hantwister / sites-compromised-20170625-foi

A repo for responses to freedom of information inquiries related to various DNN site compromises on about June 25th, 2017

Background

Around June 25th, news outlets began reporting that a number of city and state government websites had been compromised and were displaying a pro-ISIS message.

Ars Technica reported that the sites that were reported compromised all used old versions of DNN (previously known as DotNetNuke), and speculated that a vulnerability from May 2016 may have been to blame. With respect to the May 2016 vulnerability, it was unclear if the system administrators for the compromised sites had taken the suggested mitigation steps (remove or block access to certain files only used during installation and updates) in lieu of updating their installation.
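The mitigation referred to above (removing or blocking access to the files that only the installation and upgrade wizards use) is something an administrator can verify rather than assume. The following Python script is an added example, not code from this repository or from DNN, that audits a DNN webroot for the setup and upgrade wizard files and checks whether an `Install/web.config` deny-all authorization rule blocks them. The file names are assumptions based on DNN 7.x/8.x layouts (the page does not name them), and the sample tree the script builds is constructed purely for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Files used only by DNN's install/upgrade wizards. These paths are assumptions
# for DNN 7.x/8.x layouts; confirm against the installed version before acting.
INSTALL_ARTIFACTS = (
    "Install/Install.aspx",
    "Install/InstallWizard.aspx",
    "Install/UpgradeWizard.aspx",
)


def present_install_files(webroot):
    """Return the install-wizard files that still exist under webroot."""
    root = Path(webroot)
    return [rel for rel in INSTALL_ARTIFACTS if (root / rel).is_file()]


def install_dir_denies_all(webroot):
    """True if Install/web.config carries an ASP.NET <deny users="*"/> rule.

    Narrow heuristic: it recognises only the <authorization> approach, not
    IIS request filtering or other ways of blocking the directory.
    """
    cfg = Path(webroot) / "Install" / "web.config"
    if not cfg.is_file():
        return False
    try:
        root = ET.parse(cfg).getroot()
    except ET.ParseError:
        return False
    return any(el.get("users") == "*" for el in root.iter("deny"))


def audit(webroot):
    """Summarise exposure: which files remain, whether access is denied, and a status line."""
    present = present_install_files(webroot)
    denied = install_dir_denies_all(webroot)
    if not present:
        status = "ok: install files removed"
    elif denied:
        status = "ok: install files present but access denied"
    else:
        status = "exposed: install files present and not blocked"
    return {"present": present, "denied": denied, "status": status}


# Constructed sample config; the <deny users="*"/> element is standard ASP.NET.
DENY_ALL_WEBCONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""


def build_sample_site(leave_files=True, add_deny_config=False):
    """Create a constructed, throwaway DNN-like tree for demonstration and return its path."""
    root = Path(tempfile.mkdtemp(prefix="dnn-sample-"))
    (root / "Install").mkdir()
    if leave_files:
        for rel in INSTALL_ARTIFACTS:
            (root / rel).write_text("<%@ Page %>")
    if add_deny_config:
        (root / "Install" / "web.config").write_text(DENY_ALL_WEBCONFIG)
    return root


if __name__ == "__main__":
    scenarios = (
        {"leave_files": True},
        {"leave_files": True, "add_deny_config": True},
        {"leave_files": False},
    )
    for kwargs in scenarios:
        print(kwargs, "->", audit(build_sample_site(**kwargs))["status"])
```

Run against a real webroot with `audit("/path/to/dnn/site")`; a result whose status starts with `exposed` means the install-only files are both present and, as far as this heuristic can tell, reachable.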

It was noteworthy that a critical update for DNN was released on June 21st, 2017, days prior to these compromises; it was also unclear if the system administrators for the compromised sites had installed this very recent update, or if the vulnerability addressed by the update played any role in the compromises.

DNN described the June 21st, 2017 update as addressing a flaw in a third-party component used by DNN. Carnegie Mellon University's CERT Division publicly associated the DNN update with Progress Software's Telerik UI for ASP.NET AJAX library and CVE-2017-9248. The Telerik library also had an update on June 21st, 2017, with the release notes mentioning "security improvements".

Another source reported that, in addition to the update for DNN itself, critical updates were recently released for various modules, including several by Mandeeps, some by DNN GO, and one by EasyDNN. Likewise, it was unclear if any of these modules played a role in the compromises.

In an effort to clarify what vulnerabilities may have been involved in the aforementioned compromises, and how the respective system administrators handled the compromises, requests were sent to various city and state governments for e-mails containing one of several keywords, such as DNN.

New York

Brookhaven

The town initially denied my request in full, claiming the records were trade secrets. Later, Donna Lent, the Town Clerk, denied an appeal, claiming that releasing the requested e-mails would jeopardize the security of the town's IT assets.

Cornwall

Renata McGee, the Town Clerk, left a voicemail stating that the Town of New Windsor handled IT services for them and several other municipalities.

New Windsor

At one point, the Town of New Windsor appeared to be assisting with running DNN sites for five other towns:

The WHOIS registrant contact for townofcrawford.org at the time of writing is Patrick Mangan, the Deputy CITO of the Town of New Windsor.

There were also references to:

The WHOIS registrant contact for waldenlibrary.org at the time of writing is Patrick Mangan of Hudson Valley Computer Guys.

At about 10am on June 27th, Patrick Mangan sent requests for backup restoration and malware scans to the hosting provider GearHost. GearHost restored a backup from June 26th, though additional actions by Patrick Mangan were apparently necessary to return the site to working order.

At about 11am on June 27th, Bonnie Becker of the New York State Association of Towns forwarded a warning from the New York State Intelligence Center and the Multi-State Information Sharing and Analysis Center about the DNN site compromises.

At some point, the town received an update notice for EasyDNNnews, which included a claim that they had previously purchased the module. It was unclear if the module was still in use, and if so, on what site(s).

A month later, on July 27th, an exchange between Patrick Mangan and Mitchel Sellers of Iowa Computer Gurus described a compromise of waldenlibrary.org a few days earlier, which apparently leveraged the installation wizard files and left the site's footer text containing a malicious redirect. Patrick Mangan said he had deleted the install wizard files after the compromise occurred, and hoped to discuss securing the town sites further by phone.

Securing the town sites was discussed further on July 28th; a phone call was scheduled for August 1st at 9am and may have taken place after 9:15am.

At some point, Mitchel Sellers was granted a superuser account on various sites.

On August 3rd, the patches for Telerik and DNN GO were applied. Over the following two days, there was some discussion about attempting to upgrade DNN to 9.1.1.

Rhode Island

Department of Education

The Rhode Island Department of Education had contracted with Envision Technology Advisors, LLC with respect to "Web Site Accessibility, Functionality and Sustainability".

Ed Giroux, the Director of RIDE's Office of Network and Information Systems, discussed the site being compromised at 6pm on June 26th. Kurt Huhn of the Rhode Island Division of Information Technology sent a copy of a message from the Multi-State Information Sharing and Analysis Center, which discussed the site compromises and the vulnerable Mandeeps and EasyDNN modules.

The morning of June 27th, there was some speculation that CVE-2015-2794 or another issue affecting the installation wizard files (such as the later bug Ars Technica speculated about) may have been to blame, but supposedly Envision had addressed those issues in June 2016.

An upgrade to DNN 9 was scheduled for 1:30pm on June 27th. Users were told the site would be locked at 10:30am.

The evening of June 28th, Envision shared part of a security advisory they had received in which it was suggested that multiple files related to Mandeeps modules be deleted. Envision added that it was "likely" this was related to the site compromise. The deletion happened by late morning on June 29th.
