The official website of Ohio Governor John Kasich and the site of Ohio First Lady Karen Kasich were defaced on June 25 by a group calling itself Team System DZ. The group is a known pro-Islamic State “hacktivist” group that has repeatedly had its social media accounts suspended for posting IS propaganda videos and other activity. Kasich’s site was but one of a number of state and local government websites that were hijacked by Team System DZ early this week, all of which had one thing in common: they were running on an outdated version of the DotNetNuke (DNN) content management platform.
DNN Platform is a popular content management system (particularly with state and local governments) based on Windows Server and the ASP.NET framework for Microsoft Internet Information Server. DNN Platform is open source and available for free—making it attractive to government agencies looking for something low cost that fits into their existing Windows Server-heavy organizations. A review of the HTML source of each of the sites attacked by Team System DZ showed that they were running a vulnerable version of the content management system DNN Platform—version 7.0, which was released in 2015.
A critical security update issued by DNN in May of 2016 warned that an attacker could exploit vulnerabilities to create new “superuser” accounts through the content management system, giving them unfettered remote access to modify websites. DNN urged customers to upgrade to the latest version of the software at the time. A May 2015 alert also warned that an attacker could use the software’s Installation Wizard page for some server configurations to create new user accounts on the Windows Server host.