Nextcry or how a hacker tried to exploit a NGINX issue with 2 Nextcloud servers out of 300,000 hit and no payout

Originally published at: https://nextcloud.com/blog/nextcry-or-how-a-hacker-tried-to-exploit-a-nginx-issue-with-2-nextcloud-servers-out-of-300-000-hit-and-no-payout/

As you might have read in various news outlets, an attacker has been trying to use a known and reported NGINX/PHP-FPM bug (CVE-2019-11043) to break into servers. After breaking into the server and gaining control, the attacker used a compiled python script that encrypts data in the Nextcloud data folder and unsuccessfully tried to get ransom paid for decrypting it. The servers that were broken into were two private servers. As most Nextcloud users don’t use NGINX and those who do have largely updated following our warnings 3 weeks ago, only these 2 servers out of 300,000 are known to be compromised and no ransom payments to the bitcoin address have been made.

As the attacker gained full control over the server through a bug outside the control of Nextcloud, we could not do anything other than warn our users to update and secure their servers. For this we reached out through social media, mailing lists and our blog and also used our administrator notification feature to reach out to all server administrators (who did not disable this feature).

We repeat our official statement to the press below.

We are confident that the attack vector was the nginx+php-fpm security issue that hit the web some time ago.

While it was not an issue in Nextcloud itself, we informed our users through all channels we had available, including a direct notification to all administrators of Nextcloud servers. This likely explains why so few servers were impacted out of the hundreds of thousands of Nextcloud servers on the web.

We consider it a lesson that shows the value of taking security seriously. We urge other PHP based projects to also issue warnings to their users about this issue, as this vulnerability persists for some.

Some background on the issue:

PHP bug report: https://bugs.php.net/bug.php?id=78599

Our blog: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/

CVE: nvd.nist.gov/vuln/detail/CVE-2019-11043

So the “task” of the hacker was:

  1. read our blog
  2. find Nextcloud servers
  3. try to execute the exploit of php_fpm+nginx

The attacker bothered to write a python script to explicitly target Nextcloud servers. We hope the lack of results will act as a deterrent from doing this in the future.

Given we have a USD 10K security bug bounty program, we’d expect most hackers that find an issue in Nextcloud serious enough to do this to report it to us.

Until now, nobody has found such a serious vulnerability, but if you think you know one, please report it and collect your bounty! We are the only on-premises file sync and collaboration solution with such a big bounty, showing how seriously we take security.

Bleepingcomputer, which first reported this issue, noted about the bitcoin wallet the attacker used:

no transactions have been recorded until now

While we are of course sorry for the two users whose servers were hit, we are also glad that this incident shows that our prompt (and, by some, called over-the-top) response to the security issue in NGINX and PHP-FPM was effective in helping protect our users from the risk.


I know it’s a bug in PHP-FPM, but I could not find any references if people who are using Nextcloud with NGINX and uWSGI are actually safe.

The NGINX config for uWSGI looks very similar to the NGINX config for PHP-FPM, so I am still thinking that this could potentially also apply to Nextcloud on uWSGI setups. Any rebuttal of this theory?

I am not sure, but I absolutely would make sure to run a version of PHP that has this issue fixed… Those should be available for your distribution by now.

Note that the configuration change AND the PHP update each make the system safe, independently. Of course, I’d suggest you do both, but one is enough if you’re worried.
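For readers wondering what “the configuration change” in the reply above refers to: the following is an added illustration, not config from this thread or from Nextcloud’s own documentation. It shows a typical NGINX + PHP-FPM `location` block of the shape CVE-2019-11043 affected, once without and once with the `try_files` check that was the widely published mitigation for that CVE (the same one given in the Nextcloud advisory linked in the first post). The paths, socket name and the exact `location` regex are assumptions; the two blocks are shown side by side for comparison and would not both be active in a real config. The other half of the fix is the PHP-FPM update itself (7.1.33, 7.2.24 and 7.3.11 carry the patch); as the reply says, either one alone closes the hole, both is better.

```nginx
# Constructed example for comparison; not the thread's or Nextcloud's own config.
# Socket path, regex and document root are assumptions.

# --- weak (before) ---
location ~ \.php(?:$|/) {
    # Splits the URI into the script name and a trailing PATH_INFO.
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # Nothing here verifies that the resolved script exists on disk, so a
    # request for which the split yields an empty PATH_INFO is still handed
    # to PHP-FPM; that is the precondition CVE-2019-11043 needed.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}

# --- hardened (after) ---
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # Mitigation: answer 404 unless the script NGINX resolved actually exists,
    # so crafted URIs that do not map to a real .php file never reach PHP-FPM.
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
```

Practical check: after editing, `nginx -t` validates the syntax, and `php-fpm -v` (or your distribution’s `php --version`) tells you whether you are already on a patched PHP release, in which case the `try_files` line is belt-and-braces rather than a requirement.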

For the 2 servers that did get hit, wouldn’t the Ransomware recovery app help them get their ransomed data back without paying the ransom? Even without it, you should be able to get back the data using Nextcloud’s built-in file versioning.

Seems like it might be nice to highlight this in the article (or a different one) since it further illustrates that ransomware attacks on Nextcloud should usually be ineffective. Might be a bit of deterrence for future attacks (and hopefully not motivation to disprove this).

No, this app is intended to monitor syncing from compromised (probably mostly Windows) clients that try to upload files encrypted by ransomware. It requires a non-compromised Nextcloud server.

For your second remark: backups, backups, backups. With a 3-2-1 strategy at least. Can’t repeat it often enough. It is the only thing that protects one against ransomware.


As Alfred already said, this unfortunately does not work. The server was 100% compromised because of the NGINX issue and there was nothing Nextcloud could do. At this point you can’t use server apps like our ransomware protection or versioning to roll back the changes - as everything was encrypted on the server…

Those tools do protect you against the much more common case of ransomware on clients.


Hi, I didn’t get that information.
Through which mailing list did you send it? I’m subscribed to the Nextcloud newsletter, but there hasn’t been a mail about this issue.
What administrator notification feature do you mean exactly?

(Fortunately I’m not affected, but I really want to get this kind of information instantly in future.)


I had it in the web interface, saw it here and that’s it.

Hi @wdfee - we used the release mailing list I believe, not the usual informative newsletter. I can’t check atm, seems I broke our newsletter system by hitting a wrong button to clear some caches :cry:
Anyway, we also sent an admin notification, the same as we did some time ago for the Nextcloud Conference. This generates a notification for the admin users and everyone in the group that should receive such notifications - https://github.com/nextcloud/notifications/issues/426

Yes, it is unwise to turn that off because you get 1 notification per year there and feel spammed by that… But of course that’s a decision for the sysadmin. And we’ll try and make this better - not all servers have a sysadmin who uses it directly.

Hi @jospoortvliet, that’s strange. I’m on the release mailing list (and on the usual newsletter and Conference newsletter) and didn’t get such an email. Only announcements for new versions.
I have two Nextcloud instances and turned the announcement feature on in both (admin group activated, I am the admin); neither of them received a notification about this.

@wdfee let me check then where we send it out…

– ok, so we did NOT do a newsletter to the public right away, I thought we did :frowning: We did the notification, blog and social media, but the newsletter mention was only in the November 12 newsletter, as a special warning in the top section.

We don’t really have a separate security list, but I think the release announcement list would be the best place for this going forward.

WRT the notification, if you don’t have the feature deactivated and you’re admin, but did not get the notification, that is really weird… I got it on my private one too, and given some responses from people it must have worked. As we can’t only send a notification to one server we can’t really test it beyond that. You checked the settings, I presume? Did you get the conference notification?

The feed that your server pulls is edited by us here:

See https://github.com/nextcloud/announcer/pull/2/files for the actual announcement.

Always a good way to start with staying reasonable, I guess.
:+1:

Just being not that much reasonable:

Happy hacking.
:sunflower:
