
Cyber Incident Victim: University of California, Berkeley

Date:

Apr 2023

Location:

United States of America

Summary

The University of California, Berkeley was among numerous U.S. universities whose wiki-based websites were compromised to host spam content. The hacked pages, running on platforms such as MediaWiki and TWiki, were altered to display fraudulent offers for Fortnite in-game currency and gift cards. These pages redirected visitors to phishing sites that attempted to harvest their credentials through fake surveys and login forms.

CIA Posture: available to members

Motives: 3 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: available to members

Location: available to members

Description

On or around April 20, 2023, a malicious campaign was identified targeting university websites running the MediaWiki and TWiki platforms. The campaign involved the compromise of these sites to serve spam content related to the online video game Fortnite and fraudulent gift card offers. Researchers observed that wiki and documentation pages hosted by multiple prominent U.S. universities were affected. The University of California, Berkeley was among the confirmed institutions whose web infrastructure was compromised in this incident. Other universities impacted included Stanford, MIT, UMass Amherst, Northeastern, and Caltech. The threat intelligence community, including a Twitter user identified as g0njxa, initially brought attention to the campaign by identifying over a dozen compromised university sub-domains.


The attacker's method involved uploading spam pages to the compromised wiki sites. These pages were designed to lure visitors with promises of free digital goods, specifically 'Fortnite Bucks,' the in-game currency for Fortnite, and 'free gift cards.' The pages also promoted offers for game cheats. The primary goal of these fraudulent pages was to redirect users to bogus external websites. Those external sites loaded counterfeit Fortnite pages that functioned as phishing forms, directly prompting users to enter their credentials. In other instances, the sites promised gift cards in exchange for completing surveys that were themselves fraudulent.

The scope of the incident extended beyond the academic sector. While university websites running MediaWiki or TWiki were the primary targets, the same threat actors also compromised websites belonging to government entities. This included mini-sites operated by a Brazilian state government and, notably, the European Union's official Europa.eu domain. On the Europa.eu website, the spammers specifically abused the Europass e-Portfolio service. This service is a job search portal that allows individuals to create and upload their CVs and cover letters in PDF format. The attackers exploited this functionality to upload spam PDF documents alongside the malicious wiki pages, further distributing their fraudulent content.

The technical exploit or vulnerability used by the threat actors to gain unauthorized access and upload content to these various websites remained undetermined at the time of reporting. The investigation into the root cause was ongoing. MediaWiki, the content management system that powers Wikipedia, had released security updates the previous month to address multiple vulnerabilities. However, an initial assessment indicated that none of these patched vulnerabilities appeared to be directly relevant to the methods used in this particular campaign. This lack of a clear initial vector complicated the immediate response for system administrators.

The impact of the incident was multifaceted, affecting the targeted organizations and their users. For the universities, including UC Berkeley, the compromise led to a degradation of their web presence and a loss of integrity for their affected sub-domains. These resources, typically used for documentation and collaborative work, were repurposed to host malicious content, potentially damaging institutional reputation and trust. For end-users, the primary risk was exposure to phishing attempts and scams. Users who interacted with the links on the compromised wiki pages were directed to fraudulent sites designed to harvest their login credentials or trick them into completing surveys for non-existent rewards.

The response to the incident involved detection and containment efforts by the security community and the affected organizations. The initial detection was carried out by external security researchers and threat intelligence analysts who publicly disclosed their findings. Following this disclosure, outlets such as BleepingComputer confirmed that the malicious campaign was active and identified additional compromised sites, including those belonging to the University of Michigan. The public disclosure served as the primary means of alerting system administrators at the targeted institutions, including those at UC Berkeley. The recommended response action for these administrators was to sweep their websites for spam and malicious content. This involved conducting thorough reviews of their wiki installations, particularly searching for and removing pages and uploads that contained keywords associated with the campaign, such as 'gift card,' 'Fortnite,' and similar terms. A public advisory was also issued, warning users to refrain from clicking on any suspicious links found on the compromised wiki pages, to reduce the risk of falling victim to the associated phishing scams. The investigation into the root cause of the widespread compromise continued as part of the broader response effort.
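The sweep recommended above is easy to script once a wiki's recent revisions have been exported. The following is an added example, not code from the incident record or from any of the affected institutions: it scans a constructed set of wiki revisions for the campaign's lure terms, extracts links pointing off the institution's own domains (the redirect behaviour described above), and tallies which accounts created the flagged pages so that an administrator can review and remove them together. The page data, account names and hostnames are constructed placeholders; in practice the records would come from the wiki's recent-changes or revision export.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class WikiPage:
    title: str       # page title as stored by the wiki (underscores for spaces)
    user: str        # account that saved the revision
    timestamp: str   # ISO 8601 timestamp of the revision
    text: str        # wikitext of the revision


# Lure terms tied to this campaign (gift-card / Fortnite offers, cheats, surveys).
# Extend with "similar terms" found during a real review.
CAMPAIGN_TERMS = ("gift card", "fortnite", "cheat", "survey")

# Constructed sample revisions: two legitimate pages and two spam uploads
# from the same throwaway account.
SAMPLE_PAGES = [
    WikiPage("Cluster_Login_Guide", "sysadmin", "2023-04-18T09:12:00Z",
             "Use ssh to reach login.cs.example.edu. See [[SLURM_Basics]]."),
    WikiPage("FREE_FORTNITE_BUCKS_2023", "newuser9931", "2023-04-20T03:41:10Z",
             "Get free Fortnite Bucks today!! Claim here: "
             "[https://fortnite-rewards.example.net/claim CLICK]"),
    WikiPage("Free_Gift_Card_Generator", "newuser9931", "2023-04-20T03:44:52Z",
             "Complete a quick survey and get a free gift card "
             "https://survey-prizes.example.net/go"),
    WikiPage("Lab_Meeting_Notes", "postdoc_k", "2023-04-20T10:00:00Z",
             "Agenda: paper review. Slides at https://wiki.example.edu/slides"),
]

TERM_RE = re.compile("|".join(re.escape(t) for t in CAMPAIGN_TERMS), re.IGNORECASE)
# Matches the host part of bare URLs and of wikitext external links [https://... label].
URL_RE = re.compile(r"https?://([^/\s\]]+)", re.IGNORECASE)


def external_hosts(text, own_domains):
    """Return hostnames linked from the text that are not under the wiki's own domains."""
    hosts = set()
    for host in URL_RE.findall(text):
        host = host.lower()
        if not any(host == d or host.endswith("." + d) for d in own_domains):
            hosts.add(host)
    return sorted(hosts)


def find_spam_pages(pages, own_domains):
    """Flag revisions whose title or body contains campaign terms; record off-site links."""
    flagged = []
    for page in pages:
        haystack = page.title.replace("_", " ") + "\n" + page.text
        terms = sorted({m.group(0).lower() for m in TERM_RE.finditer(haystack)})
        if terms:
            flagged.append({
                "title": page.title,
                "user": page.user,
                "timestamp": page.timestamp,
                "terms": terms,
                "external_hosts": external_hosts(page.text, own_domains),
            })
    return flagged


def suspicious_accounts(flagged):
    """Accounts behind flagged pages, most prolific first; these are the ones to review/block."""
    return Counter(entry["user"] for entry in flagged).most_common()


if __name__ == "__main__":
    hits = find_spam_pages(SAMPLE_PAGES, own_domains=("example.edu",))
    for hit in hits:
        print(f"{hit['timestamp']} {hit['user']:<14} {hit['title']:<28} "
              f"terms={hit['terms']} links={hit['external_hosts']}")
    print("accounts:", suspicious_accounts(hits))
```

Matching on the title as well as the body matters because the spam pages advertise themselves in the title; recording off-site hosts gives the team a list of redirect destinations to block at the proxy while the pages are being removed.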

Sources

1 source (available to members)