Cyber Incident Victim: Brazilian state government website

Date:

Apr 2023

Location:

Brazil

Summary

A Brazilian state government website was compromised as part of a widespread spam campaign targeting websites using MediaWiki and TWiki platforms. The site was hacked to host fraudulent pages promoting fake Fortnite gift card offers and cheats, which attempted to phish for user credentials. This incident was part of a larger operation that also affected numerous U.S. university websites and a European Union job portal service.

Description

On or around April 20, 2023, a malicious spam campaign was identified targeting the wiki and documentation pages of numerous prominent United States universities. The compromised institutions included Stanford University, the Massachusetts Institute of Technology (MIT), the University of California, Berkeley, the University of Massachusetts Amherst, Northeastern University, and the California Institute of Technology (Caltech). The campaign was first brought to public attention by a Twitter user identified as g0njxa, who observed over a dozen compromised university subdomains serving spam content. Security researchers confirmed the campaign was active and had also affected the website of the University of Michigan, among other scholastic institutions.

The affected websites were running either the TWiki or MediaWiki content management system platforms. MediaWiki is the same open-source software that powers Wikipedia and other Wikimedia Foundation websites. The attackers exploited these systems to upload spam pages directly onto the universities' web servers. The primary content of these unauthorized pages was designed to lure visitors with promises of free gift cards, virtual currency for the popular game Fortnite known as 'Fortnite Bucks,' and game cheats. These lures were intended to drive traffic to external, bogus websites.

The external domains linked from the compromised wiki pages loaded counterfeit Fortnite-themed sites. These sites were effectively phishing forms that prompted unsuspecting users to enter their account credentials, risking the theft of their login information. In other observed instances, the spam pages promised users gift cards in exchange for completing fraudulent surveys, which are a common tactic for generating illicit revenue or harvesting personal information.

While the primary focus of the campaign was on U.S. educational institutions, the same threat actors also targeted government websites, indicating a broader scope. This included a mini-site hosted by a Brazilian state government, specifically the website semed.capital.ms.gov.br. Additionally, the European Union's official Europa.eu domain was impacted. In the case of Europa.eu, the spammers abused the Europass e-Portfolio service. This service is a job search portal that allows individuals to create, upload, and store their CVs and cover letters as PDF documents. The attackers leveraged this functionality to upload spam PDF documents containing similar fraudulent offers.

The exact method of compromise remained unclear at the time of reporting. Threat actors were successfully uploading spam pages and PDF documents to the web servers of these legitimate organizations, but the specific vulnerability or exploit being leveraged was not identified. MediaWiki had released security updates the previous month, in March 2023, addressing multiple vulnerabilities in the platform. However, an initial assessment indicated that none of the patched vulnerabilities appeared to be directly relevant to the ongoing malicious campaign, leaving the initial attack vector undetermined.

The impact of the incident was multifaceted, affecting the integrity and security of the targeted websites. The unauthorized defacement of university and government web properties damaged their credibility and posed a risk to their visitors. The primary consequence was the potential for credential theft and financial scams targeting individuals who interacted with the malicious content. Users who entered their information on the phishing sites risked having their Fortnite accounts or other personal accounts compromised. Those participating in the fake surveys risked having their personal data harvested for spam or other malicious purposes.

In response to the discovery, security researchers and analysts began investigating the cause of the widespread compromise. The communities maintaining the affected wiki platforms, MediaWiki and TWiki, were urged, at least implicitly, to review their systems. System administrators running these platforms were advised to sweep their installations for spam or other malicious content. This cleanup involved searching for, and removing, pages and uploaded resources containing keywords associated with the campaign, such as 'gift card,' 'Fortnite,' and similar terms. As a protective measure for the public, users were advised not to click suspicious links found on any compromised wiki pages. The investigation into the root cause of the incident was ongoing as of the initial report.
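The keyword sweep recommended above, as an added example that is not from the original report or from the MediaWiki or TWiki projects: a POSIX shell script that scans an upload directory and an XML page export for the campaign's lure terms. The directory layout, file names and sample contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: sweep a wiki install for the lure keywords used in this
# campaign. Paths and sample files below are assumptions, not the sites' own.

# Case-insensitive alternation of the lure terms named in the report.
SPAM_PATTERN='gift card|fortnite|cheat'

# sweep_wiki DIR -> prints each matching file once, sorted.
# -a treats binaries as text so uploaded PDFs (as in the Europass case)
# are inspected rather than skipped.
sweep_wiki() {
  grep -rilaE -- "$SPAM_PATTERN" "$1" 2>/dev/null | sort
}

# count_hits DIR -> number of matching files, a quick triage metric.
count_hits() {
  sweep_wiki "$1" | wc -l | tr -d ' '
}

# make_sample -> path of a constructed install: two spam uploads, one spam
# page in the XML export, one legitimate page. Lets the sweep run offline.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/images/uploads" "$d/dump"
  printf 'Claim your FREE Fortnite gift card now!\n' > "$d/images/uploads/offer.txt"
  printf '%%PDF-1.4 constructed\nFortnite Bucks cheat inside\n' > "$d/images/uploads/cv.pdf"
  printf '<page><title>Help:Editing</title><text>How to edit pages</text></page>\n' \
    > "$d/dump/pages.xml"
  printf '<page><title>Gift_Card</title><text>gift card survey here</text></page>\n' \
    > "$d/dump/spam.xml"
  echo "$d"
}

# Stand-alone run: build the sample, list hits, report the count.
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample)
  sweep_wiki "$sample"
  echo "files flagged: $(count_hits "$sample")"
  rm -rf "$sample"
fi
```

Review flagged files by hand before deleting: a legitimate page that merely mentions a game is a false positive, and removal should be paired with a check of how the content was uploaded.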
