Make Websites Safe Again

'Compromised credentials' most likely vector in Trump re-election site defacement

Donald Trump’s official re-election campaign website was briefly defaced on Tuesday (October 27) in an embarrassing rather than serious lapse of security.

As-yet-unknown attackers left a message on the site claiming they had compromising information on the US president, suggesting a conspiracy theory that “trump-gov is involved in the origin of the coronavirus” as well as supposedly being in cahoots with “foreign actors manipulating the 2020 elections”.

Visitors to the site were encouraged to vote on whether or not this supposed compromising material would be released by sending funds to one of two Monero cryptocurrency wallet IDs, each publicised through the defacement.

Which wallet received the most money would ostensibly determine the outcome of the vote.

Of course, the highly visible defacement on such a high-profile website didn’t stay up for long, so the exercise failed to rake in significant funds.

Gone in a flash

The defacement message – which parodied the notices typically posted when the FBI seizes control of web services operated by cybercriminals – was pulled within minutes, and the site was quickly restored with its approved content: encouragement to make campaign donations or buy Republican Party merchandise.

A post on Twitter by the Trump re-election campaign’s director of communications, Tim Murtaugh, stated that “there was no exposure of sensitive data” because none is stored on the site.


The Trump campaign was “working with law enforcement authorities to investigate the source of the attack”, he added.

Donald Trump’s campaign website is hosted using ExpressionEngine, a content management system, and served through Cloudflare’s content delivery network.

Donald Trump’s re-election campaign website was briefly defaced on October 27

Wordfence analysis

In the wake of the short-lived attack, researchers from web security firm Wordfence offered some analysis of how the hack might have been carried out.

Since the campaign site was protected by Cloudflare, the attackers would not have been able to access it via FTP or SSH unless they knew the origin IP, Wordfence reasons.

This makes the possibility that the origin server was hacked via FTP or SSH the “least likely possibility”.

While it is possible that a vulnerability in ExpressionEngine was exploited to deface the Trump campaign’s main website, the proprietary software has few publicly known vulnerabilities.

Abuse of ExpressionEngine vulnerabilities, much less zero-day exploits, therefore seems improbable, the researchers suggest.

Compromised credentials

After discounting the less likely attack vectors, Wordfence concluded that the defacement was most likely carried out using compromised credentials to sign in to the admin panel of the ExpressionEngine CMS powering the Trump re-election website.

“Although compromised credentials are by far the most probable intrusion vector… without forensic evidence to verify these theories, we cannot definitively know how the site was compromised,” the security firm notes.

The privacy-focused Monero cryptocurrency uses an obfuscated public ledger, and this makes simply following the money an unlikely route to finding the cybercriminals behind the high-profile hack.

Wordfence’s technical analysis of the possible mechanism of the Trump campaign website hack concludes that aside from safeguarding login credentials, the attack underlines the importance of applying secondary authentication controls – a lesson of relevance across multiple industries.

“Almost every possible scenario includes reused credentials being exploited to gain access to the site,” Wordfence concludes. “In almost every case, having two-factor authentication enabled would have prevented such a scenario from occurring.”
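The reused-credentials scenario Wordfence describes leaves a recognisable trace in a site's admin login audit trail: a burst of failed sign-ins followed by a success from the same source, or a successful sign-in from a source never seen for that account. The following detector is an added example written for this article; it is not code from Wordfence, ExpressionEngine or the campaign site, and the log format (`timestamp user=… src=… result=ok|fail`) and the sample lines are constructed assumptions, not ExpressionEngine's real audit-log format.

```python
"""Flag admin-panel sign-ins that look like reused or guessed credentials.

Added example. The line format and the sample log below are constructed
assumptions; adapt parse() to whatever your CMS or reverse proxy actually logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit lines (hypothetical format: ISO timestamp, user, src, result).
SAMPLE_LOG = """\
2020-10-27T17:40:02Z user=editor src=198.51.100.4 result=ok
2020-10-27T18:01:10Z user=admin src=203.0.113.7 result=fail
2020-10-27T18:01:12Z user=admin src=203.0.113.7 result=fail
2020-10-27T18:01:15Z user=admin src=203.0.113.7 result=fail
2020-10-27T18:01:19Z user=admin src=203.0.113.7 result=fail
2020-10-27T18:01:24Z user=admin src=203.0.113.7 result=ok
2020-10-27T18:05:00Z user=editor src=198.51.100.4 result=ok
2020-10-27T18:07:33Z user=editor src=192.0.2.99 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    reason: str


def parse(lines):
    """Parse audit lines into dicts, skipping blanks and malformed entries."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # a detector should skip junk, not crash on it
        events.append(m.groupdict())
    # ISO-8601 timestamps in UTC ("Z") sort correctly as plain strings.
    events.sort(key=lambda e: e["ts"])
    return events


def detect(lines, fail_threshold=3):
    """Return alerts for successful logins that follow a failure burst or
    come from a source that has never succeeded for that user before."""
    events = parse(lines)
    failures = defaultdict(int)        # (user, src) -> failures since last success
    known_sources = defaultdict(set)   # user -> sources that have succeeded before
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            failures[key] += 1
            continue
        # Successful sign-in: evaluate both rules before updating state.
        if failures[key] >= fail_threshold:
            alerts.append(Alert(e["ts"], e["user"], e["src"],
                                f"success after {failures[key]} failed attempts"))
        if known_sources[e["user"]] and e["src"] not in known_sources[e["user"]]:
            alerts.append(Alert(e["ts"], e["user"], e["src"],
                                "success from source never seen for this user"))
        failures[key] = 0
        known_sources[e["user"]].add(e["src"])
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.user}@{a.src}: {a.reason}")
```

On the constructed sample this raises two alerts: the `admin` success after four failures from 203.0.113.7, and the `editor` success from 192.0.2.99, an address that account had never signed in from. Neither rule is proof of compromise on its own, which is exactly Wordfence's point about lacking forensic evidence; their value is in triggering a password reset and a review before a defacement, and in showing where a second authentication factor would have stopped the first pattern from producing a success at all.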
