We are victims of the AcyMailing remote code execution vulnerability as well, and our site got hacked. AcyMailing is a widely used extension in the Joomla community, so this is a hard incident as many sites are affected. Unfortunately, ours too.
Digital Peak is using AcyMailing as its newsletter extension for the sole reason that we care about your privacy and didn't want to hand your e-mail address to a third-party service. Unfortunately this has now hit us back. The first attacks started in mid-April and probably went on until the fixes were released, so there was plenty of time for the hackers to infect the web site and inspect it. The vulnerability itself allowed remote code execution as an unauthenticated user: the hackers placed files on the web server and could then, through a reverse shell, execute commands on the web site such as exporting the database or modifying files.
As soon as we became aware of the issue, we took the site offline and rebuilt it from scratch to ensure that no malicious files remain on the web server. Additionally, we enabled a web application firewall and did some extra security checks; nothing looks suspicious anymore. There are also no admin users created or other backdoors used to keep access after the cleanup. So we are confident now that we are back to normal.
As we don't store any confidential information like credit card details or PayPal passwords on our web server, there is no chance that they were stolen during this hack. But it is very likely that your subscription information like company address, username and e-mail got exported from the database. If you have posted any passwords in our support management tool, please make sure that they are fully revoked (you should do that anyway as soon as we have solved the support case). Joomla uses the highest standard to encrypt your password, so it is unlikely that they can reveal your real password even if they exported the users table. Nevertheless, you have to reset your password on the next login. It's an extra security measure, to be on the safe side.
Extensions
We build our extensions not on the web server but directly from GitHub. That way we can be sure that they contain the newest and safest code. So we rebuilt the newest version of every extension and uploaded them to the web space after we had cleaned it up. We have also unpublished the old extension versions, so nobody can download them anymore. Besides that, we compared all the hashes of the old versions with the ones in the database and they look correct. The distributed packages were checked for the backdoors from the AcyMailing vulnerability, and nothing was found. Also, no timestamp indicates that they were manipulated after the initial upload.
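One way to carry out the hash and timestamp check described above, as an added example that is not Digital Peak's own tooling: the package names, the hash manifest standing in for the download database, and the upload time are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_of(path: Path) -> str:
    """SHA-256 of a file, streamed so large packages do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_packages(package_dir: Path, manifest: dict, upload_cutoff: float) -> dict:
    """Compare packages on disk with the hashes recorded at upload time.

    manifest maps file name -> expected SHA-256; upload_cutoff is the epoch time
    of the last legitimate upload. Returns {file name: status}."""
    results = {}
    for name, expected in manifest.items():
        path = package_dir / name
        if not path.exists():
            results[name] = "missing"            # removed or renamed on the web space
        elif sha256_of(path) != expected:
            results[name] = "hash_mismatch"      # content differs from the recorded build
        elif path.stat().st_mtime > upload_cutoff:
            results[name] = "modified_after_upload"  # same bytes, but touched later
        else:
            results[name] = "ok"
    for path in package_dir.glob("*.zip"):      # files the database never recorded
        if path.name not in manifest:
            results[path.name] = "unexpected"
    return results

def demo() -> dict:
    """Constructed sample web space: intact, tampered, re-touched, missing and rogue packages."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        names = ["com_example-1.0.0.zip", "com_example-1.0.1.zip", "mod_example-3.0.zip"]
        for n in names:
            (d / n).write_bytes(b"PK\x03\x04 original build of " + n.encode())
        manifest = {n: sha256_of(d / n) for n in names}
        manifest["plg_missing-2.0.zip"] = "0" * 64     # placeholder hash, file never arrived
        cutoff = time.time() + 60                      # pretend uploads finished a minute from now
        os.utime(d / names[0], (cutoff - 30, cutoff - 30))
        (d / names[1]).write_bytes(b"PK\x03\x04 build with injected file")  # tampered content
        os.utime(d / names[2], (cutoff + 60, cutoff + 60))  # unchanged bytes, later mtime
        (d / "shell.zip").write_bytes(b"not ours")         # rogue upload
        return verify_packages(d, manifest, cutoff)
```

A hash mismatch or an unexpected file is the strong signal; a later mtime alone only says the file was touched, so it is worth a second look rather than an automatic verdict.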
Timeline
Here is the timeline of actions:
- 1. February 2023: RCE vulnerability reported to AcyMailing
- 30. March 2023: First fix is distributed
- Mid August 2023: AcyMailing distributes further fixes
- 24. August 2023: Joomla community becomes aware of the importance of the vulnerability
- 24. August 2023: Digital Peak erases the web space and creates a new web site completely from scratch
- 25. August 2023: Digital Peak checks the distributed extension packages and further analyses its own web sites with the extensions installed for the vulnerability
- 26. August 2023: Started to inform first clients by mail about the hack
- 28. August 2023: Finished informing all clients by mail about the hack (it took that long due to some provider restrictions on a new account and because it was over the weekend)
- 29. August 2023: Uploaded new builds of the distributed packages and unpublished all old versions
- 30. August 2023: Deleted all download IDs to prevent abuse
- 31. August 2023: Released new patch versions which are almost the same as the ones from 26. August 2023, to make sure that nobody has an old package installed
Links
A list of links which might be helpful to get some more information about the AcyMailing vulnerability:
- https://www.bugbounty.ch/en/advisories/cve-2023-28731
- https://www.acymailing.com/acymailing-security-update-%f0%9f%94%90-v8-5-0
- https://www.acymailing.com/acymailing-release-security-%f0%9f%94%90-news-updates
- https://joomlacommunity.cloud.mattermost.com/main/channels/town-square/4qfj3314sj8quf7wqn1ke86hqw
- https://www.cvedetails.com/vulnerability-list/vendor_id-17819/product_id-57991/Acyba-Acymailing.html
All in all, it looks like this was not a targeted hack and that we were one of many affected by the AcyMailing vulnerability. But we are aware that this is a bad situation for you and for us, and we are taking measures so that it won't happen again. We deeply apologize, and if you have further questions, don't hesitate to contact us through the contact form.
Kind regards
Allon Moritz aka laoneo
Founder of Digital Peak