Last week was an eventful week of cybersecurity-related events and news, starting with the fallout from the WannaCry ransomware attack on May 12. The global attack spread very quickly to more than 150 countries, and hit critical infrastructure in industries ranging from healthcare and rail to telephone and some power utilities. Midweek, we speculated and other groups suggested that the WannaCry attack may have been the work of North Korea, specifically the Lazarus Group, as a proverbial cyber-shot across the bow. A Forbes article subsequently detailed the first-ever ransomware infection of a medical device in a U.S. hospital – a Bayer Medrad device used to assist with MRI scans – that apparently represented a secondary infection from the initial WannaCry attack.
The week ended with another unwelcome surprise: the discovery that Congressman Devin Nunes (R-CA), chairman of the House Permanent Select Committee on Intelligence, had a live campaign website compromised with Russian SEO spam. The issue was quickly fixed later that day after we alerted Rep. Nunes's office.
These worrisome events underscore what's beginning to sound like a broken record in cybersecurity circles: we remain far too vulnerable to cyber attacks and dis-information warfare at all levels of government. As NSA director and U.S. Cyber Command head Adm. Michael Rogers recently said at a Senate Armed Services Committee hearing, "We are not prepared to counter info operations."
These events also come at a time when Congress should be developing a comprehensive strategy to counter the cyber and dis-information warfare capabilities of hostile nations like Russia and North Korea. In a separate congressional hearing, former Director of National Intelligence James Clapper said, "I don't think we as a nation do a good enough job [at combating information warfare]".
Congressional leadership hasn't provided much reason for optimism either. Polarization in Congress, for instance, has hampered the investigation of Russia’s clear meddling in and campaign to undermine confidence in the 2016 U.S. Presidential Election and more controversial suggestions of inappropriate contact or coordination between Russian officials and the Trump campaign.
One such investigation was launched by the House Intelligence Committee and initially headed by Rep. Nunes. Since January, the inquiry has been beset by a series of missteps, canceled hearings and controversies. One of the biggest was the April 6 decision by Rep. Nunes to recuse himself from the investigation after the House Ethics Committee announced its own investigation of potential coordination between Rep. Nunes and the White House and "allegations that he may have disclosed classified information to the White House." Representative Mike Conaway (R-TX) has now assumed control of the House investigation.
To add to the confusion, poor optics, and general distrust by the American public, we and others revealed on Friday that Rep. Nunes himself was the victim of a cyber-hack. Late Thursday, May 18, a Twitter user by the handle @3L3V3NTH posed this question: Why were some internal pages in the campaign website Devinnunes.net indexed by Google and entirely in Russian?
We saw the tweet Friday morning and immediately suspected injected SEO malware. We have seen similar injected SEO spam in different languages on other websites that we later determined had been hacked. Some have been from new clients requesting our help, while we found other instances of the SEO spam when we conducted Google searches and then promptly alerted the website owners. Many times, SEO spam and its associated malware can go unnoticed for months because it occurs on internal auto-generated pages that a site's owner would not know about, or even know how to look for.
An easy way to find these injected SEO spam pages is to isolate a Google search to find only pages indexed within a particular domain. The following Google search: "site:devinnunes.net" revealed at least 11 internal pages that were all XML pages residing in the /images/userfiles/ folder (see image below). All appeared to have Russian sentences and keywords in the titles, meta tags and body content of the pages.
To investigate further, we used a public website-checking tool created by the online security company Sucuri.net for finding certain simple forms of malware and possible code vulnerabilities. Based on this straightforward approach, we found multiple, fairly clear vulnerabilities existing in the live Devinnunes.net website.
Our check also revealed the presence of an outdated installation of WordPress (4.5.2) that had been moved to a /temp/ directory but was still public facing and fully accessible on the Internet. Here's why this is so problematic: moving an outdated installation of WordPress to another public directory such as a temp folder does not change or reduce its security risk. These directories are standard places for hackers and pentesters (ethical hackers) to look for old installations; finding internal directories via automated hacker bots is a fairly simple process. The public Sucuri malware checker automatically does this as well and found the vulnerable installation within seconds. This outdated WordPress install was also using a number of outdated plugins that had not been patched for their recent security vulnerabilities.
We immediately took steps to document what we had found and alerted Congressman Nunes's office of our findings just before 12:00 CST on Friday, May 19. We did not receive any response; however, the XML files were removed and the outdated WordPress install was taken down by about 4:00 pm CST on Friday, effectively correcting the issues.
We have done additional investigations into this hack and are documenting some of our general findings here. After analyzing about 20 other websites with nearly identical injected Russian SEO spam we are able to make some general statements about the how, the when, the what and speculate a little on the why.
First, it's clear to us that the Devinnunes.net website was hacked at some point in the past (more on this later). We found multiple unpatched, well-documented vulnerabilities, and additional ones that could have been present in the past. By looking at archived copies of the Devinnunes.net website using the Internet's Wayback Machine, we can see that some of the vulnerabilities have existed for just over a year.
As of last week the site remained publicly exposed with an insecure and vulnerable installation of WordPress (4.5.2). The current, most secure version of this branch of WordPress is 4.5.9, which includes seven additional security patches and properly addresses a host of security vulnerabilities. Most average hackers could easily exploit many of these well-known and well-documented vulnerabilities. The outdated WordPress installation also used a number of outdated WordPress plugins that contained known security vulnerabilities and were accessible from the Internet. The "MailPoet" plugin below, for example, is well known for its serious security vulnerabilities.
/plugins/wysija-newsletters/ (2.7.2 version found -> safe is 2.7.3)
Note that this is a well-known vulnerability and that versions 2.6.8 and prior were vulnerable to an unauthenticated file upload. Version 2.7.2 suffers from an SQL injection vulnerability that is also very serious.
These two additional plugins also contain known vulnerabilities:
/plugins/woocommerce/ (2.5.5 version found -> safe is 2.6.9)
/plugins/LayerSlider/ (5.4.0 version found -> safe is 6.2)
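As an added example (not code from the original post), here is how a site owner could audit a plugins directory against the minimum safe versions listed above. It reads the standard "Version:" header that WordPress plugins carry in their main PHP file; the plugins directory it scans is constructed in a temporary folder using the versions reported above.

```python
import re
import tempfile
from pathlib import Path

# Minimum safe versions as stated in the post; the mapping itself is constructed here.
MIN_SAFE = {
    "wysija-newsletters": "2.7.3",   # MailPoet
    "woocommerce": "2.6.9",
    "LayerSlider": "6.2",
}

# WordPress plugins declare their version in a "Version:" header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M | re.I)

def parse_version(text):
    """'5.4.0' -> (5, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def plugin_version(plugin_dir):
    """Return the declared version from any top-level .php file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        m = VERSION_RE.search(php.read_text(errors="replace"))
        if m:
            return m.group(1)
    return None

def audit_plugins(plugins_root):
    """List (plugin, found, minimum_safe) for plugins below the safe version."""
    findings = []
    for d in sorted(Path(plugins_root).iterdir()):
        if d.is_dir() and d.name in MIN_SAFE:
            found = plugin_version(d)
            safe = MIN_SAFE[d.name]
            if found is None or parse_version(found) < parse_version(safe):
                findings.append((d.name, found, safe))
    return findings

def demo():
    """Constructed plugins directory using the versions reported in the post."""
    root = Path(tempfile.mkdtemp())
    sample = {"wysija-newsletters": "2.7.2", "woocommerce": "2.6.9", "LayerSlider": "5.4.0"}
    for name, ver in sample.items():
        (root / name).mkdir()
        (root / name / "plugin.php").write_text(
            f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return audit_plugins(root)
```

Point audit_plugins() at a real wp-content/plugins directory to get the same tuple list for a live site.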
Interestingly, the Devinnunes.net website was also using the Revolution Slider plugin, which brought down the Panamanian law firm Mossack Fonseca back in early April of 2016. At the time, it was the largest data leak ever. The Devinnunes.net website is currently using an up-to-date and secure version of Revolution Slider. But that doesn't mean it was always properly secured in the past.
Based on our analysis of the other similarly hacked websites, it is clear a backdoor of some kind was installed on the Devinnunes.net website. The backdoor would have full read, write and execute permissions and would have been used to install the spammy XML files in the /images/userfiles/ directory. We believe that we have identified the precise backdoor used by the hackers and the authors of this PHP-based webshell / backdoor script. We will include this and other more technical details in a future report.
One important caveat: without having the ability to look at and analyze the files on the Devinnunes.net webserver, we can't be completely certain of the precise backdoor used. We also have no way of knowing whether there was or still is more than one backdoor installed on the site. From our past experience remediating hacked websites, we have commonly seen multiple infections from completely different hacker groups all installing their own backdoor of choice. The IT staff for Devinnunes.net would be able to verify this and whether other backdoors were found. Keep in mind that some webshell backdoors have a "suicide" feature, which allows the webshell to delete itself from the server when no longer needed.
The backdoor webshell we found appears to have been created in August of 2016. Of the 20 similarly infected sites we have studied, the oldest cached page we could find in Google was from February 2017, while the vast majority were from March and April of 2017. We should also note that it can take SEO spam infections several months to show up in the Google search results. So we know this specific injection of Russian SEO spam in the Devinnunes.net website likely occurred at least a few months ago and could have happened as far back as the fall of 2016.
As we mentioned above, we also can't exclude the possibility that the Devinnunes.net website was hacked in the past, prior to this year. Once a hacker has breached a site they will install a backdoor allowing them future full access to the website, and many times they will wait many months before executing their final objective.
The link below was captured in a Google cache of another similarly infected site and it clearly shows the specifically crafted weblink that includes the webshell used to upload one of these XML files.
This is Google's cache of http://www.autoringen.no/daily_news_images/281_newshell.php?filesrc=/home/auksjon/www/rebrand/uploadimage/grozniy-moskva-samolet-tsena-bileta-81662.xml&path=/home/auksjon/www/rebrand/uploadimage/
It is a snapshot of the page as it appeared on Apr 23, 2017 07:16:51 GMT.
In this example the webshell (backdoor) was named "281_newshell.php" but these files can really have any name the hacker chooses. We've seen other file names like "linkk.php" and "g.php".
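The request shape quoted above (a PHP file sitting in an upload directory, called with filesrc and path parameters that carry absolute server paths) is something a site owner can hunt for in their own access logs. The following is an added example, not code from the original post: it parses Apache combined-format log lines and flags both traits. The log lines and the list of upload-only directories are constructed for the example and assume a typical layout.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in Apache combined format (not real traffic); the first
# mirrors the webshell request shape quoted in the post, the last two are ordinary hits.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Apr/2017:07:16:51 +0000] "GET /daily_news_images/281_newshell.php?filesrc=/home/auksjon/www/rebrand/uploadimage/grozniy-moskva-samolet-tsena-bileta-81662.xml&path=/home/auksjon/www/rebrand/uploadimage/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Apr/2017:07:17:02 +0000] "GET /images/userfiles/linkk.php?path=/var/www/html/images/userfiles/ HTTP/1.1" 200 2210 "-" "curl/7.52.1"
192.0.2.9 - - [23/Apr/2017:07:18:10 +0000] "GET /wp-content/uploads/2017/04/photo.jpg HTTP/1.1" 200 40213 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Apr/2017:07:18:11 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Upload-style directories (assumed layout) that should serve static files only.
UPLOAD_DIRS = ("/images/userfiles/", "/daily_news_images/", "/wp-content/uploads/")
# Parameter names used by the file-manager style shell shown in the post.
SHELL_PARAMS = ("filesrc", "path")

def classify(line):
    """Return (ip, path, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    qs = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    # PHP executing out of a directory meant for uploads is the classic webshell location.
    if parts.path.lower().endswith(".php") and parts.path.startswith(UPLOAD_DIRS):
        reasons.append("php-in-upload-dir")
    # Absolute filesystem paths passed as filesrc/path betray a file-manager shell.
    if any(v.startswith("/") for k in SHELL_PARAMS for v in qs.get(k, [])):
        reasons.append("absolute-path-param")
    return (m.group("ip"), parts.path, reasons) if reasons else None

def scan(log_text=SAMPLE_LOG):
    """Run classify() over every line and keep the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

A hit on "php-in-upload-dir" alone is worth a look even without shell-style parameters, since upload folders should never contain executable PHP in the first place.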
So why did this happen? As we mentioned above, a typical feature of injected SEO spam is the use of JavaScript redirects. This is usually done because most search bots like Google don't always follow JavaScript redirects, whereas a human user will. There are some perceived SEO-based technical advantages for doing something like this (too much to get into here), but the bottom line is that these JavaScript redirects will be embedded somewhere in the code of the auto-generated spam pages. It was no different with this attack: in all of the sites we looked at, we found three root domain names that were common to all of them and were responsible for creating the location where the user would ultimately be redirected.
All of the XML files contained these two lines of code, where "xx" in line two was replaced with any two alphanumeric characters. Line one could have many different unique subdomains, but the root domain was always one of the three shown below.
<base href="http://<subdomain>.(js-cloudbox|tdskakts|traffka-mix).com/" />
All three of these domains have different nameservers, different creation dates, and different registrant information. The "traffka-mix.com" domain, for example, was first registered in February of 2017.
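An added example, not from the original post, of how a site owner could sweep a web root for pages carrying the base-href pattern and JavaScript redirects described above. It flags the three root domains named in the post, reports any other external base as a weaker signal, and builds a small constructed web root (one spam XML under /images/userfiles/, one benign page) so it runs offline; the site hostname and file extensions are assumptions.

```python
import re
import tempfile
from pathlib import Path

# The three root domains named in the post; any other external <base> is reported too.
KNOWN_SPAM_DOMAINS = {"js-cloudbox.com", "tdskakts.com", "traffka-mix.com"}
BASE_RE = re.compile(r'<base\s+href\s*=\s*["\']https?://([^/"\'\s]+)', re.I)
# Client-side redirect idioms that search bots tend not to follow but browsers do.
REDIRECT_RE = re.compile(
    r'(window\.)?location(\.href)?\s*=|location\.replace\(|http-equiv\s*=\s*["\']refresh', re.I)

def root_domain(host):
    """Naive registrable domain (last two labels); enough for the .com domains here."""
    return ".".join(host.lower().split(".")[-2:])

def inspect(text, site_host):
    """Return a list of reasons a page body looks like injected SEO spam."""
    reasons = []
    m = BASE_RE.search(text)
    if m:
        root = root_domain(m.group(1))
        if root in KNOWN_SPAM_DOMAINS:
            reasons.append("known-spam-base:" + root)
        elif root != root_domain(site_host):
            reasons.append("external-base:" + root)
    if REDIRECT_RE.search(text):
        reasons.append("client-redirect")
    return reasons

def scan_tree(webroot, site_host, exts=(".xml", ".html", ".htm", ".php")):
    """Map relative path -> reasons for every flagged file under the web root."""
    hits = {}
    for p in sorted(Path(webroot).rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            reasons = inspect(p.read_text(errors="replace"), site_host)
            if reasons:
                hits[str(p.relative_to(webroot))] = reasons
    return hits

def demo():
    """Constructed web root: one spam XML in /images/userfiles/, one benign page."""
    root = Path(tempfile.mkdtemp())
    spam = root / "images" / "userfiles"
    spam.mkdir(parents=True)
    (spam / "grozniy-moskva-81662.xml").write_text(
        '<base href="http://ab12.traffka-mix.com/" />\n'
        '<script>window.location="http://ab12.traffka-mix.com/go";</script>\n')
    (root / "index.html").write_text('<base href="http://www.example.org/" /><p>hello</p>\n')
    return scan_tree(root, "www.example.org")
```

Because XML files are not expected under an images directory at all, any hit there deserves a look at the directory's file listing and timestamps, not just the flagged file.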
The why is the most difficult question to answer. The simplest explanation is that the Devinnunes.net website was caught up in an automated drive-by hacking. It contained a number of common vulnerabilities that we see used in automated hacker tools. Injected SEO spam is generally done for financial gain. It is also one of the easier infections to detect, so the shelf life for this type of hack is generally fairly short. (We'll share more about this aspect and details on the webshell in a future post.)
Because Rep. Nunes is chairman of the House Intelligence Committee, he would be considered a high-value target. Many times, hackers sell or even lease their backdoor access to other hackers or state-sponsored actors. Once a hacker is able to infect a trusted source like an individual's website, hackers can get creative. They can engage in spearphishing or catphishing, gather sensitive information, or create specific links on the website that prompt a visitor to unknowingly download malware or ransomware onto his or her own personal computer (watering hole attacks).
Only Rep. Nunes’s office can say how severe this security breach was. The hacking, however, underscores the critical importance of good website hygiene for both private individuals hoping to safeguard their data and for public officials entrusted with safeguarding national security.