[BreachExchange] Compromised CMS Credentials Likely Used to Hack Trump Campaign Website

Thu Oct 29 10:37:38 EDT 2020

https://www.securityweek.com/compromised-cms-credentials-likely-used-hack-trump-campaign-website

Security researchers believe that compromised credentials were used by
hackers to access the content management system behind Donald Trump’s
campaign website.

On Tuesday, hackers managed to break into the website and change
content on it. For a short period of time, the message “This site was
seized” was displayed on donaldjtrump.com.

The incident has been confirmed by Trump campaign spokesman Tim
Murtaugh, who also revealed that law enforcement had been called in to
investigate. He also said that no sensitive information had been
compromised.

In the message posted on the website, the hackers claimed they managed
to compromise sensitive information on President Trump. They also
included two cryptocurrency wallet IDs, saying they would release the
information if visitors sent money to them.

The message also contained a Pretty Good Privacy (PGP) public key,
which can be used to verify future messages supposedly coming from the
hackers.

According to WordPress security solutions provider Defiant, which
develops the Wordfence product, the hackers most likely used
compromised credentials for access, supposedly targeting the
underlying Expression Engine content management system (CMS), which is
an alternative to WordPress.

While the site content was quickly restored, the “Privacy Policy” and
“Terms & Conditions” pages were still delivering a “404 page not
found” error hours after the incident was resolved.

“This indicates that something changed on the content management
system itself, rather than on the Cloudflare configuration. So we
believe that the CMS being compromised is therefore a higher
probability than Cloudflare being compromised,” Defiant notes.

The site uses Cloudflare as a content delivery network (CDN), and
Defiant says that this could have been used as a point of access only
if the attackers knew the IP of the server hosting the site, which is
hidden. Thus, this attack vector is less likely to have been used.

If the attackers had access to the campaign’s Cloudflare account and
were able to point the domain to their own IP address, the entire
website would have been restored by simply pointing it to the right IP
address.

However, the issues with the “Privacy Policy” and the “Terms &
Conditions” pages suggest this was not the attack vector.

Of even lower probability would be the use of compromised credentials
to access the account where the domain donaldjtrump.com was
registered; a possible access via FTP or SSH (would require not only
FTP or SSH credentials, but also knowledge of the site’s origin IP
address); or the use of a zero-day flaw in Expression Engine, which
has had few known vulnerabilities, Defiant says.

“Almost every possible scenario includes reused credentials being
exploited to gain access to the donaldjtrump.com site. In almost every
case, having 2-Factor Authentication enabled would have prevented such
a scenario from occurring. It’s also a reminder that it is important
to enable 2-Factor Authentication not only on your website’s
administrative panel, but on every service that offers it, including
services you might not think of as being vulnerable,” Defiant
concludes.

The attack comes shortly after a Dutch security researcher claimed
that he gained access to Donald Trump’s Twitter account by guessing
its password, which he said was “maga2020!”. The White House and
Twitter have denied the claims and the researcher has yet to provide
any definitive proof.