June 18, 2021 at 12:54 am #399383
I am following up on this post I made here:
I will write [hackers] because I don’t know how many they are, where, age, gender, group name, motive (apart from money), etc.
I have had a phone call with the company here and have heard their side of the story. I have also checked other factors which would directly put myself at risk.
The company is VTExperts, who make the paid subscription ion(?)-encrypted Vtiger modules.
I was contacted by [hackers] directly via email. They had breached my VT CRM (logs, dropped files, etc). We did not have any default passwords. I responded to the hackers, thanked them for notifying me of the exploit and asked them if they would assist me by telling me how they breached it, and how to protect it. I offered payment for this service. They accepted, and proceeded to tell me that they breached the CRM using the module ‘vtestore’ but declined to tell me the exact procedure. They advised I protect the CRM with an IP whitelisted .htaccess file, and that they can’t fix the exact code since it’s in vtestore and is encrypted – something about them needing an ioncube (?) license. Sounded legit.
I contacted VTExperts, they seemed less than convinced it was their modules at fault.
I asked the [hackers] for some proof, which they happily provided much. I am even developing another CRM using VTExperts – and asked if they were able to breach that. They came back in 10 minutes with my SQL details, including password. The logs show access to files/folders within the vtestore folders. They also showed me screenshots/videos with the VTExperts SVN repo, SQL dump, screenshot of their license panel.
They then breached VTExperts hosted VTiger CRM instances (around 5 servers each containing a number of installations), downloading all SQL data and files. They proved this and showed me screenshots of files from companies – notably a law firm in the USA (client court documents I think).
They have subsequently “shown off” by changing the login pages of various VT CRM instances.
Why are they showing me? Simple – by strengthening my position as an angry, aggrieved customer of VTExperts, I am strengthening their position to prove the severity of the situation and subsequently their demands/ransom. They are new to this – not an opinion – they outright told me. I happily and selfishly accept this evidence (after my own scrutinisation). How do they get in touch with me? They have all my contact details from VT and I receive various messages, like Signal, Telegram, Wickr, Pastebins, etc. (self destructing messages obviously). Even Reddit.
VTExperts responded by enabling Cloudflare 2FA on their hosted servers.
So, onto my phone call. VTExperts seemed convinced that weak passwords were at play. I showed them my evidence and they seemed to accept it. They said that they were aware of a CRM breach 10 months ago involving a medical company. They told me that the [hackers] are demanding 40BTC, around $1.5M. They (Tom of VTExperts) said that the [hackers] have been making demands for quite a while.
So it’s been going on for a while. The [hackers] claim that they breached the VTExperts servers/modules 1.5 years ago, and found the first bugs in 2017.
I told (Tom) of VTExperts that I am obviously upset that they were aware there could have been an issue many months ago. I told him that I believe that the [hackers] have been using this time to download masses of data from VTExperts hosted Vtiger CRMs and self-hosted instances. VTExperts license panel (as shown to me in screenshots) has a column listing all Vtiger instances running the software.
I mentioned that there are serious implications in the UK of this kind of breach, and hiding it (GDPR) but that I am unaware of US law.
Tom said that he is considering options. Whether he should go public, and how, or if he should pay a ransom.
Shortly after our phone call, the [hackers] got in touch again and told me that they had set a deadline for their ransom for VTExperts. They of course enjoy showing how good they are. (Maybe they saw changes in our CRM or VTExperts servers or something?).
I have since found this on the VTiger forums:
Which confirms that the user who contacted me on Reddit is them.
So yeah, in summary, I believe that any VTiger CRM running VTExperts is susceptible to, or has already been breached by these [hackers].
I realise that I may not have handled this situation perfectly (maybe should have announced sooner) and I admit that I was being somewhat selfish making sure that I was not putting myself at risk (legal or otherwise).
For those out there that want something more, here are the logs from when the [hackers] took 10 minutes to breach the 2nd (previously unaffected, new) Vtiger CRM running VTExperts: [https://pastebin.com/94Z2Ah47](https://pastebin.com/94Z2Ah47) – The blank removed lines are access lines from my own IP.
If I answer any significant questions on comments, I’ll add them here.
June 18, 2021 at 12:54 am #399384
I mean, the fact that their plugins have an exposed phpinfo() page (accessed at /modules/VTEStore/vtexpertsphpinfo.php) is a bad sign of code smell.
I can’t see anything obvious in the logs besides that, no POST requests to anything besides the captcha, no GET requests with params that look funky. Got anything else to work with?
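The checks described in the reply above (hits on the exposed phpinfo page, direct requests into the VTEStore module directory, POST requests going anywhere other than the front controller, and GET parameters that look odd once decoded) can be run over an access log mechanically. The script below is an added example, not code from the thread, from VTExperts, or from Vtiger. It assumes Apache/nginx combined log format; the log lines, the IP addresses (RFC 5737 ranges) and the non-Vtiger paths in the sample are constructed for the example, and the POST allowlist of `/index.php` (Vtiger's front controller) is a hypothetical starting point that a site would tune to its own deployment.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path quoted in the thread: the plugin's exposed phpinfo() page.
PHPINFO_PATH = "/modules/VTEStore/vtexpertsphpinfo.php"
# Module directory the original post says the logs show access into.
VTESTORE_PREFIX = "/modules/VTEStore/"
# Hypothetical allowlist: Vtiger routes normal form posts through its front controller.
POST_ALLOWLIST = {"/index.php"}

# Decoded parameter values that deserve a second look: traversal, markup, quoting,
# SQL keywords, local file references, PHP stream wrappers.
SUSPICIOUS_VALUE = re.compile(
    r"(\.\./|<|'|\"|;|\bunion\b|\bselect\b|/etc/|php://)", re.IGNORECASE
)

# Constructed sample log (not the pastebin from the thread). The empty line stands in
# for the author's own-IP lines that were blanked out before posting.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jun/2021:23:41:02 +0000] "GET /modules/VTEStore/vtexpertsphpinfo.php HTTP/1.1" 200 48211
203.0.113.7 - - [17/Jun/2021:23:41:05 +0000] "GET /modules/VTEStore/ HTTP/1.1" 403 199
203.0.113.7 - - [17/Jun/2021:23:41:09 +0000] "GET /index.php?module=Users&action=Login HTTP/1.1" 200 5120
203.0.113.7 - - [17/Jun/2021:23:41:15 +0000] "POST /index.php?module=Users&action=Login HTTP/1.1" 302 0
203.0.113.7 - - [17/Jun/2021:23:42:40 +0000] "GET /index.php?module=Home&view=%2e%2e%2f%2e%2e%2fconfig.inc.php HTTP/1.1" 200 900
203.0.113.7 - - [17/Jun/2021:23:43:01 +0000] "POST /storage/tmp.php HTTP/1.1" 404 196

198.51.100.2 - - [17/Jun/2021:23:45:00 +0000] "GET /index.php?module=Home&view=Index HTTP/1.1" 200 31000
"""


def scan_access_log(lines):
    """Return a list of findings, one dict per matched heuristic, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-log line (e.g. the redacted own-IP entries)
        ip, method, target = m.group("ip"), m.group("method"), m.group("target")
        parts = urlsplit(target)
        path = parts.path

        def flag(reason):
            findings.append({"reason": reason, "ip": ip, "method": method,
                             "target": target, "status": int(m.group("status"))})

        if path == PHPINFO_PATH:
            flag("exposed-phpinfo")
        elif path.startswith(VTESTORE_PREFIX):
            flag("vtestore-direct-access")

        if method == "POST" and path not in POST_ALLOWLIST:
            flag("post-outside-front-controller")

        # parse_qsl decodes one layer of percent-encoding; unquote again to catch
        # double-encoded values before applying the pattern.
        for _key, value in parse_qsl(parts.query, keep_blank_values=True):
            if SUSPICIOUS_VALUE.search(unquote(value)):
                flag("suspicious-param")
                break  # one finding per request is enough for triage

    return findings


def count_by_ip(findings):
    """Aggregate findings per client IP so the noisiest sources surface first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG.splitlines())
    for f in results:
        print(f'{f["ip"]:15} {f["reason"]:30} {f["method"]} {f["target"]} -> {f["status"]}')
    print("per-IP totals:", count_by_ip(results))
```

Run it against a real log with `scan_access_log(open("access.log").readlines())`; the heuristics are deliberately coarse (a directory listing attempt or a single odd parameter is a lead, not proof), so the per-IP totals are the useful output for deciding which client's full request sequence to read by hand.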
June 18, 2021 at 12:54 am #399385
Was going to post in the older post, but this is newer.
Not sure where you’re from, but I can imagine they’d both be willing to help or point you in the right direction.
(Not done this before, just stumbled across these in my research a few months ago and thought it may help)