Dear Maplegrove Customers,

On 11/25 our networks observed unusual mail traffic being relayed through our systems. Upon further investigation we discovered spam was being relayed through our outbound gateway as a result of a compromised customer WordPress instance. This report summarizes the incident and the security steps we have taken to resolve this issue. If you are hosting a WordPress website with us please consider reading through this advisory in detail. We will also send separate guidance directly to customer(s) impacted in our shared-managed hosted environment. If you do not receive follow-up communication directly, you are not impacted by this advisory. You may wish to read specific sections based on the relevance/interest you may have regarding this alert (SUMMARY, IMPACT, RESOLUTION).

SUMMARY

After a review of our mail logs we quickly determined the offending website instance. No active malware or anti-virus signatures in our database were able to detect the malware, but we identified the custom files that had been placed onto this customer’s hosting environment. We “reverse-engineered” and studied the malware further to re-create the capabilities employed by the unauthorized access. Our analysis led us to discover that a custom shellcode had been loaded to try and obtain system privileges. We identified the point of entry as being a vulnerable WordPress plugin, “Google Analytics Counter Tracker,” which allowed for custom PHP code to be injected directly into the customer website. This vulnerability was discovered and made accessible on 11/15/2016.

https://www.pluginvulnerabilities.com/2016/11/15/vulnerability-details-php-object-injection-vulnerability-in-google-analytics-counter-tracker/

CUSTOMER IMPACT

No customer email services or dedicated hosting environments were impacted by this infection as these services are isolated. We identified that the loaded shellcode was likely automatically installed, which we assess based on the infection date and vulnerability disclosure date being the same. We also observed in our web logs regular interval traffic, suggesting that the infection was launched and executed automatically. The offending IP address is: 217.28.218.227. This host continues to try and make contact after the infection was removed, suggesting an automated botnet coordinating email spam delivery. Our network is dropping all packets from the originating source.

We do assess, however, that had this shellcode been employed and used by an individual manually managing the compromise, the potential to break out of the managed web host containers and read other database configuration files was possible, as an unprivileged, non-administrative entity. Although the evidence suggests this was automated, we cannot rule out that these configuration files or other web-based files could have been read for individual web applications in the same environment. No forensic evidence or review suggests that this happened, but we have taken the following steps to ensure adequate resolution and security posture.

RESOLUTION

Maplegrove has taken the following steps to remediate the issue and improve security posture:

1. The webserver(s) responsible for our managed hosting/podcast community package have been modified to prohibit certain PHP functions from being executed, to prevent future compromises from being able to utilize techniques to escape the customer’s individual website host. This protects our containerization strategy and ensures the compromise of an individual customer website will not impact other customer containers nearby.

2. All WordPress / community sites that we are authorized to automatically manage for our customers have been patched and updated to the latest release. Plugins have been updated and reviewed to ensure similar vulnerabilities to the one reported are not present in other customer installations.

3. All database application servers will have passwords rotated. Our database hosting environment is not accessible from the internet, but we have taken this as an extra precautionary step.

4. Queued emails with illegitimate mail were expunged and updated. We have ensured IP rating and reputation are at full functionality and that mail is delivering to commercial ISPs as expected.

5. Our edge network is blocking all future packets from the offending source of this attack, and monitoring alerts are being configured to directly alert on new sources that may impact customers in the future.

Maplegrove takes seriously the security and integrity of our systems and resources. Should you have any questions about this advisory or any potential impacts, please reach out to us directly or open a support ticket with us.