Important Security Announcement for Moodle and Totara Users.
Catalyst IT are aware of the world-wide credential stuffing campaign against Moodle sites. Our team detected it early and immediately put all possible measures in place.
If you are a Moodle or Totara user, whether a Catalyst client or not, this requires your urgent attention. Please read on.
What happened?
Over the last few days there has been an ongoing security event, outside of our control, that uses leaked user credentials against Moodle sites. A large number of authentication attempts have been made against the administration login of Moodle sites across the globe, both self-hosted and partner-hosted.
These attempts most likely come from a botnet working through a large database of leaked credentials to test whether any of them have been reused on Moodle administrator accounts.
Credential stuffing of this kind is not unusual, but the volume has been noticeably greater than normal, which raises the risk to Moodle sites.
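What this looks like in a site's own logs, as an added example (this is not part of Catalyst's announcement and not Catalyst's tooling): the script below runs over a few constructed rows shaped like Moodle's standard log table (mdl_logstore_standard_log), tells the credential-stuffing shape (many usernames, each tried about once, from many addresses) apart from a brute-force shape (one account hit repeatedly), and lists the watched accounts whose successful login came from an address that was also spraying other accounts. The column layout, the JSON field names in the event's 'other' column, the reason codes and the thresholds are assumptions to check against your own export.

```python
import json
from collections import Counter, defaultdict

FAILED = "\\core\\event\\user_login_failed"
LOGGED_IN = "\\core\\event\\user_loggedin"

# Constructed sample events, NOT real data. Each row mirrors an export of
# mdl_logstore_standard_log: (eventname, timecreated, ip, other), with 'other'
# holding the JSON Moodle records for the event. Reason codes follow Moodle's
# AUTH_LOGIN_* constants: 3 = wrong password, 1 = no such user.
STUFFING_ROWS = [
    (FAILED, 1709251200, "203.0.113.7",  '{"username":"admin","reason":3}'),
    (FAILED, 1709251201, "203.0.113.8",  '{"username":"jsmith","reason":3}'),
    (FAILED, 1709251202, "203.0.113.9",  '{"username":"mbrown","reason":3}'),
    (FAILED, 1709251203, "203.0.113.10", '{"username":"a.lee","reason":1}'),
    (FAILED, 1709251204, "203.0.113.11", '{"username":"kwong","reason":3}'),
    (FAILED, 1709251205, "203.0.113.12", '{"username":"pgreen","reason":3}'),
    (FAILED, 1709251206, "203.0.113.7",  '{"username":"rdavis","reason":3}'),
    (FAILED, 1709251207, "203.0.113.13", '{"username":"tnguyen","reason":1}'),
    (FAILED, 1709251208, "203.0.113.14", '{"username":"sitemanager","reason":3}'),
    (FAILED, 1709251209, "203.0.113.8",  '{"username":"hpatel","reason":3}'),
    # One leaked admin password worked; jsmith's later login is routine.
    (LOGGED_IN, 1709251260, "203.0.113.7",   '{"username":"admin"}'),
    (LOGGED_IN, 1709254800, "198.51.100.20", '{"username":"jsmith"}'),
]

# Same table, different shape: one source guessing one account repeatedly.
BRUTE_FORCE_ROWS = [
    (FAILED, 1709251200 + i, "192.0.2.44", '{"username":"admin","reason":3}')
    for i in range(10)
]


def split_events(rows):
    """Return (failed, successes) as lists of (ip, username) pairs."""
    failed, successes = [], []
    for eventname, _ts, ip, other in rows:
        username = json.loads(other).get("username", "")
        if eventname == FAILED:
            failed.append((ip, username))
        elif eventname == LOGGED_IN:
            successes.append((ip, username))
    return failed, successes


def classify(failed):
    """Summarise failed logins and name the attack shape.

    Credential stuffing: many usernames, each tried about once, many IPs.
    Brute force: one or a few usernames hit many times from few IPs.
    Thresholds are illustrative; tune them to the site's normal failure rate.
    """
    attempts = len(failed)
    users = Counter(u for _, u in failed)
    ips = Counter(ip for ip, _ in failed)
    per_user = attempts / len(users) if users else 0.0
    if attempts >= 10 and per_user < 2 and len(ips) >= 5:
        shape = "credential stuffing"
    elif attempts >= 10 and per_user >= 5:
        shape = "brute force"
    else:
        shape = "background noise"
    return {"attempts": attempts, "distinct_users": len(users),
            "distinct_ips": len(ips), "attempts_per_user": per_user,
            "shape": shape}


def suspect_logins(failed, successes, watch_accounts):
    """Watched accounts (e.g. site admins) whose successful login came from an
    IP that also failed against *other* accounts: reset these first."""
    failures_by_ip = defaultdict(set)
    for ip, user in failed:
        failures_by_ip[ip].add(user)
    return sorted({user for ip, user in successes
                   if user in watch_accounts and failures_by_ip[ip] - {user}})


if __name__ == "__main__":
    failed, successes = split_events(STUFFING_ROWS)
    print(classify(failed))
    print("reset and investigate:",
          suspect_logins(failed, successes, {"admin", "sitemanager"}))
    print(classify(split_events(BRUTE_FORCE_ROWS)[0]))
```

Leaked lists name accounts that may not exist on your site at all, so a burst of reason 1 (no such user) failures spread across many usernames is itself a tell; a single account failing many times from one address is the older brute-force pattern and calls for a different response (lockout, not a site-wide reset).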
Is it a Moodle vulnerability?
No. This is not a vulnerability in Moodle, in Moodle code, or in any partner system.
Instead, it is a large-scale attempt to access Moodle sites globally using credentials from external data breaches: collections of usernames and passwords that have been reused across multiple platforms, including Moodle administrator accounts.
Why and how did it happen?
Any password reused across multiple sites is exposed to this kind of attack: once it is leaked in a data breach, every other system where the same password is in use is at risk.
The data set believed to be behind this wave of attempts is described here: https://www.troyhunt.com/processing-23-billion-rows-of-alien-txtbase-stealer-logs/
Which Moodle sites were affected?
This is a world-wide malicious campaign against Moodle sites. All Moodle clients should take measures to protect themselves immediately.
If you are a Catalyst client and your site has been affected, that is, someone was observed attempting to access your Moodle or Totara site using leaked credentials, Catalyst are already aware of this and have put all possible measures in place.
Our team have contacted, or are in the process of contacting, all affected users to notify them of the measures taken and the next steps, and we are continuing to monitor the situation.
Please note:
None of the underlying services or platforms Catalyst provide have been compromised. While some of our client sites did see successful logins with compromised passwords, there is no evidence that this access was escalated any further. The most common follow-on Moodle attacks we have seen have so far not been effective against sites hosted with us.
What measures have been taken by Catalyst to protect their clients?
Here is what Catalyst already had in place, and what we have implemented in response to this incident, to protect you:
Existing Web Application Firewalls
First and foremost, Catalyst infrastructure security protections include Web Application Firewall rules, which block malicious requests and prevent plugins from being installed directly on client sites. Plugin installation is the standard route from a captured administrator login to running attacker code on the server, so blocking it protects our clients against further escalation even where a login has succeeded.
Passwords have been reset
Catalyst have reset the passwords of all affected users.
Password Validator Plugin on Catalyst client sites
The Catalyst team have enabled the Moodle Password Validator plugin on all client sites. It forces users to change their password if it is found to be compromised.
More information can be found here: https://moodle.org/plugins/tool_passwordvalidator
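How a "compromised password" check of this sort can be done without the password ever leaving your server, as an added example (this is not the Password Validator plugin's own code, and the page does not say which breach corpus the plugin queries): the Pwned Passwords k-anonymity lookup. The password is SHA-1 hashed, only the first five hex characters are sent, the service returns every known hash suffix sharing that prefix, and the match is made locally. The range response below is constructed (the counts are made up) except that its first suffix is the genuine SHA-1 tail of the password "password"; the live lookup function is included for reference but the demo runs offline.

```python
import hashlib
import urllib.request

# Constructed excerpt of a Pwned Passwords range response (not fetched live;
# the counts are made up). For the 5-hex-character SHA-1 prefix you send, the
# API returns every known suffix sharing that prefix as "<suffix>:<count>".
# The first suffix is the real SHA-1 tail of the password "password".
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004
1E2FCD7CB9AC7D3E20EE6B4F5A0B2FAE76C:3
20BC3D6A1F9E8B7C5D4E3F2A1B0C9D8E7F6:12
"""


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the digest into the 5-character prefix
    that is sent over the wire and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn a range response body into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Times the password appears in the corpus (0 = not found).
    fetch_range(prefix) -> response body; injected so this runs offline."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, serving only the constructed range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not used by the demo).
    Add-Padding asks the API to pad the response so that its size does not
    reveal which range was requested; padding entries come back with count 0."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "moodle-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_is_compromised(password: str, fetch_range=offline_fetch) -> bool:
    """The test a validator would apply before accepting a new password."""
    return breach_count(password, fetch_range) > 0


if __name__ == "__main__":
    for pw in ("password", "kR7!vq2#Lm9pZ@wx"):
        print(pw, "->", breach_count(pw, offline_fetch))
```

The five-character prefix narrows the space to roughly one in a million hashes, so the service learns nothing usable about the password itself. Padded entries carry a count of 0, which is why the decision is `count > 0` rather than a plain membership test.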
Multi-factor Authentication (MFA) for all Moodle site administrators
Many of our clients already use MFA (it is part of Moodle core in more recent Moodle versions); for everyone else we are manually enabling and enforcing the MFA plugin (tool_mfa).
What do I (a Moodle / Totara user) need to do next?
Whether or not your Moodle (or Totara) site has been affected, we strongly recommend that MFA is enabled on all of your administrator accounts. Here is how to do it:
The steps below assume you have not already enabled MFA or changed any of the default settings.
- Log in as a site administrator and navigate to: https://your.site/admin/category.php?category=toolmfafolder
- At the top, under ‘Multi-factor authentication’, enable each of the factors below using the enable/disable icon. Do this one at a time, as the page reloads after each click:
- Authentication type
- Authenticator app
- Role
- Security key
- Grace period
- Scroll down to ‘General MFA settings’ and tick the option ‘MFA plugin enabled’
- Scroll down to ‘Grace period’ settings, tick ‘Force factor setup’, and set the grace period to 1 ‘hour’
- Scroll down to ‘Role’ settings and check that ‘Administrator’ is the only role ticked under ‘non-passing roles’. Users holding a non-passing role must complete another factor, while everyone else passes on the role factor alone; this is what limits the MFA requirement to administrators
- Scroll down to ‘Authentication type’ and tick the authentication types that already perform MFA at the identity provider, including ‘Catadmin Authentication’. Typical examples are saml2, oidc and oauth2. Do NOT tick any that rely on a Moodle password, such as ‘manual’ or ‘email’
- IMPORTANT: re-check the settings above; the ‘Authenticator app’ and ‘Grace period’ settings are the critical ones
- Scroll down to the bottom and click ‘Save changes’
The grace period configured above can be reduced to as little as 1 second. With ‘Force factor setup’ and the ‘Authenticator app’ factor enabled, administrators are redirected to set up their MFA factor at their next login.
Catalyst strongly recommend security keys over TOTP-based authenticator apps as the preferred MFA method, because a security key only responds to the site it was registered with and so cannot be phished through a look-alike login page; we understand, however, that authenticator apps are more widely known. The Moodle Security key factor works with physical USB keys such as YubiKey devices and integrates with the native security key options on mobile devices, such as Face ID and Touch ID.
To set up MFA using the Authenticator app for your account:
- Go to the user menu (top right corner) > Preferences, then choose ‘Multi-factor authentication preferences’, or navigate to: https://your.site/admin/tool/mfa/user_preferences.php
- Click ‘Setup’
- Fill in the ‘Device name’ field with something relevant to you
- Scan the QR code with your authenticator app (e.g. Google Authenticator)
- Enter the verification code the app generates into the ‘Enter the verification code’ text box and save changes
- Confirm the Authenticator app entry shows your device name and is marked “Active”
- Log out and log back in. You will now be asked for the current code from your authenticator app
Please note:
Make the MFA change on your UAT / staging instance first, to make sure it does not cause issues for non-administrative users.
If you are unsure about any of the steps above, please reach out to your Catalyst Account Manager for help.
You should also review the other systems and services across your full technology stack, since the same leaked credentials can be tried against any of them.
Client communications and ongoing monitoring
Catalyst have contacted, or are in the process of contacting, all affected clients to notify them of the situation and the measures we have taken. The actions required on the client side have also been outlined.
It is important to note that leaked credentials can be exploited further, and that the scale and severity of this data breach remain significant.
Please do not ignore any communications about this incident or the actions required.
While 100% certainty in such a situation is difficult, be assured that Catalyst are continuing to monitor the systems and services we provide with the utmost effort.
Reach out to your Catalyst Account Manager if you have any further questions or concerns.
Catalyst IT are ISO 27001 certified.
Further reading:
What is credential stuffing? https://owasp.org/www-community/attacks/Credential_stuffing
Cyber security – what could go wrong? https://www.catalyst-au.net/blog/cyber-security-what-could-go-wrong-catalyst-it-australia