Cyber Incident Victim: Vesta Control Panel
Date:
May 2018
Location:
Russia
Summary
A web hosting control panel's infrastructure was compromised, allowing attackers to modify its installation scripts so that they captured administrator passwords and server IP addresses during installation. Using the harvested credentials, the attackers logged in to the affected servers and deployed Linux/ChachaDDoS, a malware strain built to launch distributed denial-of-service attacks, primarily against Chinese IP addresses; the resulting abnormal bandwidth consumption triggered alerts from cloud providers. Following user reports, the developers released a security update and a diagnostic tool and advised users to reset passwords and remove the malicious binary. The incident damaged the platform's reputation and prompted some users to migrate to alternative solutions.
Description
The Vesta Control Panel (VestaCP) incident began when attackers compromised the project's infrastructure server on or around May 31, 2018. They modified the installation scripts published in the official VestaCP GitHub repository so that, during each panel installation, the script silently recorded the newly created administrator password and the server's IP address for the attackers. The tampered scripts stayed in place for approximately two weeks, until June 13, so any installation performed from the official source in that window should be treated as exposed. Security researchers later determined that the stolen credentials were used to log in to servers running VestaCP. Once inside, the attackers deployed a previously unseen malware strain that ESET named Linux/ChachaDDoS, which reuses code from the Xor.DDoS family and other known Linux DDoS malware.
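The attack above worked because installers of this kind are typically fetched and piped straight into a shell, so whatever the project's server hands out runs as root with no check in between. The script below is an added example, not VestaCP's own installer or tooling, of the fail-closed alternative: save the installer to disk, compare its SHA-256 against a digest pinned out-of-band (for instance recorded from a copy audited earlier), and execute it only on a match. The installer contents and the "tampered" line are constructed for the demonstration; no real VestaCP script or attacker code is reproduced.

```shell
#!/bin/sh
# Added example (not VestaCP's code): verify an installer against a pinned
# SHA-256 before running it, instead of "curl URL | bash".
# All file contents below are constructed for the demonstration.

# sha256_of FILE: print the hex SHA-256 digest (GNU sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_installer FILE EXPECTED: succeed only if FILE's digest equals EXPECTED.
verify_installer() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# install_pinned FILE EXPECTED: run FILE with sh only if it verifies;
# otherwise report the mismatch and return 1 without executing anything.
install_pinned() {
    if verify_installer "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: SHA-256 does not match pinned value" >&2
        return 1
    fi
}

# make_sample_installer FILE: write a constructed, harmless stand-in for a
# panel install script (hypothetical content, not any VestaCP script).
make_sample_installer() {
    cat >"$1" <<'EOF'
#!/bin/sh
vpass=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
echo "sample installer: generated admin password of length ${#vpass}"
EOF
}

# tamper_installer FILE: append one line standing in for the attacker's
# credential-logging modification. It is a no-op here; only the changed
# bytes matter for the check.
tamper_installer() {
    printf '%s\n' ': "hypothetical line inserted after the repository was compromised"' >>"$1"
}

# Demonstration: pin the digest of the clean copy, then show that the
# tampered copy is refused.
demo_dir=$(mktemp -d)
demo_script="$demo_dir/install.sh"
make_sample_installer "$demo_script"
pinned=$(sha256_of "$demo_script")        # in practice: recorded out-of-band
install_pinned "$demo_script" "$pinned"   # clean copy runs
tamper_installer "$demo_script"
install_pinned "$demo_script" "$pinned" || echo "tampered copy was not executed"
rm -rf "$demo_dir"
```

The pinned digest must come from somewhere the attacker who controls the download server cannot also edit (a value committed in your own configuration management, or one you recorded after reading the script), otherwise the check verifies nothing. For an installer that was already run during the exposed window, this check is no help; that case is the credential reset described later on this page.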

The malware's primary function was launching distributed denial-of-service (DDoS) attacks; ESET researcher Marc-Etienne M. Léveillé documented campaigns against two Chinese IP addresses. Infected servers were typically noticed only when a cloud provider flagged abnormal outbound bandwidth, and the first public reports of suspicious server behavior appeared on forums and social media in mid-September 2018, nearly four months after the initial compromise. The VestaCP development team acknowledged the breach in a forum post confirming that its infrastructure had been hacked and engaged the security firm Acturus Security to investigate. Remediation consisted of a patched release, VestaCP 0.9.8-23, addressing security vulnerabilities, and a diagnostic tool with which administrators could check whether a server was infected; affected users were told to change the administrator password and delete the malicious binary. Because the attackers entered with valid stolen credentials, installing the patched release alone does not evict them from an already compromised server; the password reset and removal of the binary are what close that access. Despite these measures, the incident damaged VestaCP's reputation in the web hosting community and prompted some users to migrate to alternative control panels, including forks of the project. The DDoS activity stopped after containment, but the available reports do not give the number of compromised servers.
