The campaign website of a controversial US politician was hacked last year in May and is still hosting Russian SEO spam, according to several sources.
Because of Rep. Nunes' role in investigating President Trump's ties to Russia, the incident is currently a hot topic on social media, with some users twisting the facts into a FUD narrative that "Nunes has been compromised by Russia."
The incident was first spotted by a Twitter user with the username @3L3V3NTH, who pointed out that one of the Devin Nunes campaign site domains —devinnunes.net— was returning Russian spam in Google search results.
U.S. Representative Devin Nunes, who was supposed to recuse himself from the Russia investigation, has Cyrillic XML files live on his webspace pic.twitter.com/D43qveDPmf — ΞLΞVΞNTH (@3L3V3NTH) May 19, 2017
The incident also caught the eye of Eric JN Ellason, the CEO of US web design firm SlickRockWeb, who analyzed the infection and reported the event to the Nunes campaign.
Ellason says the source of the infection was a WordPress site that was moved into the server's /temp/ folder and abandoned without updates for months.
In all likelihood, attackers scanned the web for unsecured WordPress installs, found the outdated site, and used exploits to compromise it and leave behind SEO spam meant to boost the search reputation of other sites. This is a common technique among cyber-criminals, and outdated WordPress sites are the usual cannon fodder of such campaigns [1, 2, 3].
The WordPress installation left for dead in the server's /temp/ folder —separate from the actual devinnunes.net website— was a likely target because it was running WordPress 4.5.2 when, at the time, the most current WordPress release was 4.5.9.
In addition, the site was using multiple outdated plugins, such as:
The site was also using the RevSlider plugin, the same plugin that many experts believe is the point of entry that hackers used to break into the infrastructure of Mossack Fonseca, the law firm behind the infamous Panama Papers leaks that exposed the financials of many of the world's elites. Unlike Mossack Fonseca, the Nunes WordPress installation was running a newer version of the plugin, version 4.6.93.
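The check a webmaster would run to catch exactly this kind of forgotten install, as an added example that is not from the article or from SlickRockWeb: it reads every wp-includes/version.php under a web root, pulls core and plugin versions from the source files, and flags anything below baselines the operator supplies. The directory layout in SAMPLE_TREE is constructed (the 4.5.2 and 4.6.93 values mirror the article), and it assumes each plugin declares its version in a PHP file sitting directly inside its plugin folder.

```python
# Added example (not from the article or SlickRockWeb): inventory every WordPress install under a web root, including forgotten copies parked in folders like /temp/, and flag stale core and plugin versions.
import re
from pathlib import Path

WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([\d.]+)['\"]")   # set in wp-includes/version.php
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([\d.]+)", re.M)  # plugin main-file header comment
parse_version = lambda v: tuple(int(p) for p in v.split("."))  # numeric compare: 4.5.10 ranks above 4.5.9

def snapshot(webroot):
    """Read a real web root into {relative posix path: text}, the shape the functions below consume."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file()}

def plugin_versions(tree, base):
    """{slug: version} from the header of each PHP file sitting directly inside a plugin folder."""
    found, prefix = {}, base + "wp-content/plugins/"
    for path, text in tree.items():
        parts = path[len(prefix):].split("/") if path.startswith(prefix) else []
        m = PLUGIN_VERSION_RE.search(text) if len(parts) == 2 and parts[1].endswith(".php") else None
        if m:
            found.setdefault(parts[0], m.group(1))
    return found

def find_wordpress_installs(tree):
    """Every wp-includes/version.php marks an install, whatever directory it was dumped in."""
    installs = []
    for path, text in tree.items():
        if path.endswith("wp-includes/version.php"):
            base, m = path[: -len("wp-includes/version.php")], WP_VERSION_RE.search(text)  # base '' = web root
            installs.append({"path": base or "./", "core": m.group(1) if m else None,
                             "plugins": plugin_versions(tree, base)})
    return installs

def stale_installs(installs, core_baseline, plugin_baselines):
    """{path: reasons} for installs whose core or a known plugin trails the operator's baseline."""
    flagged = {}
    for inst in installs:
        checks = [("core", inst["core"], core_baseline)] + [
            (slug, ver, plugin_baselines.get(slug)) for slug, ver in inst["plugins"].items()]
        reasons = ["%s %s < %s" % (name, ver, base) for name, ver, base in checks
                   if ver and base and parse_version(ver) < parse_version(base)]
        if reasons:
            flagged[inst["path"]] = reasons
    return flagged

SAMPLE_TREE = {  # constructed fixture mirroring the incident: an abandoned WordPress copy parked in /temp/
    "temp/wp-includes/version.php": "<?php\n$wp_version = '4.5.2';\n",
    "temp/wp-content/plugins/revslider/revslider.php": "<?php\n/*\nPlugin Name: RevSlider\nVersion: 4.6.93\n*/\n",
}
```

Against a live server, `stale_installs(find_wordpress_installs(snapshot("/var/www")), ...)` runs the same checks over the real tree; baselines are whatever the current releases are on the day the check runs.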
According to Ellason, accessing the Russian-themed pages hosted on this WordPress installation would redirect users to other domains. In most cases, the redirection was handled via three other domains, working as intermediary points.
The three domains are traffka-mix.com, tdskakts.com, and js-cloudbox.com. Of these, the second is the most interesting. This domain was registered by Jurijs Martisevs, a Latvian citizen recently arrested by the US and charged with running a malware scanner service, also known as a FUD scanner, very popular with various malware authors.
According to Ellason, while the Nunes team did not respond to his report, "the issue was quickly fixed later that day."
Ellason says the Nunes team redirected the devinnunes.net website to the devinnunes.com domain and also appears to have removed the abandoned WordPress installation from the server's /temp/ folder, effectively putting an end to the SEO spam pages.
In reality, this did not happen. According to tests carried out today by Bleeping Computer, the SEO spam pages are still available on the devinnunes.net domain, and the service is still compromised at the time of writing. Take for example this link from Ellason's analysis, which is pictured below.
While the abandoned WordPress install appears to have been removed, the indexed pages have been removed from Google, and the home page of devinnunes.net now redirects to devinnunes.com, the SEO spam is still on the server. This is because SEO spam and the web shells that typically power it are notoriously difficult to remove, often respawning again and again until the server is cleaned by professionals or wiped and reinstalled from scratch.
Furthermore, some have claimed that one of the files still present on the devinnunes.net site is an information-stealing Trojan.
This particular type of virus is especially frightening and dangerous. It is built to steal information from anyone whose computer is infected by it. — MikeFarb (@mikefarb1) January 28, 2018
This script is not an information-stealing Trojan and cannot infect a visitor. Instead, this ASP script is used by the hackers to submit code that gets executed on the server, which lets them run commands remotely or open a web shell for full access to the site. This is further explained here.
But a mystery remains: it is unclear whether any sensitive information is also stored on that server, and whether the hackers accessed it or carried out any other operations on that particular machine.
"Only Rep. Nunes’s office can say how severe this security breach was," Ellason says. "Because Rep. Nunes is chairman of the House Intelligence committee, he would be considered a high-value target."
Despite the ongoing SEO spam infection, all available evidence suggests Rep. Nunes was just the victim of webmaster forgetfulness and basic SEO spam.
To clear things up, Bleeping Computer has reached out to Rep. Nunes' team with a few questions regarding the incident, but we had not heard back by the time of this article's publication.
Update 2/4/18 11:05 AM: The article was updated to include more information on the ASP script located on the devinnunes.net site.
Additional reporting by Lawrence Abrams.