1024社区 | 1024.day

CloudCone被黑，服务器失联，黑客要求支付赎金恢复数据 https://www.nodeseek.com/post-600738-1

这份报告描述了一个安全事件，涉及到通过勒索病毒攻击特定平台上的虚拟机（VM）。以下是总结：

发生了什么：

初步观察：监控系统检测到多个虚拟机失去网络连接，并在启动时显示勒索信息。

立即行动：受影响的服务器被隔离，工程师开始调查。发现受影响虚拟机的启动扇区被勒索信息覆盖。正在通过检查原始块设备、重建分区表和寻找完整的文件系统等方式恢复数据。

攻击是如何发生的：

远程脚本执行：攻击者通过一个远程的 bash 脚本在所有受影响节点上执行攻击。该脚本现在无法访问，且主机上的 shell 历史记录被清除。没有发现未经授权的 SSH 访问，因为所有用户的登录记录与已知的内部账户匹配。

利用 Virtualizor 漏洞：调查发现攻击是通过 Virtualizor 的“Server Terminal”功能进行的，攻击者利用该功能获取了连接节点的 shell 访问权限。该方法不使用 SSH，因此没有 SSH 连接的痕迹，且 root 登录不在节点上记录，这也解释了为什么之前没有发现异常。

影响范围：

受影响的系统：只有连接到单一 Virtualizor 实例的节点受到了影响，其他平台未受影响。

数据安全： Virtualizor 平台上没有存储用户的个人或账单信息，调查也未发现客户数据库或账单系统被访问或泄露的证据。

后续计划：

公司正在进行恢复工作，并会向受影响的客户发送邮件。对给所有受影响的客户带来的不便表示歉意。

简而言之，攻击者利用 Virtualizor 平台的漏洞，通过“Server Terminal”功能获得了未授权的访问权限，导致了勒索病毒攻击。

Hello,

We acknowledge the incident that has happened today

What We First Observed
We were initially alerted to the incident when our monitoring systems detected that several VMs lost network connectivity. Upon investigating, we found ransom messages being displayed at boot on all of the affected VMs.

Our engineering teams immediately isolated the affected servers and began analysis. During the investigation, we confirmed that the boot sectors of impacted VM disks had been overwritten with the ransom message. We are attempting to recover the data by various means including examining raw block devices, reconstructing partition tables, and searching for intact filesystems.

How the Attack Was Executed
Meanwhile, the team investigating the breach discovered that a remote bash script (which is no longer accessible) had been executed across all affected nodes. Shell histories on those hosts had also been cleared. We performed a thorough review of authentication activity using system journals, rotated log files, login records and auditing data and found no evidence of unauthorized SSH access. All recorded user logins matched known internal accounts.

At this point, we started looking into other infrastructure that could have facilitated this attack and discovered that logs of one of our Virtualizor instances had been cleared from around the time of the incident. This is the Virtualizor instance that all of the affected nodes are connected to.

At this time, based on the available evidence, we believe that the attackers used the "Server Terminal" functionality within Virtualizor to gain shell access to connected nodes and execute the malicious script. This access method does not use SSH, which explains the lack of evidence relating to SSH connectivity, and we also discovered that this doesn't leave any login records on the nodes (all root level logins are also alerted via emails), explaining why we didn't find anything out of the ordinary earlier.

Scope of Impact
We use Virtualizor instances to support our VPS services. At this time, we have confirmed that only nodes connected to a single Virtualizor instance were impacted. Nodes attached to our other platforms were not affected.

We also do not store personal or billing information of our users within virtualization platforms such as Virtualizor. Our investigation has found no evidence that customer databases or billing systems were accessed or compromised.

We are currently working on the way forward, and all affected clients shall be emailed, and we apologize for the inconvenience this has caused to all our affected clients.

4.8K views11:44