Cloudron Forum
Hacker Attack

Support | 5 Posts | 2 Posters | 71 Views
    CaeruleusAqua, #1 (last edited by CaeruleusAqua)

    Hello everyone,

    Today we received an email stating that someone was able to log into our server and apparently also take over accounts in the Cloudron API.

    The email came from https://secureforge.io/ and looked legitimate at first glance, but upon closer inspection, you can see that the site is fake.

    I was able to see in the logs that users had logged into various email accounts and that our website had been deleted from the “Surfer App.”

    Almost all accounts have two-factor authentication. However, my account was also visible in the logs, and it definitely has two-factor authentication enabled.

    I have now taken the server completely offline for the time being.

    I am asking for help here on how to solve the problem.

      james (Staff), #2

      Hello @CaeruleusAqua
      Thanks for reporting.

      This could be connected to https://forum.cloudron.io/topic/14255/email-spoofing-issue perhaps or maybe not.

      @CaeruleusAqua said in Hacker Attack:

      we received an email stating that someone was able to log into our server and apparently also take over accounts in the Cloudron API.

      Can you provide this mail as a raw txt?

      @CaeruleusAqua said in Hacker Attack:

      I was able to see in the logs that users had logged into various email accounts and that our website had been deleted from the “Surfer App.”

      If all accounts are affected, I can only assume there is root-level access to the server itself or that the User 0 web session was stolen.
      With the cloudron-support tool as root, one can log in as User 0, the first created user, and circumvent any 2FA checks.
      And as User 0, any other user can be impersonated with a temporary password.
      Same with a stolen browser session for User 0: without a login, all other users can be impersonated, skipping 2FA.

      If possible a full disk image of that server would be great for security analysis.


      What operating system are you using? Are you using User 0 as your main user?

        CaeruleusAqua, #3 (last edited by CaeruleusAqua)

        Return-Path: <sean@secureforge.io>
        Delivered-To: changedtosomething@softdata.com
        Received: from mail.softdata.com ([127.0.0.1])
        	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
        	by mail.softdata.com with LMTPS
        	id J0AtGAcguGi+EgAAhyJ/EA
        	(envelope-from <sean@secureforge.io>)
        	for <changedtosomething@softdata.com>; Wed, 03 Sep 2025 11:01:27 +0000
        Received: (Haraka outbound); Wed, 03 Sep 2025 11:01:27 +0000
        Authentication-Results: mail.softdata.com;
        	spf=pass smtp.mailfrom=secureforge.io
        Received-SPF: Pass (mail.softdata.com: domain of secureforge.io designates 2607:f8b0:4864:20::535 as permitted sender) receiver=mail.softdata.com; identity=mailfrom; client-ip=2607:f8b0:4864:20::535 helo=mail-pg1-x535.google.com; envelope-from=<sean@secureforge.io>
        Received-SPF: None (mail.softdata.com: domain of mail-pg1-x535.google.com does not designate 2607:f8b0:4864:20::535 as permitted sender) receiver=mail.softdata.com; identity=helo; client-ip=2607:f8b0:4864:20::535 helo=mail-pg1-x535.google.com; envelope-from=<sean@secureforge.io>
        X-Envelope-To: changedtosomething@softdata.com
        Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [2607:f8b0:4864:20::535])
        	by mail.softdata.com (Haraka) with ESMTPS id F167E284-C87C-48F6-84E6-BB725B512079.1
        	envelope-from <sean@secureforge.io>
        	tls TLS_AES_256_GCM_SHA384;
        	Wed, 03 Sep 2025 11:01:23 +0000
        Received: by mail-pg1-x535.google.com with SMTP id 41be03b00d2f7-b49cf21320aso6824905a12.1
                for <changedtosomething@softdata.com>; Wed, 03 Sep 2025 04:01:22 -0700 (PDT)
        DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
                d=secureforge.io; s=google; t=1756897279; x=1757502079; darn=softdata.com;
                h=to:subject:message-id:date:from:mime-version:references:in-reply-to
                 :from:to:cc:subject:date:message-id:reply-to;
                bh=gCCeFn2TSijhXXXnfhXDF9SsCOo5SiSyBBS7VOg+UdQ=;
                b=KKvsRpdQUDOhxikSSfhvOPPJSQ81ZWfzrpywFtrDGHi1+YKcaah5QECKKdjnNkA3Of
                 Dr5f6S02lRcM/ufRIcbzm8vZZA5U647VeRvC+WQ9Pwwn6t9zgXZAAJ6DzJOrYfAL0UEv
                 NsORzeW9whYvCCzRTDitY48//qdNcWyQ+cXfJubQY/qhy8bBmlhFIclHDXKONbNb2/LL
                 G5hVSMROT+4jIcN7vQxYkY5KfSN8hjxoiACPM9nYrBCICxYH+Lx1f0Ut8FgWM9AFhQjU
                 33xruBEXHszQi67DHgtchbdMef6rUC7lWkxm2ciEfTWHVIhhbjQhLTkkajIszA459k+T
                 g9Qw==
        X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
                d=1e100.net; s=20230601; t=1756897279; x=1757502079;
                h=to:subject:message-id:date:from:mime-version:references:in-reply-to
                 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
                bh=gCCeFn2TSijhXXXnfhXDF9SsCOo5SiSyBBS7VOg+UdQ=;
                b=hERQ0lcyKZwZyTNOu6D8XR6M3U7sszJqa+alvVOfqiG4OEaSWVUlBSSq9Jd/RUsXWw
                 lgzE9WlyLgk+IBXekVxvykR+FlHyQrOHRIO8iqZ0xKAwtk+LzPrX8r8h0yvUFSR4Fje9
                 R4BdPfNEeSWbZxG3eHQYaYDaXgRTLgzB1H5MxQqgtF0ZHvMQTeTBpA6/AVnP1RtGz4iv
                 ryPRYpp8KuwCEyYY8aEbv1UuGndfX/+bsEpLxwA2Vk63qOPowHKZF23LXBh0/O66RMYN
                 RpHba58G0FEIiM1AdW3cfWguTsQhy+VPH+mFeG42K25z2ePALU96OS3f/ugEzmFvFaN+
                 2UsQ==
        X-Gm-Message-State: AOJu0Yxq4mMqhkDAG8ecs6wG3fSdEI5X3BmkgoXm32xCSx5GRTfUC3N6
        	TSZpVdept9RVJS2n62db5x26QCMnV6KubmpTUGpwu3e2cf2I5XsrNNoxN8lqwtyBszU5PdsSCt6
        	BIFYTJbRqUJeATa96DQVsBFDivQWrp0MY4SJBu+DOSUuXpBO5PYYitpo=
        X-Gm-Gg: ASbGncsi/munX5KOTa6BU3UNmdhaK2ZekTcXafj3nMcOUUNtB/5YE1ba8omaW4hhHKf
        	467Yb7eIG0b0AX0+J4klJYXjcMxcplzFhX9X9sXBKwgyoEdlPjtu9G/wMl4V9tBabKlNsT5Agef
        	8N/ysfwsnTNUcru9BS24kqGAH8OfnQ80FtBIeYiF7KgeLuTXFELudn1ZuaY62x2ByGMZ73XP5rR
        	VEfr2EvFVZGBheOjtOzocfEnkCr1rFXCGs4
        X-Google-Smtp-Source: AGHT+IE2uTk2zt//sQSgg1yt7S12v3oOUESatehax8RSykQAxopFTCKEdVQxZ+mn+2nu+9cojVBfKgxI5Q5hc2bqQq4=
        X-Received: by 2002:a17:90b:48c3:b0:327:7334:403d with SMTP id
         98e67ed59e1d1-328156de6b3mr21560976a91.26.1756897278858; Wed, 03 Sep 2025
         04:01:18 -0700 (PDT)
        Received: from 498586711441 named unknown by gmailapi.google.com with
         HTTPREST; Wed, 3 Sep 2025 11:01:18 +0000
        Received: from 498586711441 named unknown by gmailapi.google.com with
         HTTPREST; Wed, 3 Sep 2025 11:01:18 +0000
        In-Reply-To: <016601dc1cc1$5563ec30$002bc490$@softdata.com>
        References: <016601dc1cc1$5563ec30$002bc490$@softdata.com>
        MIME-Version: 1.0
        From: sean@secureforge.io
        Date: Wed, 3 Sep 2025 11:01:18 +0000
        X-Gm-Features: Ac12FXxry76BDyT7JH0lL-ZT5F7SYF2lZsBkK-9Kuq_zjvMGxRrg8G6Pp9gtzjU
        Message-ID: <CAAEQtJ7MYqVjcB2NN659eYXiPnTH9dFKWCDKNYLvd6jvnRCmcQ@mail.gmail.com>
        Subject: AW: Full account takeover on byteRobotics API
        To: changedtosomething@softdata.com
        Content-Type: multipart/alternative; boundary="00000000000036a82d063de38655"
        X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on b29685ce0917
        X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        	DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
        	SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=4.0.0
        X-Spam-Report: 
        	* -0.0 SPF_PASS SPF: sender matches SPF record
        	*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
        	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
        	*       domain
        	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
        	* -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
        	*      envelope-from domain
        	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
        	*      valid
        	*  0.0 HTML_MESSAGE BODY: HTML included in message
        	* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no
        	*      trust
        	*      [2607:f8b0:4864:20:0:0:0:535 listed in]
        	[list.dnswl.org]
        
          CaeruleusAqua, #4

          Sorry, wrong mail:

          Return-Path: <010001990f0e42e0-62660a78-1ce2-4634-8ffc-9bf6a8298fcc-000000@amazonses.com>
          Delivered-To: changedtosomething@softdata.com
          Received: from mail.softdata.com ([127.0.0.1])
          	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
          	by mail.softdata.com with LMTPS
          	id ADgZHQ8UuGjJEAAAhyJ/EA
          	(envelope-from <010001990f0e42e0-62660a78-1ce2-4634-8ffc-9bf6a8298fcc-000000@amazonses.com>)
          	for <changedtosomething@softdata.com>; Wed, 03 Sep 2025 10:10:23 +0000
          Received: (Haraka outbound); Wed, 03 Sep 2025 10:10:23 +0000
          Authentication-Results: mail.softdata.com;
          	spf=pass smtp.mailfrom=amazonses.com
          Received-SPF: Pass (mail.softdata.com: domain of amazonses.com designates 54.240.48.99 as permitted sender) receiver=mail.softdata.com; identity=mailfrom; client-ip=54.240.48.99 helo=a48-99.smtp-out.amazonses.com; envelope-from=<010001990f0e42e0-62660a78-1ce2-4634-8ffc-9bf6a8298fcc-000000@amazonses.com>
          Received-SPF: None (mail.softdata.com: domain of a48-99.smtp-out.amazonses.com does not designate 54.240.48.99 as permitted sender) receiver=mail.softdata.com; identity=helo; client-ip=54.240.48.99 helo=a48-99.smtp-out.amazonses.com; envelope-from=<010001990f0e42e0-62660a78-1ce2-4634-8ffc-9bf6a8298fcc-000000@amazonses.com>
          X-Envelope-To: changedtosomething@softdata.com
          Received: from a48-99.smtp-out.amazonses.com (a48-99.smtp-out.amazonses.com [54.240.48.99])
          	by mail.softdata.com (Haraka) with ESMTPS id 18F6A514-7F45-48C1-A61F-FC6CF89B4ED4.1
          	envelope-from <010001990f0e42e0-62660a78-1ce2-4634-8ffc-9bf6a8298fcc-000000@amazonses.com>
          	tls TLS_AES_256_GCM_SHA384;
          	Wed, 03 Sep 2025 10:10:19 +0000
          DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
          	s=u5yoimczihtcw4zjts7o5kzmsmlfq6au; d=secureforge.io; t=1756894217;
          	h=Content-Type:MIME-Version:From:To:Subject:Date:Message-ID:Reply-To;
          	bh=i4RKBlI36Eh1jCg4OHgr2zEj3kldd0g0/rwYs6Frg20=;
          	b=iuImrBoooXebgjTBsMNc21l8o1y3yxscEEhAJsu+o3HfmLN/DCGXfE3CjOkfxVEO
          	D+ux2sgcNSyVVhskA0TXV7gmWGVpXtS1BQZEMR1KyXTZb68RT+oVcEROZ1iHTtxKnHy
          	yPYNAS0NwSTcIM/7w+YLa7SJkzx3KJipChg7+6XI5saT/FyyUdzHOgxqMG4CA5jThAp
          	Heas82IFkuDr3laFZhPiX/rDJCMWv0XkUJohBLc/8pCsjZlE2HNwrDlpxyGnSYlVK5D
          	r1fTR4ScHjU5eJsbIMBMpxuukinwSWKYSvsFDLxTqcaqAnWA4aBqB9SA3pc5YVJAEBO
          	HsBPS+1l5Q==
          DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
          	s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1756894217;
          	h=Content-Type:MIME-Version:From:To:Subject:Date:Message-ID:Reply-To:Feedback-ID;
          	bh=i4RKBlI36Eh1jCg4OHgr2zEj3kldd0g0/rwYs6Frg20=;
          	b=DNOPGmBqjUGeq2/2caQDulWjgRsT7BSV7HbOXeQjVUqrN+w58x1XpYY8Jbpk25yw
          	DTzSypnFOyL+tdowBA51KPtTMN0CJ6XTE3Qh3roIaAsNL/TvlDfJ9NhLFPZ5xnM9gQY
          	G47vGUpVNbGHnv21NdPHHDs5mIyWY0ln9iZjySIg=
          Content-Type: multipart/alternative; boundary="===============6338578617582795644=="
          MIME-Version: 1.0
          From: Sean Whitaker <sean@secureforge.io>
          To: changedtosomething@softdata.com
          Subject: Full account takeover on byteRobotics API
          Date: Wed, 3 Sep 2025 10:10:16 +0000
          Message-ID: <010001990f0e42e0-62660a78-1ce2-4634-8ffc-9bf6a8298fcc-000000@email.amazonses.com>
          Reply-To: sean@secureforge.io
          Feedback-ID: ::1.us-east-1.39BSdkv6G4z3E8aSaLuVz+9W8p+wYTmQZCv5YQp0+aw=:AmazonSES
          X-SES-Outgoing: 2025.09.03-54.240.48.99
          X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on b29685ce0917
          X-Spam-Status: No, score=0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
          	DKIM_VALID_AU,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,
          	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
          	SPF_PASS autolearn=no autolearn_force=no version=4.0.0
          X-Spam-Report: 
          	* -0.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4)
          	*      [54.240.48.99 listed in wl.mailspike.net]
          	* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no
          	*      trust
          	*      [54.240.48.99 listed in list.dnswl.org]
          	* -0.0 SPF_PASS SPF: sender matches SPF record
          	*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
          	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
          	*       domain
          	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
          	* -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
          	*      envelope-from domain
          	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
          	*      valid
          	* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
          	*  1.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
          	*      domains are different
          	*  0.0 HTML_MESSAGE BODY: HTML included in message
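
The headers above are worth reading carefully: SpamAssassin reports SPF_PASS and DKIM_VALID_AU, yet the message is still not from anyone trustworthy. As an added example (not code from this thread or from Cloudron), the Python below parses a header block like the posted one and reports which domain each authentication result actually vouches for, in the DMARC sense of aligning with the visible From domain. Both sample header blocks are constructed: the first is the thread's headers trimmed to the relevant fields with selectors and signature values replaced by placeholders, the second is a made-up message whose From domain nothing authenticates. The organizational-domain helper is a two-label simplification rather than the Public Suffix List, and DKIM validity is taken from the receiving filter's verdict because verifying a signature needs the selector's DNS record.

```python
"""Identifier-alignment check over a raw e-mail header block.

Added example, not Cloudron's code: reports which domain SPF and DKIM
really vouch for, and whether either aligns with the From domain.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

# Constructed sample: the thread's headers trimmed to the fields this check
# needs, with selectors and signature values replaced by placeholders.
SAMPLE_THREAD = """\
Return-Path: <PLACEHOLDER-bounce-id@amazonses.com>
Authentication-Results: mail.softdata.com;
\tspf=pass smtp.mailfrom=amazonses.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
\ts=SELECTOR1; d=secureforge.io; t=1756894217;
\th=Content-Type:MIME-Version:From:To:Subject:Date:Message-ID:Reply-To;
\tbh=PLACEHOLDER=; b=PLACEHOLDER==
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
\ts=SELECTOR2; d=amazonses.com; t=1756894217;
\th=Content-Type:MIME-Version:From:To:Subject:Date:Message-ID:Reply-To:Feedback-ID;
\tbh=PLACEHOLDER=; b=PLACEHOLDER==
From: Sean Whitaker <sean@secureforge.io>
To: changedtosomething@softdata.com
Subject: Full account takeover on byteRobotics API
Reply-To: sean@secureforge.io
X-Spam-Status: No, score=0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
\tDKIM_VALID_AU,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,
\tSPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.0

"""

# Constructed sample: a From domain that no authentication result covers.
SAMPLE_UNALIGNED = """\
Authentication-Results: mx.example.test;
\tspf=pass smtp.mailfrom=bulk-sender.test
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.test; s=sel; bh=PLACEHOLDER=; b=PLACEHOLDER==
From: "Security Team" <security@example.test>
Subject: constructed sample

"""


def org_domain(name: str) -> str:
    """Last two labels of a domain. Simplification: DMARC uses the Public
    Suffix List, so this misjudges names such as example.co.uk."""
    labels = name.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(msg: Message, field: str) -> Optional[str]:
    """Domain part of the first address in a header such as From:."""
    _, addr = parseaddr(msg.get(field) or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def dkim_tag(signature: str, tag: str) -> Optional[str]:
    """Value of a tag (e.g. d=) in a possibly folded DKIM-Signature value."""
    m = re.search(r"(?:^|;)\s*" + re.escape(tag) + r"=\s*([^;\s]+)", signature)
    return m.group(1) if m else None


def spf_from_auth_results(msg: Message):
    """(result, domain) of the receiver's SPF check on the envelope sender."""
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([^\s;]+)", ar)
        if m:
            return m.group(1).lower(), m.group(2).lower()
    return None, None


def alignment_report(raw: str) -> dict:
    """Which authenticated identifiers, if any, align with the From domain."""
    msg = message_from_string(raw)
    from_dom = header_domain(msg, "From")
    spf_result, spf_dom = spf_from_auth_results(msg)
    dkim_doms = [d.lower() for d in
                 (dkim_tag(s, "d") for s in msg.get_all("DKIM-Signature", [])) if d]
    spf_aligned = (spf_result == "pass" and bool(from_dom and spf_dom)
                   and org_domain(spf_dom) == org_domain(from_dom))
    dkim_aligned = bool(from_dom) and any(
        org_domain(d) == org_domain(from_dom) for d in dkim_doms)
    # Signature verification needs DNS, so offline we read the receiving
    # filter's verdict: DKIM_VALID_AU = valid signature from the author domain.
    receiver_dkim_valid_au = "DKIM_VALID_AU" in (msg.get("X-Spam-Status") or "")
    notes = []
    if spf_dom and not spf_aligned:
        notes.append(f"SPF pass covers {spf_dom}, not the From domain {from_dom}")
    if dkim_aligned and receiver_dkim_valid_au:
        notes.append(f"a DKIM signature aligned with {from_dom} verified: this proves "
                     f"control of that domain's key, not that its claims are true")
    elif not dkim_aligned:
        notes.append(f"no authenticated identifier aligns with {from_dom}; "
                     "the From line is unverified")
    return {"from_domain": from_dom, "spf_result": spf_result, "spf_domain": spf_dom,
            "spf_aligned": spf_aligned, "dkim_domains": dkim_doms,
            "dkim_aligned": dkim_aligned,
            "receiver_dkim_valid_au": receiver_dkim_valid_au, "notes": notes}


if __name__ == "__main__":
    for name, raw in (("thread", SAMPLE_THREAD), ("unaligned", SAMPLE_UNALIGNED)):
        print(name, alignment_report(raw)["notes"])
```

On the thread's message the report shows SPF passing for amazonses.com (the SES envelope domain, hence SpamAssassin's HEADER_FROM_DIFFERENT_DOMAINS) and an aligned, verified DKIM signature for secureforge.io. Every check therefore passes, and correctly so: the mail genuinely comes from whoever controls secureforge.io. What mail authentication never covers is whether that domain's owner is who the message body says they are, which is exactly the question a suspicious "we got into your server" mail turns on.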
          
            CaeruleusAqua, #5

            I can't do much more right now. I have reported the whole thing to the insurance company and their service provider is now investigating it.
