Wadera hi Wadera!
Allow me to answer your concerns:
Sources of the Breach: Are there any suspected or confirmed sources of the breach? Understanding the origin is crucial for developing effective prevention strategies.
It would be extremely difficult to pinpoint the exact source in terms of country or threat actor; however, our evidence suggests that this is a lone actor who managed to successfully brute force the SSH on the host VPS to gain access to the device.
Our VPS is segregated by design, with a least access principle in play; however, we regrettably made a mistake which allowed password-based remote SSH to be available. In the rebuild of our entirely new VPS (which we now run off) this issue was resolved, and we’re very much moving to a zero-trust model to lock this down further.
In short, the source of compromise was IN NO WAY related to Flarum or its source code, but was due to a misconfiguration of the host itself.
Flarum Engine Security: Given that Flarum engine has been cleared as the vulnerability point, could you provide insights into how the attackers might have accessed the host system? Is there a possibility that a developer's credentials were compromised, or are we looking at an internal job by an untrusted developer?
As above, the source was due to a successful brute force of a misconfigured SSH allowing remote password-based authentication.
In terms of mitigations, we no longer allow SSH authentication by password (relying on strong encryption keys instead) whilst also layering on:
- IP bans on unsuccessful authentication
- Firewall checking of all events
- System event logging to a remote server to allow for SIEM based monitoring
- (in progress) migration to ZTNA to enforce SSH traffic through Cloudflare, which will be logged, audited and restricted by key operational managers within the Flarum team.
Confidence in Flarum's Security: If the exact source of the breach is still unknown, how can we be confident that the Flarum source code remains secure? Clarification on this would be immensely helpful.
We understand that security events of any nature are inherently disheartening and a great cause for concern; rest assured that the Flarum team remain highly committed to our security standing, as evidenced by our use of crowdsourced bug bounties, as well as a planned security audit for our code base as we move to 2.0 and beyond.
This was already in place, but is now better scoped (and we will be planning repeated security audits going forwards).
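The two host-level controls the reply above describes, disabling password-based SSH authentication and banning source IPs after repeated failed logins, as an added example that is not part of the original post and not Flarum's own tooling. It audits an sshd_config (or the output of `sshd -T`) for the password-authentication misconfiguration, with a weak sample beside a hardened one, and runs a fail2ban-style sliding-window count over sample auth log lines to pick out both the addresses to ban and the breach pattern itself (a success from an address that had just been guessing passwords). The config texts, log lines, IP addresses and thresholds are all constructed for the example; nothing about the actual Flarum host is known beyond what the post states.

```python
"""Added example (not Flarum's code): audit sshd config for password auth
and flag brute-force sources in auth log lines. All samples are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the weak setting the post describes.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample of a hardened replacement: keys only, no root password login.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 20
"""

# Directive -> acceptable values. An absent directive takes the OpenSSH
# default, so "not mentioned" is not the same as "disabled".
REQUIRED = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "kbdinteractiveauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Lower-cased directive -> value. sshd honours the first occurrence of a
    directive, so later duplicates are ignored. `sshd -T` output (the effective
    config, Include files resolved) has the same `key value` layout."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip().lower())
    return conf


def audit_sshd_config(text):
    """[(directive, effective_value)] for every directive whose effective
    value (explicit or default) is outside the allowed set."""
    conf = parse_sshd_config(text)
    return [(d, conf.get(d, SSHD_DEFAULTS[d]))
            for d, allowed in REQUIRED.items()
            if conf.get(d, SSHD_DEFAULTS[d]) not in allowed]


# OpenSSH auth log line in syslog layout (no year in the timestamp).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: a guessing run that ends in a successful password login,
# then one unrelated failure and a key login from a different address.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51322 ssh2
Mar 10 02:14:03 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51324 ssh2
Mar 10 02:14:05 vps sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.7 port 51326 ssh2
Mar 10 02:14:07 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51328 ssh2
Mar 10 02:14:09 vps sshd[1209]: Failed password for root from 203.0.113.7 port 51330 ssh2
Mar 10 02:14:12 vps sshd[1211]: Accepted password for root from 203.0.113.7 port 51332 ssh2
Mar 10 02:20:00 vps sshd[1300]: Failed password for deploy from 198.51.100.4 port 40000 ssh2
Mar 10 02:21:30 vps sshd[1302]: Accepted publickey for deploy from 198.51.100.4 port 40002 ssh2
""".splitlines()


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window failure count per source IP (what fail2ban-style bans key
    on). Returns the IPs to ban and every (ip, user) that later logged in from
    a banned address, which is the breach pattern rather than background noise.
    Syslog timestamps carry no year, so a window spanning New Year misbehaves."""
    failures = defaultdict(list)
    to_ban, compromised = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold and ip not in to_ban:
                to_ban.append(ip)
        elif ip in to_ban:
            compromised.append((ip, user))
    return {"ban": to_ban, "compromised": compromised}


if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
    print(detect_brute_force(SAMPLE_AUTH_LOG))
```

Auditing the file on disk is not enough on its own, because a later `Include` or `Match` block can re-enable password login; feeding the output of `sshd -T` to `audit_sshd_config` checks what the daemon will actually enforce. The detector is deliberately the same logic a ban tool applies, so a practitioner can compare its verdicts against the tool's before trusting the ban list.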