Below are questions and answers about the malicious attack on the Release 4 Validation Tool, the free tool that allowed publishers and libraries to test and validate COUNTER Release 4 usage reports.
On 15 July a user of the Release 4 Validation Tool alerted us to a problem. The company that hosted the tool for us checked it and reported that a crypto miner was being served in the code. It was reasonably safe to assume at this point that the website had been compromised. We then suspended the website.
On 25 July, one of our volunteer Technical Advisory Group members was able to investigate a copy of the R4 Validation Tool from the server. He found that hackers had compromised the tool through a vulnerability in an outdated PHPUnit version (CVE-2017-9841). The hackers were able to execute any PHP code and therefore had full access to the application (all files and the database) and the reports validated. We were unable to determine whether the hackers had copied user data or the reports.
The goal of this kind of attack usually is to spread malware (in this case a crypto miner) and to collect user information for further attacks. We therefore have to assume that the user database of the R4 Validation Tool with the information entered or created during the registration and login has been disclosed:
A secure hash algorithm (bcrypt) was used to protect the passwords. Nevertheless, the hackers might be able to determine some of the passwords, especially if common or weak passwords were used.
We also cannot exclude that data included in the reports validated with the R4 Validation Tool has been disclosed.
Change your passwords: If you use the same or a similar password as for the R4 Validation Tool for other websites or online accounts, you should change those passwords immediately.
Be aware of scams: Hackers may use stolen names and email addresses for sending phishing emails. These are attempts to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers. Hackers may also try to trick you into installing malware, either included in an email attachment or served from a website, on your computer. There is some useful advice available from this website:
For security reasons the R4 Validation Tool software shouldn’t be used any more. Therefore, we will either remove or restrict access to the repository with the R4 Validation Tool software on the Project-Counter GitHub account. We will also remove the early development version of the R5 Validation Tool that is currently available on the Project-Counter GitHub account. Please note that the R5 Validation Tool preview uses a different version of the software that has been cleaned up and contains a lot of improvements and fixes.
This new tool has been developed and will be deployed with security in mind. The COUNTER Board will also be considering the cause of the Release 4 Tool breach and reviewing our procedures to identify where improvements can be made.
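For anyone who ran their own copy of the R4 Validation Tool, the following added example (not COUNTER's code and not part of the original notice) scans web server access logs for requests to `eval-stdin.php`, the PHPUnit helper script that CVE-2017-9841 concerns. It assumes Apache/nginx "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request and status fields of an Apache/nginx "combined" log line (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# File name of the PHPUnit helper script that CVE-2017-9841 concerns.
TARGET = "eval-stdin.php"

def classify(line):
    """Return (ip, timestamp, method, path, verdict) for a hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, decode %-escapes, ignore case before matching.
    path = unquote(m["path"].split("?", 1)[0]).lower()
    if not path.endswith("/" + TARGET):
        return None
    if 200 <= int(m["status"]) < 300:
        verdict = "REACHABLE"  # script was served: investigate as a likely compromise
    else:
        verdict = "probe"      # request was refused or the file was not found
    return m["ip"], m["ts"], m["method"], m["path"], verdict

def scan(lines):
    """Return every hit found in an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:03:12:44 +0000] "POST /vendor/phpunit/phpunit/'
    'src/Util/PHP/eval-stdin.php HTTP/1.1" 200 412 "-" "curl/7.58.0"',
    '198.51.100.23 - - [01/Jan/2020:03:13:02 +0000] "GET /index.php HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [01/Jan/2020:04:01:10 +0000] "GET /vendor/phpunit/phpunit/'
    'src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.50 - - [01/Jan/2020:04:01:11 +0000] "POST /lib/phpunit/Util/PHP/'
    'Eval-Stdin.php?x=1 HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for ip, ts, method, path, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:9} {ts} {ip} {method} {path}")
```

A `REACHABLE` hit means the script was served to the client, so the host should be handled as compromised; `probe` hits only show that someone looked for the file.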