New on LowEndTalk? Please Register and read our Community Rules.
Nezha monitoring tool was weaponized by Chinese hackers in a new attack wave
in News
Some LET members, me included, use Nezha as their server monitoring tool. Recently, there was an attack exploiting a bug in the tool to distribute malware. This attack seems to target Windows servers; not sure if it's also used to attack Linux servers or not. The blog post doesn't give more information about whether this exploit has been patched either.
Maybe it's best that we stop all the agents for now and wait for more information.
What are you using to monitor your chickens?
Source: https://www.huntress.com/blog/nezha-china-nexus-threat-actor-tool

Comments
@zGato important news don't miss
I've been using Komari lately and it's been great.
You might want to give it a try.
https://github.com/komari-monitor/komari
it's over
Let's just pray that it's not used to attack linux servers
Beszel
@zGato still important news don't miss
There is no difference, any open source project with remote manipulation features can be used maliciously, even the rustdesk project. (rustdesk has been used illegally by so many scamming criminals that a warning label had to be added to the description).
This is different. This was an attack to exploit the tool which is normally used to monitor servers to distribute malware.
It is very dangerous to have a built-in default account with high privileges.
Users should be required to set a complex password during installation.
https://www.peeringdb.com/ix/4316
@gugumnt
I believe this friend is also a member of let, just using a different username.
After reading the blog, it seems that hackers exploited a vulnerability in phpMyAdmin to gain access and then used Nezha to manage all the compromised machines.
Yeah, it seems like the Nezha tool itself is not the target here; you need to gain access first via the vulnerable, outdated phpMyAdmin, and then use Nezha to distribute malware. If you only have Nezha running and nothing else, there is nothing to attack?
Windows, phpMyAdmin, some makeshift stuff, uhm, programmed by some crowd of FOSS devs in, from what I see, a typical web-"developer" style (in Go) + careless users ... and then some company trying to (a) make themselves look like smart sleuths, and (b) politicize the whole clusterfuck in the linked blog post.
Sorry but the victims had it coming, in fact they almost begged for it.
I generally avoid any Chinese tools, monitoring or not. Also I'm wary of random GitHub projects that can be knowingly or unknowingly (security issues) hijacked in the future. This especially applies to management panels and monitoring tools with self-updating agents (some of them require root privilege for some features). So far I use Beszel, but for important servers with production stuff or important personal services I'd rather trust HetrixTools.
Thanks for the suggestion. I think I'll switch to Beszel as well. I only have a few servers, so it's super easy to make the switch, unlike @zGato.
Yes, before reading the blog, I thought Nezha had a vulnerability. After reading it, I realized that it wasn't Nezha that had a vulnerability, but rather that phpMyAdmin should be phased out as soon as possible.
I was using Komari and had WebSSH disabled for agents. It's scary that if you used the default command to install komari-agent, you can actually run Linux commands from the Komari server! I'm not sure whether you can even run rm -rf / over remote SSH from the server to the agents. But now I removed Komari and its agents as well, to be safe.
How's your reading ability? Nezha monitoring was used to monitor threat actor C2 servers. The main problem was with pma and log poisoning. Holy moly, use AI to do a text summary if you have no patience to read the article. And the article itself is skimmed milk, just an advertisement for "security services".
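The "pma and log poisoning" mentioned above is the part a defender can actually hunt for. The thread and the linked post do not spell out the technique, so the following is an added example, not code from the thread, from Huntress or from the Nezha project, and it assumes the classic MySQL general-log variant: an attacker who can run arbitrary SQL through phpMyAdmin enables the general query log, points general_log_file at a path the web server executes, then issues a query whose text contains PHP, so the "log" becomes a webshell. The scanner below walks general-log-style lines and flags that chain per connection thread. The log lines, web-root list and script extensions are constructed for the example and should be tuned to your own hosts.

```python
"""Hunt for MySQL general_log poisoning in general-log-style lines (example code)."""
import re
from dataclasses import dataclass

# Assumption: directories a web server executes scripts from. Tune per host.
WEB_ROOTS = ("/var/www/", "/usr/share/nginx/", "/srv/http/",
             "c:/xampp/htdocs/", "c:/inetpub/wwwroot/", "c:/wamp64/www/")
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php7")

# MySQL general log line layout: "<time>\t<thread id> <command>\t<argument>"
RE_LINE = re.compile(r"^\S+\s+(\d+)\s+(\w+)\s*(.*)$")
RE_LOG_ON = re.compile(r"set\s+global\s+general_log\s*=\s*['\"]?(on|1)['\"]?", re.I)
RE_LOG_FILE = re.compile(r"set\s+global\s+general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I)
RE_PHP_TAG = re.compile(r"<\?(php\b|=)", re.I)


@dataclass
class Finding:
    line_no: int
    thread_id: str
    indicator: str
    detail: str


def is_web_executable(path: str) -> bool:
    """True if the log target sits under a web root and has a script extension."""
    p = path.replace("\\", "/").lower()
    return p.startswith(WEB_ROOTS) and p.endswith(SCRIPT_EXTS)


def scan(lines):
    """Return (findings, chain_detected).

    chain_detected becomes True when, within one thread id, the log file was
    pointed at a web-executable path and a later query carried a PHP open tag:
    from that point the 'log file' is a webshell on disk.
    """
    findings = []
    armed = {}  # thread id -> web-executable log path it set
    chain = False
    for n, raw in enumerate(lines, 1):
        m = RE_LINE.match(raw)
        if not m:
            continue
        tid, cmd, arg = m.groups()
        if cmd.lower() != "query":
            continue
        if RE_LOG_ON.search(arg):
            findings.append(Finding(n, tid, "general_log_enabled", arg.strip()))
        fm = RE_LOG_FILE.search(arg)
        if fm:
            path = fm.group(1)
            if is_web_executable(path):
                findings.append(Finding(n, tid, "log_file_in_webroot", path))
                armed[tid] = path
            else:
                armed.pop(tid, None)  # log moved back to a harmless location
        if RE_PHP_TAG.search(arg):
            findings.append(Finding(n, tid, "php_tag_in_query", arg.strip()))
            if tid in armed:
                chain = True
                findings.append(Finding(n, tid, "log_poisoning_chain",
                                        f"{armed[tid]} now contains PHP"))
    return findings, chain


# Constructed sample: one attacker thread (12) and one benign thread (13).
SAMPLE_LOG = """\
2024-01-01T10:00:00.000000Z\t   12 Connect\tpma@localhost on  using TCP/IP
2024-01-01T10:00:01.000000Z\t   12 Query\tSHOW VARIABLES LIKE 'general_log%'
2024-01-01T10:00:02.000000Z\t   12 Query\tSET GLOBAL general_log = 'ON'
2024-01-01T10:00:03.000000Z\t   12 Query\tSET GLOBAL general_log_file = '/var/www/html/cache.php'
2024-01-01T10:00:04.000000Z\t   12 Query\tSELECT '<?php system($_GET["c"]); ?>'
2024-01-01T10:00:05.000000Z\t   12 Query\tSET GLOBAL general_log_file = '/var/lib/mysql/host.log'
2024-01-01T10:00:06.000000Z\t   13 Query\tSELECT id, name FROM users WHERE id = 7
""".splitlines()

if __name__ == "__main__":
    found, poisoned = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no} thread {f.thread_id}: {f.indicator} -> {f.detail}")
    print("log poisoning chain detected:", poisoned)
```

Point the scanner at the MySQL general log itself, or at phpMyAdmin's query history, and treat any SET GLOBAL general_log_file whose target lands in a web root as an incident on its own; the PHP-tag match is what turns a suspicious configuration change into a confirmed webshell drop. Note that the attacker's last line, moving the log back to a normal path, is exactly why a point-in-time check of SHOW VARIABLES would look clean afterwards.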
Give me back my 5 minutes
If you need a more clickbait title, you should use the name of the company where the C2 server was hosted, duh.
or not, as it will be deleted :-D
People will do anything to not have to set up Grafana.
Anything for $200
@zGato I know you already got tagged but I wanted to do this too.
Please stop bullying my gato
🫂
Windows, the fuck, on LET? Maybe Nodeseek.
I use HetrixTools, it's nice.
Never heard of them. Are they good?