November 19, 2019
We are confident that the attack vector was the nginx+php-fpm security issue that hit the web some time ago. While it was not an issue in Nextcloud itself, we informed our users through all channels we had available, including a direct notification to all administrators of Nextcloud servers. This likely explains why so few servers were impacted out of the hundreds of thousands of Nextcloud servers on the web.
Some background on the issue:
PHP bug report: https://bugs.php.net/bug.php?id=78599
Our blog: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
So the “task” of the hacker was:
- read our blog
- find Nextcloud servers
- try to execute the exploit of php_fpm+nginx
The attacker bothered to write a Python script to explicitly target Nextcloud servers. Given we have a USD 10K security bug bounty program, we’d expect most hackers that find an issue in Nextcloud serious enough to do this to report it to us. Until now, nobody has found such a serious vulnerability, but if you think you know one, please report it and collect your bounty! We are the only on-premises file sync and collaboration solution with such a big bounty, showing how seriously we take security.
Bleepingcomputer, which first reported this issue, noted about the bitcoin wallet the attacker used: “no transactions have been recorded until now”.
While we are of course sorry for the two users whose servers were hit, we are also glad that this incident shows that our prompt and (by some called over-the-top) response to the security issue in NGINX and PHP-FPM was effective in helping protect our users from the risk. We hope the lack of results will help act as a deterrent against doing this in the future.
We consider it a lesson that shows the value of taking security seriously. We urge other PHP-based projects to also issue warnings to their users about this issue, as this vulnerability persists for some.
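As an added example (not code from the Nextcloud post or project), a Python config-review helper that flags nginx location blocks showing the nginx+php-fpm pattern behind PHP bug #78599: PATH_INFO taken from fastcgi_split_path_info and handed to PHP-FPM with no check that the script file exists. The sample configuration is constructed, and the try_files / if guard it looks for is the commonly published workaround; updating PHP-FPM is the actual fix.

```python
"""Heuristic audit of nginx PHP-FPM location blocks for the PHP bug #78599 pattern.

Flags location blocks that forward PATH_INFO derived from fastcgi_split_path_info
to PHP-FPM without first checking that the script exists. Review aid only: it
reads configuration text, and patching PHP-FPM remains the real fix.
"""
import re

SPLIT_RE = re.compile(r"\bfastcgi_split_path_info\b")
PATH_INFO_RE = re.compile(r"\bfastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\b")
PASS_RE = re.compile(r"\bfastcgi_pass\b")
# Either common workaround: try_files ... =404 or an explicit -f existence test.
GUARD_RE = re.compile(
    r"\btry_files\b[^;]*=404|if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)"
)

def location_blocks(conf: str):
    """Yield (header, body) for each `location ... { ... }` block, honouring nesting."""
    conf = re.sub(r"#.*", "", conf)  # drop comments so they cannot mask or fake directives
    for m in re.finditer(r"location\s+[^{]+\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(0).rstrip("{").strip(), conf[m.end():i - 1]

def audit(conf: str):
    """Return headers of location blocks that pass unchecked PATH_INFO to PHP-FPM."""
    findings = []
    for header, body in location_blocks(conf):
        if not PASS_RE.search(body):
            continue  # never handed to PHP-FPM, nothing to check
        risky = SPLIT_RE.search(body) and PATH_INFO_RE.search(body)
        if risky and not GUARD_RE.search(body):
            findings.append(header)
    return findings

# Constructed sample: one unguarded block, one hardened block, one static block.
SAMPLE_CONF = """
server {
    location ~ \\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
    location ~ ^/hardened/.*\\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
    location /static/ { root /var/www; }
}
"""

if __name__ == "__main__":
    for header in audit(SAMPLE_CONF):
        print("unguarded PATH_INFO forwarded to PHP-FPM in:", header)
```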