Full Report
The National Federation of Subpostmasters (NFSP) was hit by a ransomware attack after a bug was exploited in its web hosting provider’s software. The attack is still causing technical problems, with emails between the Post Office and the NFSP “paused”, said the Post Office. On 30 April, days after a bug in software from web hosting company cPanel was discovered and exploited by hackers, the NFSP was targeted. The affected software, the cPanel web-based hosting control panel, is used to manage servers and websites. In April, the provider released a security advisory to address a critical vulnerability affecting its software.
Analysis Summary
# Incident Report: Ransomware Attack via cPanel Vulnerability
## Executive Summary
The National Federation of Subpostmasters (NFSP) suffered a ransomware attack resulting from the exploitation of a critical vulnerability in its web hosting provider’s software (cPanel). The attack led to the encryption of website files and necessitated the suspension of digital communications between the NFSP and the Post Office. While file encryption occurred and ransom demands were made, the NFSP reports that no data was lost or exfiltrated.
## Incident Details
- **Discovery Date:** Approximately May 22, 2024 (the date the incident was communicated to subpostmasters)
- **Incident Date:** April 30, 2024
- **Affected Organization:** National Federation of Subpostmasters (NFSP)
- **Sector:** Non-Profit / Postal Affairs
- **Geography:** United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** April 30, 2024
- **Vector:** Exploitation of a critical vulnerability in cPanel hosting software.
- **Details:** Hackers leveraged a recently discovered "bug" in the cPanel web-based hosting control panel, which had been the subject of a security advisory earlier in April.
### Lateral Movement
- **Details:** Specific details on lateral movement within the NFSP network were not disclosed, though the attack successfully moved from the hosting software to the website file structure.
### Data Exfiltration/Impact
- **Details:** Attackers encrypted website files and issued a ransom demand. The NFSP CEO stated that, although files were locked, no data loss or exfiltration of sensitive information had been identified to date.
### Detection & Response
- **How it was discovered:** Likely identified when website services failed or ransom notes were discovered on the server.
- **Response actions taken:** The NFSP reported the breach to the Information Commissioner’s Office (ICO). The Post Office "paused" all inbound and outbound email traffic with the nfsp[.]org[.]uk domain to prevent potential cross-contamination.
## Attack Methodology
- **Initial Access:** Exploitation of a Publicly Disclosed Vulnerability (cPanel software).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Likely achieved via the cPanel exploit to gain file system access.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Scanning for unpatched cPanel instances.
- **Lateral Movement:** Not disclosed.
- **Collection:** Targeting website files for encryption.
- **Exfiltration:** None reported.
- **Impact:** Ransomware (Data Encryption and Resource Hijacking).
## Impact Assessment
- **Financial:** Unknown (Ransom demands made but payment status not disclosed).
- **Data Breach:** Reported as zero data loss or theft; however, website files were compromised.
- **Operational:** Significant disruption. Email communications between the Post Office and NFSP were suspended for over a month (April 30 through June 2).
- **Reputational:** Public disclosure of the incident via Computer Weekly and internal warnings to subpostmasters.
## Indicators of Compromise
- **Network indicators:** Activity involving the domain nfsp[.]org[.]uk (Flagged as untrusted during the incident).
- **File indicators:** Encrypted files on the web hosting server (Specific extensions not disclosed).
- **Behavioral indicators:** Unauthorized modification of website files following the exploitation of cPanel.
## Response Actions
- **Containment measures:** Isolation of the NFSP email domain by the Post Office; suspension of integrations between the two organizations.
- **Eradication steps:** Involvement of IT teams to "get to the bottom" of the hosting provider's software failure.
- **Recovery actions:** Reporting to the ICO and ongoing investigation by NFSP IT teams.
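The containment step above, pausing all mail to and from the affected domain, is simple to state but easy to get wrong in a mail policy: a check on the displayed `From` header alone misses the SMTP envelope, and a plain string suffix test on the domain matches lookalikes such as `notnfsp.org.uk`. The following is an added example, not code from the report, the Post Office or the NFSP, and it does not reflect any real mail configuration. It assumes a pre-delivery hook that receives the raw message plus the SMTP envelope sender and recipients; the three sample messages are constructed, and `nfsp.org.uk` appears only because it is the domain the report names. Messages are held rather than rejected so legitimate mail can be released once the domain is cleared.

```python
"""Pre-delivery hold for mail to or from a domain under incident quarantine.

Added example, not part of the original report and not the Post Office's or
the NFSP's actual mail configuration. The messages below are constructed; the
domain nfsp.org.uk appears only because it is the one the report names.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Iterable, List, Tuple

# Domains whose mail is held (not bounced) while the incident is open, so that
# legitimate messages can be released once the domain is cleared.
PAUSED_DOMAINS = {"nfsp.org.uk"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an addr-spec such as 'a@b.example', or '' if none."""
    addr = address.strip().lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def is_paused(domain: str, paused: Iterable[str] = PAUSED_DOMAINS) -> bool:
    """Label-wise suffix match.

    'mail.nfsp.org.uk' matches 'nfsp.org.uk'; 'notnfsp.org.uk' and
    'nfsp.org.uk.example' do not. A naive domain.endswith("nfsp.org.uk")
    would wrongly hold the first of those two.
    """
    labels = domain.split(".")
    for entry in paused:
        want = entry.lower().split(".")
        if len(labels) >= len(want) and labels[-len(want):] == want:
            return True
    return False


def parties(msg: Message, envelope_from: str, envelope_rcpts: List[str]) -> List[Tuple[str, str]]:
    """Every (role, address) the message involves: SMTP envelope first, then headers.

    The envelope is checked separately because it is what the MTA actually
    routes on, and it can differ from the From header the recipient sees.
    """
    found = [("envelope-from", envelope_from)]
    found += [("envelope-rcpt", r) for r in envelope_rcpts]
    for header in ("From", "Sender", "Reply-To", "To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.append((header.lower(), addr))
    return found


def disposition(raw: str, envelope_from: str, envelope_rcpts: List[str],
                paused: Iterable[str] = PAUSED_DOMAINS) -> Tuple[str, List[str]]:
    """Return ('hold', reasons) if any party is under a paused domain, else ('deliver', [])."""
    msg = message_from_string(raw)
    reasons = [f"{role}: {addr}"
               for role, addr in parties(msg, envelope_from, envelope_rcpts)
               if is_paused(domain_of(addr), paused)]
    return ("hold" if reasons else "deliver", reasons)


# Constructed sample traffic (not real messages).
INBOUND_FROM_SUBDOMAIN = (
    "From: Branch Support <support@mail.nfsp.org.uk>\r\n"
    "To: ops@postoffice.example\r\n"
    "Subject: Weekly update\r\n\r\nbody\r\n"
)
# Header From looks internal, but the SMTP envelope sender is the paused domain.
ENVELOPE_MISMATCH = (
    "From: IT Desk <it@postoffice.example>\r\n"
    "To: ops@postoffice.example\r\n"
    "Subject: Re: ticket\r\n\r\nbody\r\n"
)
# Lookalike suffix: not the paused domain, so this policy delivers it.
# Detecting lookalike domains is a separate control, not shown here.
LOOKALIKE_SUFFIX = (
    "From: Finance <finance@postoffice.example>\r\n"
    "Cc: audit@nfsp.org.uk.example\r\n"
    "To: ops@postoffice.example\r\n"
    "Subject: Invoice\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    print(disposition(INBOUND_FROM_SUBDOMAIN, "support@mail.nfsp.org.uk", ["ops@postoffice.example"]))
    print(disposition(ENVELOPE_MISMATCH, "bounce@nfsp.org.uk", ["ops@postoffice.example"]))
    print(disposition(LOOKALIKE_SUFFIX, "finance@postoffice.example", ["ops@postoffice.example"]))
```

The `reasons` list is what should land in the mail log: it records which party triggered the hold, so that an analyst can later distinguish traffic that was genuinely exchanged with the affected domain from envelope-only matches such as bounces.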
## Lessons Learned
- **Key takeaways:** Vulnerabilities in third-party management software (like cPanel) can provide a direct gateway for ransomware, bypassing the target organization's internal perimeters.
- **Critical Failure:** Delay in patching known critical vulnerabilities in web hosting software following a vendor advisory.
## Recommendations
- **Patch Management:** Ensure that critical security advisories for web hosting software (cPanel, Plesk, etc.) are acted upon within 24–48 hours.
- **Vendor Risk Management:** Audit third-party hosting providers to ensure they maintain rigorous security standards and rapid patching cycles.
- **Communication Redundancy:** Establish secure, pre-verified alternative communication channels (e.g., encrypted messaging or dedicated portals) for use when primary email domains are compromised.
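The "critical failure" named under Lessons Learned and the 24–48 hour patch window recommended above both come down to one measurable question: for each advisory, which hosts still run an affected version, and how far past the deadline are they? The script below is an added example, not code from the report, from cPanel or from the NFSP. It assumes an inventory that records the installed version per host and an advisory record with the first fixed version; every advisory id, product name, version string, hostname and timestamp in it is constructed, and none corresponds to a real cPanel release. In practice the advisory list would be populated from the vendor's feed rather than hard-coded.

```python
"""Patch-SLA tracker for a fleet of hosting control panels.

Added example for illustration only: it is not code from the original report,
from cPanel, or from the NFSP. Every advisory id, product name, version number,
hostname and timestamp below is constructed; none is a real cPanel release.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Hours allowed between advisory publication and deployment of the fix.
# The 48-hour critical window follows the report's recommendation; the other
# values are illustrative.
SLA_HOURS: Dict[str, int] = {"critical": 48, "high": 168, "medium": 720}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.1' into (2, 5, 1) so versions compare numerically, not as strings.

    String comparison would rank '2.10.0' below '2.9.9'; tuple comparison does not.
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed id, not a real advisory number
    product: str
    severity: str         # key into SLA_HOURS
    published: datetime
    fixed_version: str    # first release that contains the fix


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str          # version currently installed on the host


def is_affected(host: Host, adv: Advisory) -> bool:
    """A host is affected when it runs the advisory's product below the fixed version."""
    if host.product != adv.product:
        return False
    return parse_version(host.version) < parse_version(adv.fixed_version)


def evaluate(hosts: List[Host], advisories: List[Advisory], now: datetime) -> List[dict]:
    """Classify every (host, advisory) pair that shares a product.

    Status is 'patched', 'within_sla' (still affected but the clock has not
    run out) or 'overdue' (affected and past the deadline, hours_overdue set).
    """
    findings = []
    for adv in advisories:
        deadline = adv.published + timedelta(hours=SLA_HOURS[adv.severity])
        for host in hosts:
            if host.product != adv.product:
                continue
            if not is_affected(host, adv):
                status, overdue = "patched", 0.0
            elif now <= deadline:
                status, overdue = "within_sla", 0.0
            else:
                status = "overdue"
                overdue = (now - deadline).total_seconds() / 3600
            findings.append({
                "host": host.name,
                "advisory": adv.advisory_id,
                "status": status,
                "hours_overdue": round(overdue, 1),
            })
    return findings


def overdue_hosts(findings: List[dict]) -> List[str]:
    """Names of hosts with at least one overdue advisory, sorted, without duplicates."""
    return sorted({f["host"] for f in findings if f["status"] == "overdue"})


# Constructed inventory and advisories (not real data).
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "panel", "critical",
             datetime(2024, 4, 24, tzinfo=timezone.utc), "2.5.1"),
    Advisory("ADV-EXAMPLE-002", "mailer", "high",
             datetime(2024, 4, 29, 12, tzinfo=timezone.utc), "1.2.0"),
]
SAMPLE_HOSTS = [
    Host("web-a", "panel", "2.5.1"),     # already on the fixed release
    Host("web-b", "panel", "2.4.9"),     # affected and past the 48-hour window
    Host("web-c", "panel", "2.5.0"),     # one release short of the fix
    Host("mail-1", "mailer", "1.1.3"),   # affected, but the 7-day window is still open
    Host("db-1", "database", "8.0.1"),   # different product, not in scope
]
# Evaluation time: the date the report gives for the attack, six days after ADV-EXAMPLE-001.
NOW = datetime(2024, 4, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    results = evaluate(SAMPLE_HOSTS, SAMPLE_ADVISORIES, NOW)
    for f in results:
        print(f"{f['host']:7} {f['advisory']:16} {f['status']:11} +{f['hours_overdue']}h")
    print("overdue:", overdue_hosts(results))
```

Run daily against the live inventory, the `overdue` list is the escalation queue; the `hours_overdue` figure is what turns "we were slow to patch" into a number an auditor can track.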