
Forum issues & mailing services


Nervous


Hi,

 

As usual when it comes to your security, I'll be writing a new thread explaining in full transparency what happened today.

Some of you have noticed we had an incident during the night regarding the forum, as it was unavailable, same for facebrowser.

 

Waking up at 8am with the notifications on my phone, I quickly checked the forum and discovered that the database couldn't write its log to a specific file anymore. I thought there was a lock issue and deleted the file, which allowed the database to restart, and I left for work. Deleting the file also freed some space on the hard drive, enough for the server to work properly until 3pm Paris time.

 

At this time, the forum and facebrowser went down again. This time I logged in again on the server and noticed that the logging partition was actually full, which was super weird since it's quite big and it would require very big files written recently. I exported today's logs and decided to keep the analysis for later; space was freed and everything was back to normal.

 

Fast forward a few hours later: once I'm home, I notice that the UCP application review system's emails are broken, as the email is not being sent to users once they are accepted / denied.

I notice that more than 2,000 mails were sent today, which is suspiciously high, and that's where I finally started to make all the links in my head: our forum had a vulnerability allowing someone to massively send emails through it.

 

I decide to log in on the GSuite and discover thousands of Russian-targeted phishing emails sent through the [email protected] domain. The vulnerability on the forum was definitely confirmed.

I went on the forum with the help of the web developers and started looking everywhere at every potential way to send an email, until we found the "Social sharing mail plugin" at the bottom of the threads, which would allow anyone to share a thread using our server mail as soon as they were registered on the forum, and without filling the "CAPTCHA" form that is there on every form of this forum, which is the main vulnerability problem.

 

The feature was immediately disabled, and I started investigating who abused it. The abuser account was https://forum.gta.world/en/index.php?/profile/34397-tht/ who registered today and used all the following IP addresses: [screenshot of the IP address list]

 

His email "[email protected]" was used for registration, and I immediately reported the various phishing links. One is now terminated.

 

The domain name is registered through "namesilo", where an abuse form was also filled in.

 

In the end, the scam attempt was to make you enter your credit card by making you think you would win some money over data loss lawsuits.

 

I've shared the IP addresses with CERT-EU colleagues for better monitoring of this spamming group, as it seems to be quite unknown at the moment.

 

To sum it up:

  • A vulnerability in the social sharing mail plugin was found, as it did not force a "CAPTCHA" despite the CAPTCHA setting being enabled on all the mail forms
  • The mail spam led to our log partition on the server being full of 20 GB of useless logs, leading to forum & facebrowser downtime since the logs couldn't be written anymore and thus it crashed the applications
  • The attacker was able to send thousands of spam emails using [email protected] to random Russian emails
  • None of the players of GTA WORLD has been targeted in this spam, so you do not need to worry about receiving a phishing email like what I described here
  • None of your data was accessed, as the attacker was basically just able to send mails with our name and didn't target this community
  • Registration emails will be down for a few more hours, since our current GSuite plan limit has been reached (it refreshes every 24 hours)
Edited by Nervous
  • Upvote 5
  • Applaud 2
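The spike of more than 2,000 outbound mails was only noticed after the fact. As an added example that is not part of the original post, the detection below parses constructed mailer log lines (the line format, the account names and the endpoint name share_thread are assumptions, not the forum's real logs) and flags any account that sends a burst of share e-mails within a short window, which is the kind of alert that would have fired before the log partition filled up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed mailer log format:
# "<ISO time> account=<name> endpoint=<feature> to=<recipient>"
SAMPLE_LOG = """\
2023-01-01T02:10:05 account=tht endpoint=share_thread to=ivan1@example.ru
2023-01-01T02:10:06 account=tht endpoint=share_thread to=ivan2@example.ru
2023-01-01T02:10:06 account=tht endpoint=share_thread to=olga3@example.ru
2023-01-01T02:10:07 account=tht endpoint=share_thread to=petr4@example.ru
2023-01-01T02:15:00 account=alice endpoint=registration to=alice@example.com
2023-01-01T02:20:00 account=bob endpoint=share_thread to=friend@example.org
"""

LINE_RE = re.compile(r"^(\S+) account=(\S+) endpoint=(\S+) to=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, account, endpoint, recipient) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, account, endpoint, to = m.groups()
            events.append((datetime.fromisoformat(ts), account, endpoint, to))
    return events


def sends_per_account(events, endpoint="share_thread"):
    """Count how many mails each account pushed through the given endpoint."""
    counts = defaultdict(int)
    for _, account, ep, _ in events:
        if ep == endpoint:
            counts[account] += 1
    return dict(counts)


def flag_burst(events, endpoint="share_thread", max_per_window=3, window_s=60):
    """Accounts that exceed max_per_window sends on endpoint inside any window_s span."""
    per_account = defaultdict(list)
    for ts, account, ep, _ in events:
        if ep == endpoint:
            per_account[account].append(ts)
    flagged = []
    for account, stamps in per_account.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_per_window:
                flagged.append(account)
                break
    return sorted(flagged)
```

Feeding the real mailer log through flag_burst with a threshold tuned to normal share traffic gives a per-account alert; the same counts also explain which feature is responsible for unexpected log growth.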
1 hour ago, Nervous said:

If you read my message, it's not a case of DNS spoofing here?

No tool or plugin should have permission to send from the domain.

 

The two things that are linked are basic security measures for MX records that are recommended to be enabled either way.

Edited by A_Acko
6 hours ago, A_Acko said:

No tool or plugin should have permission to send from the domain.

 

The two things that are linked are basic security measures for MX records that are recommended to be enabled either way.

I think you don't understand what you're linking, but okay. I just explained it was an IPBoard vulnerability letting an open plugin authorize a tool to send through our domain (since IPBoard has direct access to the account in our forum config); there is 0 spoofing or MX records problem, man. Anyway, I'll lock this to avoid having people sending more bad information.

 

And no, DNSSEC is not recommended to be enabled unless you have a real need for it because it has major impacts. It can be dangerous to spread things like this.

Edited by Nervous
  • Upvote 1
  • Applaud 1