Cyber Incident Victim: California Institute of Technology
Date: Apr 2023
Location: United States of America
Summary
The California Institute of Technology was among multiple U.S. universities whose wiki and documentation websites were compromised in a malicious campaign. The attackers exploited these platforms to host spam pages that promoted fake offers for Fortnite currency and gift cards. These pages redirected users to phishing forms designed to harvest their credentials through bogus surveys and fraudulent promotions.
Description
On or around April 19, 2023, a malicious campaign was identified targeting university websites running the MediaWiki and TWiki wiki platforms. The campaign compromised these platforms to host and serve spam content. Researchers observed that wiki and documentation pages hosted by multiple prominent U.S. universities had been compromised. The California Institute of Technology (Caltech) was among the institutions confirmed to be affected. Other universities impacted included Stanford, the Massachusetts Institute of Technology (MIT), the University of California, Berkeley, the University of Massachusetts Amherst, and Northeastern University. The University of Michigan was subsequently confirmed to be a target of the same campaign.

The primary action taken by the threat actors was the unauthorized upload of spam pages to the compromised wiki sites. These pages were designed to lure visitors with offers of free digital goods. The content specifically promoted 'Fortnite Bucks' (a reference to V-Bucks, the in-game currency of the video game Fortnite), as well as 'free gift cards' and cheats. The pages served as landing pages that redirected users to external, bogus websites. These external sites mimicked legitimate offers but were in fact phishing forms engineered to harvest user credentials. In some instances, the sites prompted users to complete fraudulent surveys under the false pretense of earning gift cards.
The scope of the incident extended beyond the educational sector. Although the primary targets were university websites, evidence indicated that government websites were also compromised by the same threat actors. This included mini-sites operated by a Brazilian state government and services hosted on the European Union's Europa.eu domain. Specifically, on Europa.eu, the threat actors abused the Europass e-Portfolio service. This service is a job search portal that allows users to create, upload, and host their CVs and cover letters as PDF documents. The attackers exploited this functionality to upload spam PDFs containing similar fraudulent offers, thereby leveraging the legitimacy of the government domain to host their malicious content.
The technical method of compromise remained unclear at the time of the reporting. It was not determined what specific vulnerability or exploit was leveraged by the threat actors to gain the ability to upload content to the wiki platforms. MediaWiki, the software that powers Wikipedia, had released security updates the previous month to address multiple vulnerabilities. However, an initial assessment indicated that none of those patched vulnerabilities appeared to be directly relevant to the ongoing malicious campaign. The exact initial access vector, whether it involved a software flaw, a misconfiguration, or compromised credentials, was not publicly identified.
The impact was twofold: it damaged the integrity of the affected organizations' web presence and put their visitors at risk. For the organizations, including Caltech, the compromise amounted to defacement of their subdomains and misuse of their infrastructure to host malicious content, which undermined the reputation and trustworthiness of their online services. For visitors to the compromised wiki pages, the risk was credential theft and falling victim to the scams: anyone who followed the links and submitted information to the phishing forms risked having their account credentials stolen.
Detection of the incident occurred through external researchers. On April 20, 2023, a Twitter user named g0njxa publicly identified over a dozen compromised sub-domains belonging to U.S. universities that were serving the Fortnite spam. This public disclosure was followed by analysis and confirmation from cybersecurity news outlets, including BleepingComputer, which verified that the campaign was live and had targeted additional scholastic websites. The role of threat intelligence analysts, such as Gi7w0rm, was also acknowledged in bringing attention to the widespread campaign.
In response to the discovery, the public reporting served as the primary method of notification to the affected organizations and their system administrators. The articles published contained direct guidance aimed at the administrators responsible for maintaining MediaWiki and TWiki instances. The recommended response action for these administrators was to sweep their websites for any spam and malicious content. This involved conducting thorough reviews of their wiki pages and uploaded resources, with a specific focus on identifying content containing keywords associated with the campaign, such as 'gift card,' 'Fortnite,' and other related terms. A secondary public response was a warning directed at users, advising them to refrain from clicking on suspicious links found on compromised Wiki pages to mitigate the risk of credential theft.
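A worked example of the keyword sweep recommended above, added here and not taken from the article or from the MediaWiki project. It parses a MediaWiki XML export (the format produced by Special:Export and by the dumpBackup.php maintenance script), flags pages whose title or current text contains the campaign keywords, lists the external URLs those pages send visitors to so they can be blocked, and then widens the review to every page touched by the same accounts. The keywords beyond 'gift card' and 'Fortnite', the account and page names, and the embedded export are constructed sample data for this example, not real wiki content.

```python
"""Sweep a MediaWiki XML export for spam pages pushing gift-card / Fortnite scams.

Added example; assumes the export was produced with Special:Export or
`php maintenance/dumpBackup.php --current`. The XML below is constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

# 'gift card' and 'fortnite' come from the campaign write-up; the remaining
# freebie-scam markers are this example's own assumption and should be tuned per site.
SPAM_TERMS = ("gift card", "fortnite", "v-bucks", "free generator", "cheats", "giveaway")

# Constructed sample export using the export-0.10 schema (made-up pages and users).
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.10/" version="0.10">
  <page>
    <title>Cluster Scheduler Notes</title>
    <ns>0</ns>
    <revision>
      <timestamp>2023-03-02T10:00:00Z</timestamp>
      <contributor><username>alice</username></contributor>
      <text>Use sbatch to submit jobs. Quota questions go to the FAQ page.</text>
    </revision>
  </page>
  <page>
    <title>FREE Fortnite Bucks Generator 2023</title>
    <ns>0</ns>
    <revision>
      <timestamp>2023-04-19T03:14:07Z</timestamp>
      <contributor><username>promo_user_42</username></contributor>
      <text>Claim your free GIFT CARD and Fortnite bucks now!
[http://example.com/claim Click here] http://example.net/survey?id=7</text>
    </revision>
  </page>
  <page>
    <title>User:promo_user_42</title>
    <ns>2</ns>
    <revision>
      <timestamp>2023-04-19T03:10:00Z</timestamp>
      <contributor><username>promo_user_42</username></contributor>
      <text>Hi.</text>
    </revision>
  </page>
</mediawiki>
"""

NS = {"mw": "http://www.mediawiki.org/xml/export-0.10/"}
URL_RE = re.compile(r"https?://[^\s\]|<>\"']+")


def parse_export(xml_text):
    """Return one dict per page holding the latest revision's metadata and wikitext."""
    root = ET.fromstring(xml_text)
    pages = []
    for page in root.findall("mw:page", NS):
        revs = page.findall("mw:revision", NS)
        if not revs:
            continue
        rev = revs[-1]  # revisions are exported oldest first; the last is current
        user_el = rev.find("mw:contributor/mw:username", NS)
        ip_el = rev.find("mw:contributor/mw:ip", NS)  # anonymous edits carry an <ip>
        text_el = rev.find("mw:text", NS)
        pages.append({
            "title": page.findtext("mw:title", default="", namespaces=NS),
            "ns": int(page.findtext("mw:ns", default="0", namespaces=NS)),
            "timestamp": rev.findtext("mw:timestamp", default="", namespaces=NS),
            "user": (user_el.text if user_el is not None
                     else ip_el.text if ip_el is not None else ""),
            "text": (text_el.text or "") if text_el is not None else "",
        })
    return pages


def find_spam_pages(pages, terms=SPAM_TERMS):
    """Flag pages whose title or text contains any campaign keyword (case-insensitive)."""
    hits = []
    for p in pages:
        haystack = (p["title"] + "\n" + p["text"]).lower()
        matched = [t for t in terms if t in haystack]
        if matched:
            hits.append({
                "title": p["title"],
                "user": p["user"],
                "timestamp": p["timestamp"],
                "terms": matched,
                # The external URLs are where victims get redirected; collect them for blocking.
                "links": sorted(set(URL_RE.findall(p["text"]))),
            })
    return hits


def pages_by_flagged_users(pages, hits):
    """Every page touched by an account that created spam needs review, not only the hits."""
    users = {h["user"] for h in hits if h["user"]}
    return sorted(p["title"] for p in pages if p["user"] in users)


if __name__ == "__main__":
    pages = parse_export(SAMPLE_EXPORT)
    found = find_spam_pages(pages)
    for h in found:
        print(f"{h['timestamp']} {h['user']!r} {h['title']!r} terms={h['terms']} links={h['links']}")
    print("review also:", pages_by_flagged_users(pages, found))
```

This covers page text only; uploaded files (the File namespace, Special:ListFiles) hold no wikitext and must be swept separately, and a keyword list will miss spam written to evade it, so the account-based widening at the end is the more reliable signal once a single spam page has been found.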
The consequences of the incident were the continued presence of malicious content on high-value, legitimate domains, which increased the likelihood of users trusting and interacting with the scams. The use of .edu and .gov domains provided a veil of legitimacy to the phishing campaigns, making them more effective and dangerous than if they were hosted on less reputable domains. The incident highlighted a vulnerability in the security posture of academic and governmental web infrastructure, specifically concerning third-party content management systems like wikis, which may not receive the same level of security scrutiny as primary institutional websites. The full extent of the compromise, including whether any user data was successfully stolen from individuals who interacted with the phishing sites, was not detailed in the available information. The investigation into the root cause of the widespread compromises was reported to be ongoing.
