Nextcry or how a hacker tried to exploit a NGINX issue with 2 Nextcloud servers out of 300.000 hit and no payout

As you might have read in various news outlets, an attacker has been trying to use a known and reported NGINX/PHP-FPM bug (CVE-2019-11043) to break into servers. After breaking into the server and gaining control, the attacker used a compiled python script that encrypts data in the Nextcloud data folder and unsuccessfully tried to get ransom paid for decrypting it. The servers that were broken in were two private servers. As most Nextcloud users don’t use NGINX and those who did have largely updated following our warnings 3 weeks ago, only these 2 servers out of 300.000 are known to be compromised and no ransom payments to the bitcoin address have been made.

As the attacker gained full control over the server through a bug outside the control of Nextcloud, we could not do anything other than warn our users to update and secure their servers. For this we reached out through social media, mailing lists and our blog and also used our administrator notification feature to reach out to all server administrators (who did not disable this feature).

We repeat our official statement to the press below.

We are confident that the attack vector was the nginx+php-fpm security issue that hit the web some time ago.

While it was not an issue in Nextcloud itself, we informed our users through all channels we had available, including a direct notification to all administrators of Nextcloud servers. This likely explains why so few servers were impacted out of the hundreds of thousands of Nextcloud servers on the web.

We consider it a lesson that shows the value of taking security serious. We urge other PHP based projects to also issue warnings to their users about this issue, as this vulnerability persists for some.

Some background on the issue:

PHP bug report: https://bugs.php.net/bug.php?id=78599

Our blog: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/

CVE: nvd.nist.gov/vuln/detail/CVE-2019-11043

So the “task” of the hacker was:

  1. read our blog
  2. find Nextcloud servers
  3. Try to execute the exploit of php_fpm+nginx

The attacker bothered to write a python script to explicitly target Nextcloud servers. We hope the lack of results will help act as a deterrence from doing this in the future.

Given we have a USD 10K security bug bounty program, we’d expect most hackers that find an issue in Nextcloud serious enough to do this to report it to us.

Until now, nobody has found such a serious vulnerability, but if you think you know one, please report it and collect your bounty! We are the only on-premises file sync and collaboration solution with such a big bounty, showing how serious we take security.

Bleepingcomputer which first reported this issue noted about the bitcoin wallet the attacker used:

no transactions have been recorded until now

While we are of course sorry for the two users who’s servers were hit, we are also glad that this incident shows that our prompt and (by some called over-the-top) response to the security issue in NGINX and PHP-FPM was effective in helping protect our users from the risk.