Cyber Incident Victim: Northwestern University
Date: Apr 2023
Location: United States of America
Summary
A cyber incident affected Northwestern University and other academic institutions: attackers planted spam pages on self-hosted wikis running MediaWiki and TWiki. The pages promoted fake Fortnite gift cards and cheats and redirected visitors to phishing forms built to harvest account credentials. The same campaign reached government websites, including a European Union portal, by abusing legitimate upload features to host fraudulent content.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around April 19, 2023, a spam campaign targeting university websites was identified and investigated. The campaign compromised wiki and documentation pages hosted by numerous prominent U.S. educational institutions. Researchers observed that sub-domains belonging to Stanford University, the Massachusetts Institute of Technology (MIT), the University of California, Berkeley, the University of Massachusetts Amherst, Northeastern University, and the California Institute of Technology (Caltech) were affected. BleepingComputer subsequently confirmed that the campaign was active and had also hit the University of Michigan, widening the known scope of the incident. The common factor was the software: the affected sites ran either the TWiki or the MediaWiki wiki engine, the latter being the same software that powers Wikipedia.

The attackers uploaded spam pages to the compromised wikis. These pages lured visitors with promises of free digital rewards, specifically 'Fortnite Bucks' (the in-game currency of the video game Fortnite), 'free gift cards' and cheats. Each page acted as a gateway to an external site that loaded a counterfeit Fortnite page; that page was a phishing form prompting visitors to enter their account credentials. In other instances the pages promised gift cards but first required visitors to complete fraudulent surveys, which harvested further personal data or generated ad revenue for the attackers.
The campaign's impact extended beyond the academic sector. Although university wikis built on MediaWiki were the primary targets, the same threat actors also compromised government web properties, including mini-sites operated by a Brazilian state government and the European Union's official Europa.eu domain. In the Europa.eu case the spammers abused the Europass e-Portfolio service, a job-search portal that lets individuals create, upload and store CVs and cover letters as PDF documents: they uploaded spam PDFs to the service, turning a legitimate upload feature into a hosting and distribution channel for their content.
The technical method used to gain access and upload the spam content remained unclear at the time of reporting, and the root-cause investigation was ongoing. MediaWiki had released security updates the previous month addressing multiple vulnerabilities, but none of the patched issues appeared relevant to the tactics seen in this campaign. The attackers may therefore have been exploiting a different, unknown vulnerability, a misconfiguration, or compromised credentials. The commonality of the affected platforms, MediaWiki and TWiki, pointed to a weakness shared by those systems or by the way they were deployed; one deployment pattern both platforms share is worth keeping in mind here, namely that a wiki which allows self-service account registration and grants new or anonymous users edit or upload rights needs no exploit at all to be filled with spam pages, which is the long-standing spam vector against open wikis.
The immediate consequence was the defacement of university and government web properties, which damaged their integrity and could mislead visitors who trusted the legitimacy of the .edu and .eu domains. The more significant impact was the risk to end-users who interacted with the malicious content. Individuals, potentially including students, faculty and staff of the affected institutions, were tricked into visiting phishing sites that aimed to steal their login credentials for Fortnite and other services. Such credential theft can lead to account takeover, financial loss where payment methods are linked, and further privacy violations. The abuse of Europass also posed a risk to people using that platform for job searches, since their interaction with the legitimate service could lead them to the malicious uploaded documents.
In response to the incident, security researchers published notification and analysis of the campaign. The initial discovery was credited to a Twitter user, g0njxa, who identified over a dozen compromised university sub-domains. Cybersecurity news outlets such as BleepingComputer then independently confirmed the findings, expanded the list of known victims and worked to establish the campaign's breadth. The primary response action advised for administrators of MediaWiki and TWiki instances was a thorough sweep of their sites to identify and remove spam and malicious content, focusing on pages, titles and uploaded files containing keywords associated with the campaign such as 'gift card' and 'Fortnite'. Because a keyword sweep only finds the lures already known, such a sweep is best paired with a review of recently created pages and recently registered accounts, followed by deletion of the spam pages and blocking of the accounts that created them. Users were separately advised not to click suspicious links found on compromised wiki pages, to reduce the risk of falling victim to the associated phishing schemes. The broader response involved continued investigation by security researchers to determine the initial point of compromise and identify the specific technique being used by the threat actors.
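The sweep advised above can be driven from MediaWiki's own action API rather than by hand. The following is an added example written for this page, not code from the page, from the researchers, or from the MediaWiki project. It takes the JSON shapes MediaWiki's api.php returns for `list=search` (with `srprop=snippet|timestamp`), `list=recentchanges` (with `rcprop=title|user|timestamp|flags`) and `list=allusers` (with `auprop=registration`), flags every page that matches campaign keywords, and ranks pages created by newly registered accounts first. The three responses below are constructed sample data standing in for live API calls; the keyword list beyond 'gift card' and 'Fortnite', the seven-day "new account" threshold and the scoring weights are assumptions chosen for the example.

```python
"""Keyword-plus-account-age sweep of MediaWiki search results for wiki spam.

Added example for this page (not the page's or MediaWiki's own code). The
dict literals below are constructed samples of api.php JSON responses; in
a real sweep they would come from e.g.
  api.php?action=query&list=search&srsearch=insource:"gift card"&srprop=snippet|timestamp&format=json
"""
import re
from datetime import datetime

# 'gift card' and 'fortnite' are the keywords named in the cleanup advice;
# the other two are assumed extensions matching the lures described above.
SPAM_KEYWORDS = ("gift card", "fortnite", "free gift", "cheats")
NEW_ACCOUNT_DAYS = 7   # assumed: accounts younger than this are suspicious
NEW_ACCOUNT_BONUS = 2  # assumed scoring weight for a page made by such an account

TAG_RE = re.compile(r"<[^>]+>")  # search snippets carry <span class="searchmatch"> markup

# Constructed sample responses (shapes follow MediaWiki's action API).
SEARCH_RESPONSE = {"query": {"search": [
    {"ns": 0, "pageid": 48213, "title": "Free Fortnite Gift Cards 2023",
     "timestamp": "2023-04-18T23:41:07Z",
     "snippet": "Get your <span class=\"searchmatch\">free gift</span> card and Fortnite cheats now"},
    {"ns": 0, "pageid": 1022, "title": "Lab Safety Procedures",
     "timestamp": "2021-09-03T14:02:10Z",
     "snippet": "bring your ID <span class=\"searchmatch\">card</span> to the gift shop for"},
    {"ns": 0, "pageid": 3310, "title": "Cluster Scheduling FAQ",
     "timestamp": "2023-04-17T10:00:00Z",
     "snippet": "Gift card prizes for the hackathon are handled by the department"},
]}}
RC_RESPONSE = {"query": {"recentchanges": [
    {"type": "new", "ns": 0, "title": "Free Fortnite Gift Cards 2023",
     "user": "Fnrewards2023", "timestamp": "2023-04-18T23:41:07Z", "new": ""},
    {"type": "edit", "ns": 0, "title": "Cluster Scheduling FAQ",
     "user": "rdavis", "timestamp": "2023-04-17T10:00:00Z"},
]}}
USERS_RESPONSE = {"query": {"allusers": [
    {"userid": 9021, "name": "Fnrewards2023", "registration": "2023-04-18T23:30:12Z"},
    {"userid": 14, "name": "rdavis", "registration": "2015-01-12T09:00:00Z"},
]}}
NOW = datetime(2023, 4, 19, 12, 0, 0)  # fixed "now" so the sample is reproducible


def parse_ts(ts: str) -> datetime:
    """MediaWiki API timestamps are ISO-8601 UTC, e.g. 2023-04-19T08:15:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def keyword_hits(text: str) -> list:
    """Return the campaign keywords present in text, ignoring case and HTML tags."""
    plain = TAG_RE.sub("", text).lower()
    return [kw for kw in SPAM_KEYWORDS if kw in plain]


def sweep(search_resp: dict, rc_resp: dict, users_resp: dict, now: datetime) -> list:
    """Flag search results matching spam keywords; rank new-account creations first."""
    registered = {u["name"]: parse_ts(u["registration"])
                  for u in users_resp["query"]["allusers"] if u.get("registration")}
    # Page creations only: either type == "new" or the legacy "new" flag key.
    creators = {rc["title"]: rc["user"]
                for rc in rc_resp["query"]["recentchanges"]
                if rc.get("type") == "new" or "new" in rc}
    findings = []
    for hit in search_resp["query"]["search"]:
        hits = keyword_hits(hit["title"] + " " + hit.get("snippet", ""))
        if not hits:
            continue  # snippet matched the search engine but not our keyword list
        creator = creators.get(hit["title"])
        age_days = (now - registered[creator]).days if creator in registered else None
        score = len(hits)
        if age_days is not None and age_days <= NEW_ACCOUNT_DAYS:
            score += NEW_ACCOUNT_BONUS
        findings.append({"title": hit["title"], "pageid": hit["pageid"],
                         "keywords": hits, "creator": creator,
                         "account_age_days": age_days, "score": score})
    findings.sort(key=lambda f: (-f["score"], f["title"]))
    return findings


def run_sweep() -> list:
    """Run the sweep over the constructed sample responses."""
    return sweep(SEARCH_RESPONSE, RC_RESPONSE, USERS_RESPONSE, NOW)


if __name__ == "__main__":
    for f in run_sweep():
        print(f"{f['score']:>2}  {f['title']!r}  by {f['creator']}  "
              f"age={f['account_age_days']}  keywords={f['keywords']}")
```

The ranking is the point: the legitimate 'Cluster Scheduling FAQ' page also mentions gift cards and would be swept up by a naive keyword grep, but it scores low because it was edited by a long-standing account, whereas the spam page scores high on both keyword density and the age of the account that created it. Deleting the high-scoring pages (`action=delete`) and blocking their creators (`action=block`) are the follow-up steps; both are standard MediaWiki API actions that need a token and appropriate rights.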
