Donald Trump, the current American president, is seeking re-election as the candidate of his party, the Republican Party, and a website was designed as part of the campaign strategy. But that is not the reason for this post. The news here is that on October 27, 2020, at approximately 4:50 pm Mountain Time, this campaign website was defaced. The attackers left a message claiming they had compromising information on President Trump. The defacement page contained two Monero cryptocurrency wallet IDs encouraging visitors to “vote” by sending cryptocurrency to the wallets, indicating that if the first wallet received more money than the second wallet, the attackers would release this compromising information. While the site was compromised, visitors were greeted with the following:

Donald Trump’s campaign website is hosted using Expression Engine, which is a content management system,

However, take a look at the facts surrounding this incident and the lessons we might learn, as posited by the ever reliable and dependable Wordfence technical team, as insight into how to manage and protect your business website and how to choose a CMS and hosting platform.

Technical Analysis

The campaign website made use of the Expression Engine CMS, a commercial CMS with few known vulnerabilities. The site used Cloudflare as a content delivery network (CDN).

Since the site was protected by Cloudflare, the attackers would not have been able to access the site via FTP or SSH unless they knew the origin IP, that is, the IP of the server hosting the site. When a site uses Cloudflare, the Cloudflare servers are what site visitors access, rather than the ‘origin’ server that actually contains the content and any web application. Cloudflare tries to hide the origin server IP address, making it difficult to access that server unless you can discover the IP address.

The defacement page itself displayed two XMR (Monero) wallets. Monero is a cryptocurrency popular amongst threat actors because it uses an obfuscated public ledger. This means that, while transactions are recorded, they’re not currently traceable. This makes it impossible for outsiders to discover who sent money to each wallet or the amounts involved.

The attackers also left a Pretty Good Privacy (PGP) Public Key on the defacement page. A PGP Public Key can be used to verify signed messages and ensure that a message sender is the same person who posted the public key. If the attackers later decided to release information, they could prove they were the same threat actors who defaced the site by signing released information with their private key.

Only information signed with their private key would be verifiable using the published public key. In this case, the Public Key appears to correspond to a nonexistent email address. Nonetheless, Wordfence has provided the PGP key for posterity:

Potential Intrusion Vectors (IVs)

There are several possible intrusion vectors, or mechanisms that the attackers could have used to gain access and deface the Trump campaign website. We describe several possibilities below, but to be clear, without forensic evidence to verify these theories, we cannot definitively know how the site was compromised.

In each case, compromised credentials are by far the most probable intrusion vector. A Dutch researcher recently claimed to have accessed Trump’s Twitter account using the password “maga2020!”. Trump’s Twitter account was also hacked in 2016 when a data breach revealed that he was using the password “yourefired”.

IV: Compromised credentials used to sign into Expression Engine – High Probability

Expression Engine, like most content management systems, provides an administrative panel for publishing content. By default this is located at /admin.php. On the campaign site, however, the admin login has been relocated to a different location, an example of security through obscurity.

The Internet Archive indicates that the last time the admin page was accessible in the default location was in June of 2015. Even in this hidden location, if an attacker was able to access the administrative panel they would have been able to alter any content on the site, though they would not have had access to any sensitive information.

The “Privacy Policy” and “Terms & Conditions” pages are displaying a “404 page not found” error hours after the site has been restored. This indicates that something changed on the content management system itself, rather than on the Cloudflare configuration. We therefore believe that a CMS compromise is more probable than a Cloudflare compromise, which we describe below.

IV: Compromised credentials used to sign into Cloudflare – Medium Probability

If an attacker was able to sign into the campaign’s Cloudflare account, they could have pointed the domain to an IP address under their control, effectively replacing the site’s content with the content on their own hosting account. This might also explain how the campaign was able to “restore” the original site content so quickly.

Simply pointing the domain back to the correct IP would have reverted the defacement. The fact that some pages on the site, such as the “Privacy Policy” and the “Terms of Service” are still displaying 404 errors at the time of our publication indicates that this is a less likely intrusion vector.

IV: Compromised Credentials or Social Engineering used to change domain nameservers at registrar – Low Probability

This would work using a similar mechanism to the Cloudflare compromise. If an attacker was able to log in to the account where the domain was registered, or socially engineer their way into the account at the domain’s registrar, they might have been able to point it away from Cloudflare’s nameservers and to nameservers under their control.

The fact that some pages on the site are still displaying 404 errors indicates that this is a less likely possibility. Additionally, nameserver changes typically take long enough to propagate that the defaced page would likely still be visible from some locations.
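
The triage reasoning used in the intrusion-vector sections above, written as a drift check that compares a baseline observation of a site with one taken during the incident and one taken after the restore. This is an added example, not code from the original post or from Wordfence; the `Snapshot` fields, hostnames, addresses, paths and hashes are all constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Snapshot:
    """One monitoring observation of the site; every value below is constructed."""
    nameservers: frozenset  # NS delegation published for the domain
    cdn_target: str         # origin address configured in the CDN account
    pages: dict             # path -> (HTTP status, content hash)

def changed_pages(baseline: Snapshot, current: Snapshot) -> list:
    """Paths whose status or content hash no longer matches the baseline."""
    return sorted(p for p, v in baseline.pages.items() if current.pages.get(p) != v)

def triage(baseline: Snapshot, during: Snapshot, after_restore: Snapshot) -> list:
    """Name the layer whose drift explains the defacement."""
    findings = []
    if during.nameservers != baseline.nameservers:
        findings.append("registrar: nameserver delegation changed")
    if during.cdn_target != baseline.cdn_target:
        findings.append("cdn: origin target repointed")
    if changed_pages(baseline, during) and not findings:
        findings.append("cms/origin: content changed while DNS and CDN settings were intact")
    lingering = changed_pages(baseline, after_restore)
    if lingering:
        # Pointing a record back restores every page at once, so pages that stay
        # broken after the restore indicate edits made in the CMS itself.
        findings.append("cms: pages still differ after restore: " + ", ".join(lingering))
    return findings

# Constructed observations (documentation addresses and .example hostnames).
GOOD = {"/": (200, "hash-home"), "/privacy-policy": (200, "hash-privacy"),
        "/terms": (200, "hash-terms")}
BASELINE = Snapshot(frozenset({"ns1.cdn.example", "ns2.cdn.example"}), "192.0.2.10", GOOD)
DEFACED = {"/": (200, "hash-defaced"), "/privacy-policy": (404, None), "/terms": (404, None)}
DURING = replace(BASELINE, pages=DEFACED)                      # content-only change
AFTER = replace(BASELINE, pages={**DEFACED, "/": GOOD["/"]})   # home page restored, rest 404
REPOINTED = replace(BASELINE, cdn_target="198.51.100.7", pages=DEFACED)
REDELEGATED = replace(BASELINE, nameservers=frozenset({"ns1.other.example"}), pages=DEFACED)

if __name__ == "__main__":
    for finding in triage(BASELINE, DURING, AFTER):
        print(finding)
```
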

IV: Origin server hacked via FTP or SSH – Low Probability

This is the least likely scenario since the attackers would need to know the site’s origin IP address as well as the FTP or SSH credentials for the site’s hosting account in order to connect directly to the site without being blocked by Cloudflare.

IV: Web Application Vulnerability – Low Probability

While it is possible that a vulnerability in Expression Engine was exploited, Expression Engine has had few known vulnerabilities and the chances of a 0-day vulnerability in this CMS remaining unknown for long are low. Additionally, a vulnerability or exploit chain would be required to allow privilege escalation or remote code execution in order for the attacker to deface the site in this manner.

Takeaway Lessons

Almost every possible scenario includes reused credentials being exploited to gain access to the site. In almost every case, having 2-Factor Authentication enabled would have prevented such a scenario from occurring. It’s also a reminder that it is important to enable 2-Factor Authentication not only on your website’s administrative panel, but on every service that offers it, including services you might not think of as being vulnerable.

If the credentials you are using have been exposed in a data breach, it doesn’t matter how secure the service you’re using is. By enabling 2-Factor Authentication, you add an extra layer of protection.
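
How a time-based one-time code stops a login that relies on an exposed password alone: a TOTP check (RFC 6238) layered on the password check, with a guard against replaying a code. This is an added example, not code from the original post or from Wordfence; the `Account` class, the `login` function and the salt are hypothetical, and the shared secret is the RFC 4226 test value.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float) -> str:
    """RFC 6238: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(now) // STEP)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical account record with a password and an enrolled TOTP secret."""
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-salt"  # constructed; use a random salt per user
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_step = -1  # highest time step already accepted (replay guard)

def login(account: Account, password: str, code: str, now: float, window: int = 1) -> str:
    """Require both factors; accept codes within +/- window steps, each step once."""
    if not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        return "bad password"
    current = int(now) // STEP
    for step in range(current - window, current + window + 1):
        # The replay guard also skips negative steps, since last_step starts at -1.
        if step > account.last_step and hmac.compare_digest(
                hotp(account.totp_secret, step), code):
            account.last_step = step
            return "ok"
    return "second factor required"

# Constructed scenario: the password is one the page says was exposed in a breach.
SECRET = b"12345678901234567890"  # RFC 4226 test secret, not a real enrollment

if __name__ == "__main__":
    acct = Account("yourefired", SECRET)
    print(login(acct, "yourefired", "000000", now=59))            # password alone
    print(login(acct, "yourefired", totp(SECRET, 59), now=59))    # both factors
```
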

While Wordfence doesn’t offer protection for Expression Engine, we do offer best-in-class protection for WordPress. This includes 2-Factor Authentication as a completely free feature.

Don’t wait for an attacker to guess your password. Turn on 2-Factor Authentication to protect your web assets.

This entry was posted in WordfenceResearch on October 27, 2020 by Mark Maunder