just the operating system, but every program and add-on running on it, he added.

This is particularly relevant when the server sits with a remote hosting provider and the administrator cannot reach it on a local network.
