Flarum.org Security Breach - What it means for you

tankerkiller125

Dear Flarumites,

It is with a sad and heavy heart that we announce today that Flarum.org was the subject of a cyber attack which resulted in the breach of one of our servers. Inline with our ethos of total transparency, we wanted to give you all the full details of what we know and what actions have been taken.

I’m concerned! What do I need to do?!

We understand that security breaches are a concerning thing. We absolutely appreciate that our users expect, and deserve, better. We promise that we will endeavour to secure our systems and that’s why we’re bringing together our own internal resources with continuous security reviews from external parties as part of our vision for Flarum 2.0 and beyond.

If you are concerned about the impact of this breach, and what it means for you then we recommend:

Reset your password on any other providers that you may have re-used it on. (We also strongly advise not to re-use passwords.)
Where possible, enable Multifactor Authentication, or MFA.

And for those that want our detailed analysis, please see below:

What actually happened?

On the 3rd October, 2023 @luceos noted a number of files on our server which are not part of our deployment for Flarum, and immediately notified the ops team (Namely, myself and @katos) through our relevant Discord channel to launch an investigation.

Over the next few days we immediately took action to limit the impact of any breach and to pull files for auditing and forensic analysis. IT was identified that a total of 12 files were uploaded into the /public/ directory of flarum.org

At the same time, we also identified an old backup of Discuss’ database had not been cleared down from the server, this backup dated back to December 2021.

The decision was taken to copy files off of the server for analysis, and to run a git-clean and redeploy in order to obliterate any malicious files from our servers (as we use a CI/CD pipeline, this action was quick and easy).

Out of a further abundance of caution, we also took the decision to fully remove ALL SSH keys from the server and to re-generate a key for Luceos who would (for now) be the sole manager of the server whilst investigations were ongoing.

On Friday 06/10/2023 (three days later), we were able to confirm that:

Of the files uploaded, we are confident that unfortunately a webshell was uploaded which allowed the attackers to upload further scripts and expand their arsenal against the server.
We identified an email spam script (leveraging PHP’s “LeafMailer” library) which was used to send spam mail from our server.
We identified a php shell script allowing file management on the server. We have NO REASON to believe that files served from the server were edited, as all files retained their original content, however we are unable to verify if data was exfiltrated from the server.
We also identified a number of HTML files which contained malicious URL redirects designed to steal credentials - We cannot see evidence of these being used, and suspect that they may have been part of a wider email campaign for phishing / credential hijacking.
Whilst we do not wish to spread malicious code, we can also confirm that we identified three sources of malicious code that was used in this attack. All three instances of this came from old shell scripts found online in Github gists.
Of the malicious files, all except two triggered detections through Virus Total or Yara.

With the evidence in our logs, and with the files that we have identified (and their subsequent analysis), whilst we cannot confirm this; we are confident that with the PHP mail script and the html files with phishing sites, the intention of the compromise was to use our systems to establish a ground for spamming phishing links to other users. We do not believe that Flarum or it’s users were the endgame of the attack.

This leads us nicely to what we did….

What we did to rectify the issue

As already detailed above, we immediately set up a task force of individuals at Flarum who were responsible for owning the challenge of identifying the breach, and seeing through the remediation and recovery.

Below is a breakdown of what we did:

Took a copy of the suspect files that we identified on the server.
Immediately reviewed (and validated) access logs for SSH.
Ran a git clean to restore the site to a state of as-deployed-from-CI/CD
Investigated file contents and ran analysis of contents to identify the scope of breach.
As we learned that the shell ran as our web user, and had potential access to the SQL backup file, we took the decision to rebuild our server from scratch. This went as follows:
An ENTIRELY NEW server was created (copying NO files from the previous).

Server was configured for:

Ubuntu latest LTS version.
No root access allowed.
Cloudflare Zero-Trust SSH tunnel access only.
Laravel Forge login.
Dedicated AV scanner in place.
Crowdsec security installed to monitor activity on the box.
A review was taken and we decided that:
Access to the server should be restricted to Devops/Devsec only.
All access will have to pass through Cloudflare ZTNA.
A review of the code would be made to ensure that we are running up-to-date libraries and functions where possible.
A review of our PHP functions would be taken to ensure that any redundant/obsolete or excessive functions would be removed.
We would more regularly re-deploy our server through our CI/CD stack to ensure that only those files which we allow through our repository exist on the server.
We also took the decision to step up our security efforts by creating a dedicated security team, both for our code (already in place) but also for our infrastructure, where this was not previously clearly defined.
We then, naturally, informed you guys. As part of this:
We are advising that ALL USERS reset their password (we're forcing it). This is due to the database having been available on the server, whilst we encrypt ALL of our passwords with a strong hash, we did not wish to risk any potential further impact to our users.
We developed a framework for transparent communications of any issues going forwards.

No compromise of a system is ever easy, and we very much know that we have learned lessons the hard way.

What we learnt?

We unfortunately identified a number of shortfalls in our processes, and we know that you absolutely deserve better. That’s why we’re announcing our difficult lessons learned.

We will be conducting regular security reviews of our full stack, from code to infrastructure to ensure that we maintain secure access at all times.
We will be regularly reviewing all configurations and ensuring that we keep up-to-date with the latest best practises for security and development.
Starting from today, we already have forced a reset of all user passwords to ensure that we do not risk user compromise.

What we are doing to fix this going forwards

As outlined, we will be moving our stack to a new server which has security at it’s forefront. All access will now be governed through a ZTNA pipeline provided by Cloudflare, and access will be restricted to these tunnels. This significantly reduces the attack surface and ensures that all access is explicitly defined.

We will also be more granularly segregating our web stack to reduce the attack surface between our offerings - From flarum.org, Discuss.flarum.org and Next.flarum.org.

Alongside this, we are also working to introduce a new Cyber Security Team internally who will be responsible for the maintenance and security of the systems and will handle any updates, deployments and changes to our infrastructure from here. This will ensure that our systems are vetted prior to any changes and that our stack is regularly assessed for threats.

We will also be deploying next generation EDR to not only detect, but automatically alert and remediate on threats as they are discovered on our systems.

We will also be drafting, and distributing, dedicated cyber playbooks for should an incident such as this happen again. The unfortunate incident that we have dealt with in this instance highlighted a need for a process to follow and as such we lost valuable time and information which may have assisted with remediation and recovery as well as transparent reporting.

If you have any further questions or concerns, we meant what we said about transparency. Please do reach out to us below or by DM and we will be happy to answer what we can.

We thank you for your continued support and patience, and we look forward to continuing to serve the greatest forum content.

`- The Flarum Staff Team.

GreXXL

CyberGene see the reply from luceos about our conclusions so far. It's important to understand that the attack vector was our website (flarum.org) - not the discuss Forum. As there was an old DB backup on the server - as mentioned by tankerkiller125 we asked all users to change their password as a security measure.

hrvoje_hr

Appreciate you're this open about this. Is there any possibility that vulnerability came from the Flarum source code?

Also, about passwords. How complicated for someone malicious would be to rehash passwords from the database?

tankerkiller125

hrvoje_hr Also, about passwords. How complicated for someone malicious would be to rehash passwords from the database?

Hashcat has a built in BCrypt hashing, which means that it's actually incredibly simple to do, the hard part is the hardware requirements, and knowledge of how hashcat works.

For some context, as part of security where I work I (because I'm the only IT guy) download the password hashes of all of our employees, and then bruteforce those hashes use two methods.

The first method is a wordlist, basically I have a large list of previously breached passwords, combined with sports teams, city names, popular first and last names, etc. and hashcat uses that wordlist to combine words, and try every combination of replacing letters with numbers, etc.

Using this first method, the first time we did this, I was able to breach around 15% of passwords, and it took just under 8 hours on an i7 12th Gen Laptop processor.

The second method is straight up brute force, still using hashcat, in which I was able to break an additional 4% of passwords in just under a month. But importantly again, this on my work laptop, and it hadn't even finished with 9 character passwords.

If I had a GPU rig (like the ones they use for crypto mining) I could have broken A LOT more user passwords. A recent security conference I went to had a talk on this exact subject, and the speaker suggested that using about $800 worth of hardware you can crack every password shorter than 16 characters in just under a year.

I don't want to alarm anyone, far from it, however short, weak passwords are easily breakable when an attacker can directly attack the hash, without any form of rate limiting.

For that reason, you should either use a password manager to generate random, long (20+ character) passwords, or if you are going to remember the password, use a passphrase with multiple words (preferably rarer ones), numbers, symbols, lowercase, uppercase, and if you can, native characters (in other words, if you're keyboard can enter chinese characters, use them, not ASCII). Or if the website allows it, use a Passkey (hardware token) for sign in.

Password cracking becomes exponentially harder for every character added. So if you assume a standard keyboard layout, and we assume that 27 keys can't be used (like enter, F-Row, etc.) that leaves us with 74 * 2 (because shift key) or 148. So to crack a 1 character password it takes 148 guesses, for 2 character passwords it takes 148² guesses (21,904), etc.

luceos

hrvoje_hr Is there any possibility that vulnerability came from the Flarum source code?

No. We have no evidence to suggest that, in addition discuss isn't using any extensions that allow interaction with the filesystem or server. Not even fof upload is installed.

m4v3rick

tankerkiller125

Thanks for the insights. Would love to read more from you every now and then. Do you have a blog about these topics by chance?

DaleZ

The team is so responsible! Thank you a lot for hard-working!

tankerkiller125 if you're keyboard can enter chinese characters, use them, not ASCII

I never know the password can set to these😲

katos

CyberGene we can categorically say that this was NOT a result of a vulnerability in Flarum software itself. Please see luceos reply.

With regards to our conclusions, we strongly believe that the ingress occurred due to a misconfiguration allowing password-based authentication to a user on the VM. Once this user was accessed, the files were dropped and the machine classified as compromised.

We at Flarum do not take security lightly, which is why our immediate response was to pull the files for analysis by myself and @tankerkiller125 and to rebuild the VM (affectionately known as “Nuke from orbit” or “NFO”).

In the rebuild of our server, we then ensured that password authentication is denied and forced the use of SSH keys (newly generated).
Then we moved towards a zero trust model to ensure that traffic is forced through Cloudflare and dropped if it does not originate from this trusted source.

I hope that this makes sense but I’m happy to answer any further questions!

Wadera

luceos We have no evidence to suggest that

First, I want to express my sincere thanks for the comprehensive report on the recent security breach. Your transparency and dedication to safeguarding our forum are truly commendable.

I have a few technical questions that I couldn't find answers to in the report, and I'm hoping to gain some more insights:

Sources of the Breach: Are there any suspected or confirmed sources of the breach? Understanding the origin is crucial for developing effective prevention strategies.

Flarum Engine Security: Given that Flarum engine has been cleared as the vulnerability point, could you provide insights into how the attackers might have accessed the host system? Is there a possibility that a developer's credentials were compromised, or are we looking at an internal job by an untrusted developer?

Confidence in Flarum's Security: If the exact source of the breach is still unknown, how can we be confident that the Flarum source code remains secure? Clarification on this would be immensely helpful.

I believe having answers to these questions will not only help in reinforcing our forum's security but also assist in keeping the community informed and vigilant.

peopleinside

Thanks. Flarum allow an administrator to ask all user to reset passwords or you use a code, command a doc for just flarum,org?

GreXXL

peopleinside is an extension created for the specific use case. (https://extiverse.com/extension/sycho/flarum-force-password-reset)

peopleinside

GreXXL nice, this can be useful 🙂

tankerkiller125

m4v3rick I rarely if ever post, but I do have a blog over on https://kilgore.dev (note email is currently broken as hell on on it so the subscribe thing doesn't work)

tankerkiller125

m4v3rick If your intrested in a full length detailed view of how cracking passwords works (notably on Active Directory) I ended up publishing a full post on a new blog me and @katos ended up creating (because we both wanted to share more what we know in the IT space)

Ralkage

I came across the password reset page after not visiting the forum for a while, and I couldn't help but think, "Oh man, this can't be good!" 😅

I'm relieved that the team was able to further mitigate this attack and conduct a timely investigation, even though it stemmed from an unfortunate incident. It's disheartening how data and server breaches seem to be on the rise in recent years, and I'm somewhat skeptical about the long-term effectiveness of passwordless login initiatives, considering how easily the devices that support this security measure can become vulnerable themselves.

Nonetheless, thank you, team, for always being transparent about these sorts of incidents, as I feel it is critical to remain as such to effectively run a project at this scale.

Here's to the ongoing efforts of Flarum 2.0! Cheers! 🥂

katos

Ralkage Passwordless authentication is very much better. Certainly when compared to something like a username and password.

In an ideal world, authentication would be done using something like FIDO2, passing a device-bound token to the requester. This way even if the token was stolen and replayed, it doesn’t match the encrypted device hash.

I get the initial scepticism but with what companies like Microsoft are doing with the likes of token binding and CAE (continued access evaluation), we’re very much moving in the right direction!

CyberGene

Is there any conclusion about how this happened, is it a leaked password, SSH key, etc. or is it possible that the Flarum software itself might have a vulnerability that allowed the attackers to exploit it? Because the latter is much more worrying and could potentially affect all of us that use Flarum on our forums.

tankerkiller125

DaleZ A proper password field accepts any character you could possibly use or type, and hashes them. If/when you run into password inputs that restrict what you can type/use it means that they are probably storing your password in a bad, bad way.

DaleZ

tankerkiller125 Yep, lots of website in my country only support ASCII, so I even forget that.
Anyway, allow UTF-8 characters for password is much safer, thanks again. ❤️

Update: Though support, but can't input them directly, need paste into the field.

a-wild-tim-appears

Thanks for the honesty and the write-up 🙂