Vaserv.com Webhosting Firm Hack Wipes Out Data For 100,000 Websites Due To Vulnerable Application By LXLabs
A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application.
Technicians at UK-based Vaserv.com were still scrambling to recover data on Monday evening UK time, more than 24 hours after unknown hackers were able to gain root access to the company’s system. The attackers were able to penetrate his servers by exploiting a critical vulnerability in HyperVM, a virtualization application made by a company called LXLabs. Vaserv.com got hit by a zero-day exploit in version 2.0.7992 of the HyperVM application.
No one could receive a response to inquiries sent to LXLabs company, which according to its website is located in Bangalore.
Data for about half of the websites hosted on Vaserv was destroyed all at once sometime Sunday evening, shortly after administrators noticed “strangeness” on the system. The attackers had the ability to execute sensitive Unix commands on the system, including “rm -rf,” which forces a recursive delete of all files.
Some 50 percent of Vaserv’s customers signed up for unmanaged service, which doesn’t include data backup. It remains unclear of those website owners will ever be able to retrieve their lost data. As a result, at least half the websites that were hosted on the site remain offline.
“Since last night, I’ve had probably 40 phone calls from clients saying ‘Why is my website down,’” said Daniel Voyce, a web developer for Nu Order Webs who uses Vaserv to host customer sites. “It’s making me look bad.”
Voyce said the hackers, given the high level of server access they gained, were likely able to intercept a wealth of sensitive data stored on Vaserv’s servers. Voyce said his customers are safe because all sensitive information was encrypted.
Little is known about the people who attacked the site. So far, there are no known reports of individuals taking credit for the hack. The breach was likely the result of a SQL injection attack that penetrated Vaserv’s central management software and removed vital binaries and data for about half of all user data stored by the service.
Vaserv specializes in low-cost web hosting using VPS, or virtualized private servers. Virtualization features in LXLabs’ HyperVM helped Vaserv provide the service, which costs a fraction of the price of dedicated server hosting.
It remains unclear how other webhosts using the HyperVM have been affected.
Update: On Monday, the boss of LxLabs was found dead in a suspected suicide. Reports of the death of K T Ligesh, 32, come in the wake of the exploitation of a critical vulnerability in HyperVM. The effect of his death on the development of updated software by LxLabs is unknown at time of writing.
Ligesh was found hanged in his Bangalore house on Monday morning, after a late night drinking session. The Times of India reports that he was upset with the loss of a recent contract. Ligesh was also still coming to terms with the suicides by hanging of his sister and mother five years ago.
Security researchers at Milw0rm warn that the Kloxo (formerly Lxadmin) web hosting platform from LxLabs contains 24 security vulnerabilities and exploits. The flaws include SQL injection vulnerabilities and flaws that create a way for hackers to gain file access to files hosted on a vulnerable system.
The vulnerabilities are confirmed to affect Klaxo version 5.75, though other versions may also be affected. Milw0rm went public with an alert on the vulnerability last Thursday after failing to hear back from LxLabs in what it considered to be a timely manner.
LxLabs recently said that more than 30,000 virtualized private servers (vpses) were managed by HyperVM, and more than 8,000 servers running Kloxo. The largest single installation of hyperVM centrally manages more than 4000 VPSes.
Virtualization features of HyperVM allow hosting firms such as VAserv to provide low-cost web hosting at a fraction of the price of dedicated server hosting.
Credit: The Register