Cisco Warns Of Ongoing Attacks Targeting Dangerous Flaw


A website control panel popular with cloud hosting providers is being actively targeted by attackers according to Cisco, which said a patch for the vulnerability has been available for a year.

A Cisco researcher has analyzed a malicious webmail script used in a spate of attacks targeting the Parallels Plesk Panel. By injecting malicious Perl script into the username field, successful attackers are able to bypass authentication and upload files to the targeted server, according to Craig Williams, a technical leader at Cisco.

In a warning issued on the Cisco security blog, Williams said attackers appear to be using an IRC botnet as the payload. Williams said the script he analyzed could be part of a wave of attacks targeting Apache, one of the most widely used Web server software.

[Related: Mass WordPress Attacks Spread, Brute-Forcing Admin Passwords]

"Left unpatched, this bug and others like it will likely continue to be exploited for years to come. Only time will tell what other payloads may be installed," Williams wrote. "These types of attacks could be one avenue used in the DarkLeech compromises."

DarkLeech, an automated attack toolkit has reportedly successfully infected 20,000 websites, targeting Apache implementations and turning them into a broader botnet, capable of spreading malware or carrying out denial-of-service attacks. Ars Technica was the first to report on the attacks earlier this month.

The problem is serious because the potentially vulnerable control panel is used by hosting or service providers that maintain a large number of virtualized environments for people to manage. Williams told CRN that the problem could be particularly alarming if the attackers leverage the power of the infected Web servers as a botnet in distributed denial-of-service attacks. Many sites would be unprepared to handle the massive flood of UDP traffic aimed at them, Williams said in an interview with CRN.

"The fact that this vulnerable control panel server is still installed at the hosting companies shows that there is some limited visibility and management capabilities at some of these companies," Williams said. "This isn't the only vulnerability; anyone running this version is probably compromised in several different ways."

The Web servers are infected with an SSHD backdoor that allows attackers to set up drive-by attacks on otherwise legitimate websites. The latest attacks appear to be financially motivated, however, with malware pointing to the Black Hole automated attack toolkit and malware that spreads fake antivirus software and the ZeroAccess rootkit.

The vulnerability is in a third-party Horde webmail plugin for Plesk 9.3 and earlier and not in the Plesk control panel itself, according to a Parallels spokesperson. The Plesk versions are no longer supported, but a patch was issued in February 2012. The software maker encourages customers to keep systems fully patched and subscribe to support emails.

"Parallels takes the security of its partners very seriously and regularly advises partners about how they can protect themselves against new threats," the spokesperson said.

The cybercriminals behind the attacks are using techniques that make it a difficult problem to address, according to Mary Landesman, a senior security researcher at Cisco. From checking IP addresses to black listing search engine spiders, the attackers gain control of the site to evade detection.

Williams said the Perl script he examined appears to have been around for years and discussed in PHP exploit groups. The latest version appears to be code copied from several different scripts, Williams said.

Website administrators must address remotely detectable vulnerabilities, Williams said. The problem is more widespread among third-party components used to add functionality to websites. Content management systems and their third-party components are often left vulnerable, despite security updates issued by software makers, he said.

PUBLISHED APRIL 24, 2013

This story was updated on April 24, 2013, at 1:42 p.m. PST, to include comments made after press time by Cisco's Craig Williams.

This story was updated on April 24, 2013, at 4:02 p.m. PST, to include comments from Parallels' spokesperson made after press time.