Potential BlueVM WHMCS Breach

[peterw]

Good morning,

Earlier this morning we were informed that a potential breach of our WHMCS may have exposed user details and passwords. As such we are taking preemptive action in the event that this is even remotely true.

As I write this my staff are shutting down many of our access systems (EG: WHMCS, HyperVM, SolusVM, etc...) and are beginning a full security audit of all of our logs. As part of this clients may not be able to access these systems at this time.

In the event a breach actually occured we will be forcing a password reset on every single user's WHMCS and hypervm/solusvm passwords and will bring these systems online when we feel that the minimum safety precautions have been met.

We strongly encourage all of our users who have not changed their OpenVZ vps passwords to login to SSH at this time and change the password now.

We sincerely apologize for any inconvenience this may cause our users, but we would rather ensure our clients data is protected at all costs than have a larger breach occur. The security of our user's data is our number one priority and we take it very seriously.

AT THIS TIME THE BREACH IS NOT CONFIRMED. WE WILL UPDATE EVERYONE AS WE HAVE MORE INFORMATION

Best Regards,
Justin Johnston


BlueVM Communications LLC

Source

 

[MannDude]

I don't think any data was leaked from what I have heard. But interested in hearing more.

EDIT: 14,000th vpsBoard post

 

[peterw]

EDIT: 14,000th vpsBoard post

Where are the balloons and the confetti?

 

[ChrisM]

Where are the balloons and the confetti?

 

[MannDude]

Ok, back on topic though. Curious to learn more about the potential breach. BlueVM frequents here so I'm sure we'll get an update soon.

 

[Marc M.]

Kudos to @BlueVM for transparency   and for how he handled everything.

 

[peterw]

Looks like https://twitter.com/TwoDayExploit and https://twitter.com/YouAreBangTidy play games. Second one does not like BlueVM.

 

[BradND]

Ouch anymore information on this?

 

[wlanboy]

Did not get any email.

Why posting this on LET but not as an announcement to their customers?

 

[mikho]

Did not get any email.


Why posting this on LET but not as an announcement to their customers?

Me neither, posting it on LET only is like telling the world that LET is their new helpdesk/anouncement board.


It's a small world but not that small.

 

[Magiobiwan]

Well, we'd taken down WHMCS, making it somewhat hard to send a mass-email out.

 

[mikho]

Well, we'd taken down WHMCS, making it somewhat hard to send a mass-email out.

I'm sorry but thats a pretty lame excuse. There are ways to get the customers information directly from the database or just blocking external access to the WHMCS installation. I can understand that the first thing to do is to "kill" all access to it, second thing to do is to start looking. At this stage you have access to all the information to make a public announcement, like sending an email to your customers. Especially when it comes to asking your customers to change passwords on their vps.

If the Solus hack hadn't happened last week, I would probably not know about it until this thread was made since I rarely visit LET (more now after the hacks).


Was there a post on facebook or twitter about this? Did you post that information somewhere else then on LET?


Read this as constructive feedback, I'm not mad, perhaps a bit upset but not mad and I hope that next time will be better.

 

[Aldryic C'boas]

Well, we'd taken down WHMCS, making it somewhat hard to send a mass-email out.

Wouldn't it make more sense to simply ACL your WHMCS directory, so that your admins could still touch on open tickets (and use the mass mail function)? 

 

[peterw]

What attack vector was used? WHMCS itself?

 

[wlanboy]

They just stated that they think that something happend.

Maybe php responses with a lot of data or calls of scripts that should not be able be called by everyone.

Thumbs-up that they published it.

 

[HalfEatenPie]

There was an individual who claimed that BlueVM's WHMCS database was compromised.  Initially they took down their installation of WHMCS and SolusVM.  Upon further investigation their WHMCS installation was not compromised and the "hacker" never delivered on their threat. 

tl;dr: The "attacker" was full of hot air.  

Wouldn't it make more sense to simply ACL your WHMCS directory, so that your admins could still touch on open tickets (and use the mass mail function)? 

 

Or you know...  temporarily only allow IPs that are whitelisted via iptables to access WHMCS installation? 

 

[Magiobiwan]

We'll be releasing a statement about this soon (as soon as Justin has time to type it up. He's busy with other things right now that are a little bit higher priority). Short form is this though: We weren't actually compromised. There is no dump (except for the ones WE took immediately after seeing the tweet). Again, official release to follow soon.

 

[BradND]

He's busy with other things right now that are a little bit higher priority

Not sure if serious or trolling...

How can anything be more important than your whmcs install? You still haven't updated customers either. 

 

[Magiobiwan]

Well, he has family stuff going on. Somewhat important family stuff. Again, I'm trying to see when ee'll have a statement ready for distribution.

 

[BlueVM]

I apologize for my delay in making this statement. This incident could not have happened at a worse time. My move from Hawaii to Colorado began this week and as part of that I had to pack up everything in my house, file a ton of paperwork, ship my car (military shipment), etc... As part of that I'm writing this from an entirely empty house as I wait until Monday to finalize the paperwork I need to get out of the military.

My staff discovered a tweet from TwoDayExploit on the 25th of June. The tweet stated that TwoDayExploit had dumped our WHMCS database and would release the passwords and data shortly. Around the same time a large outflow of data was detected by our monitoring system setup. It was at that time we decided to take the entire VPS responsible for our billing system offline (along with hypervm) to run through the logs and detect exactly what had happened. We posted the message on LET (VPS Board was down at the time) and on our twitter feeds. I had intended to issue everyone an email about it, but my circumstances called me away to handle my move. My staff picked up the torch and continued to scan through the logs and check for any possible breach.

Around the time of the Twitter post someone uploaded a png image to our service as part of a ticket consisting of 1 MB of raw randomized text (no actual image). They then proceeded to load up that "image" from our site several hundred times, making the data flow outbound appear abnormally high until we took down our WHMCS installation. A review of the logs showed the image being loaded up and confirmed our hypothesis: There was no breach. As such we restarted the system and felt that it was unnecessary to email everyone about the incident due to the fact that we had already confirmed it fake. We appreciate everyone's support during this time and once again I apologize for the lack of communication on my end.