Security Breach Oct-17-2020
Incident
On Oct 17, 2020, around 07:00 GMT, we became aware of a person who had gained access to an admin account. We are not certain how they gained access. Using the hijacked account, that person changed the front page of the forum.
In response, we restored the forum from a recent backup and changed the password of the compromised account. Several hours later the account was compromised again, and this time the attacker began making malicious edits to category titles and creating malicious posts.
We again restored the forum from backup, again changed the password of the admin account, and removed admin privileges from that account.
The admin account is a default account created by NodeBB (the software that runs this forum); we had left it enabled with a relatively secure password.
Impact
While the attacker had access to the "admin" account, they could view and download the list of all usernames and email addresses.
Passwords were not exposed; they are stored encrypted.
We believe the main goal of this attack was site defacement: the attacker appears to maintain a collection of defaced sites and was running up their score.
Analysis
We were running version 13 of NodeBB, which had an open security advisory describing a vulnerability that could allow account takeover. We do not know the exact method used to take over the account, but exploitation of that vulnerability seems to have been the most likely attack vector.
Corrective Action
- We have upgraded the forum software to 14.3, which includes a number of security patches, notably one for the security advisory mentioned above.
- We now require all admin accounts to use MFA (multi-factor authentication). This new requirement means that if a password is compromised, an attacker still cannot log in to that account without the MFA device.
- We have raised the password requirements from a minimum of 6 characters to 8 and now require passwords to not be "easily guessable".
- We have deleted the unnecessary 'admin' account that had been compromised.
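As an added illustration of the corrective actions above (example code written for this notice, not NodeBB's or the forum's own): a password-policy check enforcing the 8-character minimum with a crude "easily guessable" test, and an admin-account audit that flags administrators without MFA and a surviving default 'admin' account. The user-record shape, the `mfaEnrolled` field and the `administrators` group name are assumptions.

```javascript
// Added example, not NodeBB code. Record shape below is a constructed assumption.
const MIN_PASSWORD_LENGTH = 8;           // raised from 6, per the notice
const DEFAULT_ADMIN_USERNAME = 'admin';  // default account the notice says was deleted
const ADMIN_GROUP = 'administrators';    // assumed group name for admins

// Small constructed deny-list standing in for "easily guessable" passwords.
const COMMON_PASSWORDS = new Set([
  'password', 'password1', '12345678', 'qwertyui', 'letmein1', 'admin123', 'iloveyou',
]);

// Returns the reasons a candidate password is rejected; an empty array means accepted.
function passwordPolicyViolations(password, username) {
  const reasons = [];
  const lower = password.toLowerCase();
  if (password.length < MIN_PASSWORD_LENGTH) {
    reasons.push(`shorter than ${MIN_PASSWORD_LENGTH} characters`);
  }
  if (COMMON_PASSWORDS.has(lower)) reasons.push('in common-password list');
  if (username && lower.includes(username.toLowerCase())) reasons.push('contains username');
  if (/^\d+$/.test(password)) reasons.push('all digits');
  if (new Set(lower).size < 4) reasons.push('too few distinct characters');
  return reasons;
}

// Audits admin accounts: flags missing MFA and the default 'admin' account.
function auditAdmins(users) {
  const findings = [];
  for (const u of users) {
    if (!u.groups.includes(ADMIN_GROUP)) continue;
    if (u.username === DEFAULT_ADMIN_USERNAME) {
      findings.push({ uid: u.uid, issue: 'default admin account still present' });
    }
    if (!u.mfaEnrolled) {
      findings.push({ uid: u.uid, issue: 'admin account without MFA' });
    }
  }
  return findings;
}

// Constructed sample data: one default admin without MFA, one compliant admin, one regular user.
const sampleUsers = [
  { uid: 1, username: 'admin', groups: ['administrators'], mfaEnrolled: false },
  { uid: 2, username: 'alice', groups: ['administrators'], mfaEnrolled: true },
  { uid: 3, username: 'bob', groups: ['registered-users'], mfaEnrolled: false },
];

console.log(JSON.stringify(auditAdmins(sampleUsers), null, 2));
console.log(passwordPolicyViolations('hunter2', 'bob'));
```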
Lessons Learned and Future Investments
We will continue investing in the security of the forum: improving intrusion detection and security vulnerability notification, improving logging (so we can better investigate breaches), and streamlining deployments so that we can deploy more frequently and keep the forum software much closer to the latest available version.