Cisco Highlights Possible Exploit Vector Used in DarkLeech Web Server Attacks

Attackers are exploiting a vulnerability in a popular Website configuration tool to gain remote access to Web servers, Cisco researchers said in an advisory.

A malicious webmail script exploited the Horde/IMP Plesk webmail vulnerability (CVE-2012-1557) in vulnerable versions of the Parallels Plesk control panel software, Craig Williams, technical leader at Cisco Security, wrote on the company blog. Attackers appear to be using an IRC botnet as part of the payload, Williams said.

Parallels Plesk Panel is a control panel application popular with cloud hosting providers and can be used to manage user websites. Attackers are exploiting a vulnerability, which was patched a year ago, in the control panel to successfully gain access to the Web server and upload malicious Apache modules, Williams said. The exploit allows attackers to inject malicious Perl script into the login page’s username field and successfully bypass authentication, he wrote.

“It is quite surprising how long old, well-known vulnerabilities continue to be exploited,” Williams said, noting that an updated patch for Parallels Plesk Panel had been released a year ago.

The malicious script Williams analyzed could easily be part of a wave of attacks enterprises are currently dealing with. The malware’s infection and attack vectors mean it is possible researchers have stumbled on the answer to how DarkLeech was infecting Web servers. “These types of attacks could be one avenue used in the DarkLeech compromises,” Williams said.

Earlier this month, there were reports that Darkleech had infected around 20,000 Websites over a period of a few weeks. The number was extrapolated from almost 2,000 Darkleech infections Cisco Security researchers had identified. Infected machines were gathered into a large botnet capable of spreading more malware and launching denial of service attacks.

The infection takes a fairly simple path. Attackers somehow manage to gain root access to the Web server, and then infect the server with an sshd backdoor which allows attackers to remotely install malicious Apache modules, Cisco Security’s Mary Landesman said at the time. Once on the server, the malware dynamically injects iFrames onto Web pages as they are displayed to site visitors. The malicious iFrames directed users to other sites or loaded malicious content to compromise site visitors.
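Two defender-side checks for the artifacts this infection path leaves behind, an Apache module that is not in the administrator's known-good baseline and hidden iframes injected into served pages, as an added example that is not code from Cisco or from the article. The baseline module set, the `apachectl -M` output, the module name `example_unknown_module` and the HTML are constructed samples, and the "hidden" thresholds (display:none, visibility:hidden, width or height of 2px or less) are assumptions a practitioner would tune.

```python
"""Detection checks for the DarkLeech-style compromise described above:
(1) an Apache module loaded that is not in a known-good baseline, and
(2) hidden or off-site iframes present in HTML served to visitors.
Example code added to the article; all inputs below are constructed."""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: captured from a known-good `apachectl -M` run on the same host.
BASELINE_MODULES = {
    "core_module", "so_module", "http_module", "mpm_prefork_module",
    "log_config_module", "mime_module", "dir_module", "rewrite_module",
}

# Constructed `apachectl -M` output from a hypothetical compromised host.
SAMPLE_APACHECTL_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_prefork_module (shared)
 log_config_module (shared)
 mime_module (shared)
 dir_module (shared)
 rewrite_module (shared)
 example_unknown_module (shared)
"""

# Constructed page: one legitimate same-site embed, one injected hidden iframe.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/embedded/player" width="640" height="360"></iframe>
<iframe src="http://malicious.invalid/x.php" width="1" height="1" style="display:none"></iframe>
</body></html>
"""


def unexpected_modules(apachectl_output, baseline=BASELINE_MODULES):
    """Return modules listed by `apachectl -M` that are absent from the baseline."""
    found = set()
    for line in apachectl_output.splitlines():
        m = re.match(r"\s*(\S+_module)\s+\((static|shared)\)", line)
        if m:
            found.add(m.group(1))
    return sorted(found - set(baseline))


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _dimension(value):
    """Parse a width/height attribute such as '1' or '1px'; None if unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """Heuristic (assumption): CSS-hidden or tiny iframes are treated as hidden."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    return (w is not None and w <= 2) or (h is not None and h <= 2)


def suspicious_iframes(html, site_host):
    """Return (src, reason) for iframes that are hidden or point off-site.

    A relative src has no hostname and is treated as same-site."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host
        if _is_hidden(attrs):
            hits.append((src, "hidden"))
        elif host != site_host:
            hits.append((src, "off-site"))
    return hits


if __name__ == "__main__":
    print("Modules not in baseline:", unexpected_modules(SAMPLE_APACHECTL_M))
    print("Suspicious iframes:", suspicious_iframes(SAMPLE_HTML, "example.com"))
```

Both checks are triage aids rather than proof of compromise: a legitimate off-site embed is reported for review, and the module check is only as good as the baseline, so the baseline should be recorded from a freshly built host rather than from one already suspected of infection.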

How the attackers were gaining root (brute-force, social engineering and exploiting software vulnerabilities are all possibilities) remained a mystery, Landesman said.

The active exploit of this year-old vulnerability serves as an important reminder that website operators and administrators must keep systems up-to-date, Williams said. This means not just the operating system, but every program and add-on for those programs also needs to be kept up-to-date, he added.

This is particularly relevant when the server is hosted with a remote provider and the administrator cannot reach it on a local network.

Related: ‘Darkleech’ Malware Infects 20,000 Legitimate Apache Powered Sites