Compromised Credentials used by Hackers to Access the Content Management System

Hacker

Security analysts suspect that hackers used stolen passwords to access the content management system behind the website of Donald Trump’s campaign.

Hackers managed to hack into the website on Tuesday and modify the content on it. The message ‘This domain was confiscated’ was posted on donaldjtrump.com for a brief amount of time.

Trump campaign spokesman Tim Murtaugh, who also announced that law enforcement had been called on to investigate, reported the attack. He also said no personal data had been compromised.

The hackers said they managed to compromise confidential details on President Trump in the message posted on the website. They also provided two wallet IDs for cryptocurrencies, stating that if visitors sent money to them, they will release the details.

A Pretty Decent Privacy (PGP) public key was also included in the letter, which can be used to validate possible communications allegedly coming from hackers.

trump-site-hacked

The hackers most likely used stolen login codes, allegedly targeting the underlying Expression Engine content management system ( CMS), which is an alternative to WordPress, according to WordPress protection solutions provider Defiant, which produces the Wordfence product.

Although the content of the site was immediately restored, hours after the event was fixed, the “Privacy Policies” and “Terms & Conditions” sections also provided a “404 page not found” bug.

This suggests that the content management system itself, rather than the Cloudflare setup, has changed something. We also assume that the CMS being hacked is, therefore, more likely to be compromised than Cloudflare, Defiant says.

The platform uses Cloudflare as a content delivery network ( CDN), and Defiant insists that this could only have been used as an entry point if the perpetrators understood the secret IP of the domain hosting the platform. Thus, it is less plausible that this attack vector was used.

If the perpetrators had access to the Cloudflare account of the initiative and were able to direct the domain to their own IP address, merely pointing it to the correct IP address would have restored the entire website.

The concerns with the “Privacy Policy” and the “Terms & Conditions” pages, however, indicate that this was not the vector of attack.

The use of stolen passwords to enter the account where the donaldjtrump.com domain was registered would be much less likely; potential enter through FTP or SSH (would require not only FTP or SSH passwords, but also knowledge of the IP address of the root of the site); or the use of a zero-day Expression Engine bug, which has little known vulnerabilities, Defiant says.

About any possible situation entails the use of reused passwords to obtain access to the website donaldjtrump.com. Having 2-Factor Authentication allowed in virtually any case would have stopped such a situation from happening. It is also a reminder that it is critical not only to allow 2-Factor Authentication on the administrative panel of your website but on any service it provides, even services that you might not think of as insecure, concludes Defiant.

The attack comes shortly after a Dutch security researcher reported that by guessing his password, which he said was “maga2020!” he acquired access to Donald Trump’s Twitter account. ”. The arguments have been refuted by the White House and Twitter and the researcher has yet to provide any definitive proof.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.