Date: Jun 2023

Location: Italy

Summary

A cyber attack compromised the Italian Ministry of Economy and Finance's Staff Pension Fund website, resulting in a defacement. The site's homepage was replaced with content promoting an online gaming and betting service. The defacement persisted long enough for search engines to index the altered content. The outdated Joomla content management system was identified as a potential attack vector, raising concerns that personal data of personnel and their families could have been exposed for potential misuse.


Description

On or around June 27, 2023, an anonymous user reported a defacement of the website for the Staff Pension Fund of the Italian Ministry of Economy and Finance. The website, located at https://www.fondoprevidenzafinanze.it/, had its homepage replaced with content advertising an online gaming and betting service. This defacement was observed and documented at 3:09 PM on that date. The alteration of the visible content of the web application constituted an unauthorized modification by an external actor. The nature of the defacement, promoting a commercial gambling service, differed from typical hacktivist activities, which are generally motivated by political or social messages, suggesting the primary motive may have been a large-scale advertising campaign.

The defacement was not a transient event and had persisted for a sufficient duration to be indexed by Google's automated bots. This indexing resulted in the search engine replacing the site's original search engine optimization description with the new content from the altered homepage. The subpages of the website remained accessible and clickable, but the main entry point was fully compromised. An analysis of the website's structure indicated the content management system (CMS) framework in use was Joomla. A specific file path, https://www.fondoprevidenzafinanze.it/administrator/manifests/files/joomla.xml, revealed the Joomla version dated back to April 2013, indicating the software had not been updated for approximately a decade prior to the incident.
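The age check described above can also be run by administrators against the core manifest of their own installation. The following is an added example, not code from the original report or from the Joomla project; the sample manifest, its placeholder version string, the `audit_manifest` helper and the one-year threshold are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Constructed sample (not taken from the affected site). The layout follows
# Joomla's administrator/manifests/files/joomla.xml; the version string is a
# placeholder, only the "April 2013" date comes from the report.
SAMPLE_MANIFEST = """<extension version="0.0" type="file" method="upgrade">
  <name>files_joomla</name>
  <creationDate>April 2013</creationDate>
  <version>0.0.0-placeholder</version>
</extension>
"""

# creationDate is free text; try the formats commonly seen in manifests.
DATE_FORMATS = ("%B %Y", "%b %Y", "%Y-%m-%d", "%Y-%m")


def parse_creation_date(text):
    """Return a date for the manifest's creationDate, or None if unparseable."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None


def audit_manifest(xml_text, today, max_age_days=365):
    """Parse a Joomla core manifest and report how old the release is."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"status": "unreadable", "detail": str(exc)}
    version = (root.findtext("version") or "").strip() or None
    released = parse_creation_date(root.findtext("creationDate") or "")
    if released is None:
        # An unknown release date is a finding to follow up, not a pass.
        return {"status": "unknown-age", "version": version}
    age_days = (today - released).days
    status = "stale" if age_days > max_age_days else "current"
    return {"status": status, "version": version,
            "released": released.isoformat(), "age_days": age_days}


if __name__ == "__main__":
    # Evaluated as of the date the defacement was reported.
    print(audit_manifest(SAMPLE_MANIFEST, today=date(2023, 6, 27)))
```

Because this manifest is served from a predictable path, restricting web access to the `administrator/` directory also keeps the installed release date out of view of unauthenticated visitors.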

The use of such an outdated software version presented a significant security risk, as it likely contained known and unpatched vulnerabilities. This lack of technological upkeep created conditions conducive to vulnerability layering, increasing the potential for malicious actors to exploit the site further. Beyond the defacement, the compromised system could have been used to plant malware or facilitate various types of electronic fraud. Furthermore, the website contained references to the processing of personnel cases, noting that 3,183 cases were settled in a session on May 31, 2023. This raised concerns that a targeted campaign might have allowed for the exfiltration of health data belonging to Ministry of Finance personnel and their family members, which could be leveraged for subsequent malicious campaigns or activities.

In response to the discovery, an attempt was made to notify the organization via its designated legal email mailbox, [email protected]. This notification effort, however, encountered a technical delivery failure due to a reception error on the pec.it email server, preventing the report from immediately reaching its intended recipients. By approximately 5:00 PM on June 27, 2023, the website began responding with its correct, original homepage. This restoration of service indicated that the defacement had been identified and rectified by the site's administrators, though the specific actions taken to contain and remediate the issue were not detailed in the public report. The timing of the restoration suggested the corrective action may have been prompted by external awareness of the issue, potentially from the attempted notification or from other sources. The incident was reported to have concluded with the website returning to its normal state, and an offer was extended to the organization to provide a statement or updates for publication.
