Kenyan Government Websites Hacked/Defaced 2019: A Hypothesis On How The Hack Occurred

A superficial look into the hacking event that occurred on 1st June 2019 where at least 18 government (GOK) owned and operated websites were breached and defaced reveals the level of negligence that floods the Kenya ICT industry.

By: DigiHut Systems | Published: Tuesday 23rd of July 2019


The Kenyan government has been riddled with cases of corruption in every sector. The same corruption leads to the hiring of incompetent individuals to perform tasks that are critical to government services. According to a survey conducted by the EACC, bribery, favoritism, nepotism, and embezzlement of funds remain the most prevalent forms of corruption in Kenya. The same happened in this case.

Our Hypothesis on How the Attack Occurred

A survey conducted by the Ethics and Anti-Corruption Commission (EACC) in 2016 shows that procurement, finance, public service boards, roads, and public works are among the top departments prone to corruption. Procurement of IT services is conducted in a similar manner, where one has to part with a 'kakitu' or know someone very prominent to be awarded a tender. Like most hustlers in Kenya, most individuals who purport to be IT experts in this country are merely self-taught web designers or poorly trained ICT individuals from unequipped local colleges. For the most part, they know little or nothing regarding cybersecurity as it applies to web servers and web applications.

I started my investigation on Tue June 4th at 21:28:14 on behalf of DigiHut Systems from the domain www.nys.go.ke (belonging to the National Youth Service), which a quick name server lookup reveals resolved to the IP 41.204.161.190.

		
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	www.nys.go.ke
Address: 41.204.161.190

Further enumeration of the host reveals that the main authors registered on the site are Matayo Odongo, whose LinkedIn profile shows he works at GOK-Kenya as an Information and Communication Technology Officer (ICTO), and Caroline Jomo, whose LinkedIn profile indicates an ICTO role at the Ministry of Regional Development Authorities (MORDA).

[!] 2 users exposed via API: http://www.nys.go.ke/wp-json/wp/v2/users
+----+---------------+-------------------------------------------+
| ID | Name          | URL                                       |
+----+---------------+-------------------------------------------+
| 3  | matayo odongo | http://www.nys.go.ke/author/matayo_admin/ |
| 4  | caroline jomo | http://www.nys.go.ke/author/nys_caroline/ |
+----+---------------+-------------------------------------------+

Opening the IP directly lands on the National Government Affirmative Action Fund website (ngaaf.go.ke).

Now a quick nmap enumeration of potential server folders reveals something interesting... the server is misconfigured. It serves two different websites depending on the port used to access it.

port 80 (http) -> serves ngaaf.go.ke, which is Joomla based.

port 443 (https) -> redirects to the defaced version of the National Development Implementation and Technical Communication department (NDITC) site, which is supposed to be a subdomain of the ICT Authority (ict.go.ke) served at https://nditc.ict.go.ke and is built on WordPress...

 
| => nmap -sV --script=http-enum 41.204.161.190
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-04 21:30 EAT
Nmap scan report for 41.204.161.190
Host is up (0.070s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd (PHP 7.0.32)
| http-enum: 
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /logs/: Logs
|   /robots.txt: Robots file
|   /administrator/manifests/files/joomla.xml: Joomla version 3.8.1
|   /language/en-GB/en-GB.xml: Joomla version 3.8.1
|   /htaccess.txt: Joomla!
|   /README.txt: Interesting, a readme.
|   /bin/: Potentially interesting folder
|   /cache/: Potentially interesting folder
|   /images/: Potentially interesting folder
|   /includes/: Potentially interesting folder
|   /libraries/: Potentially interesting folder
|   /modules/: Potentially interesting folder
|   /templates/: Potentially interesting folder
|_  /tmp/: Potentially interesting folder
|_http-server-header: Apache
443/tcp open  ssl/http Apache httpd (PHP 7.0.32)
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2 
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache

Nmap done: 1 IP address (1 host up) scanned in 515.72 seconds
 

Now I wanted to quit here, seeing that the WordPress version in use is version 2.7 at best, because that is just plain negligence... but then again it could be that the so-called hackers managed to upload a custom-made website instead of defacing the original website... I mean, that's what I would do... Who has time to modify themes...

To continue, I did a quick Google search of the parent IP... seeing that the ICT Authority decided to economize and use a single misconfigured server with a single IP to serve multiple websites... and I bet there was little isolation between the websites, so when one was pwned all were pwned. That's my first hypothesis so far at least... the question is which vulnerability did they exploit...

So I continued the analysis...

I googled the IP...

Now, this was just unbelievable...

ifmis.go.ke was hosted on the same server...

Other websites were also hosted on the same server, as shown below.


Now a complete reverse lookup of the subnet reveals even more interesting results, as attached in the file below...

Now for the kicker...

I'll let everyone have some fun first: just Google 41.204.161.190:80 or visit my Results and explore...

For those who don't understand the results...

There was an upsurge of malware analyses conducted on URLs and documents hosted on the web server; most of them malicious.

The first appearance of the searches dates back to April 13, 2019. So the server was most likely compromised during this period.

The scans may be from two parties.

  1. the hackers trying to check if their hacks were detectable or fully undetectable (FUD), as evident from the malware scans.
  2. Cybersecurity analysts after the incident occurred.

Now the latter seems more viable given that owning an account on one of these online malware analysis services can set you back Kshs. 600,000 a year. Reported incidents are from @Spamhaus, an international threat intelligence organization providing highly trusted real-time actionable data on spam, phishing, botnets and malware sources, and @Cryptolaemus1, a malware/bug hunter.

That's it... my first hypothesis has been confirmed...

I didn't even take an hour...

The attack could not have been targeted, hence I will only present one scenario that describes how they got access, how they leveraged the server and why they defaced the websites.

SCENARIO 1: NULLED SCRIPTS (Lucky script kiddie...)

Now this is more probable and counts as my 2nd hypothesis.

Since the majority of the websites are 'proudly' powered by WordPress, the attackers might not have necessarily targeted government websites but were merely lucky to land on top government websites running nulled/cracked but bugged versions of themes and plugins from popular file sharing websites such as wplocker.com, which raises concerns regarding the competency of web developers hired by the GOK to build their websites. Now, this is a viable hypothesis given that I found at least four government and parastatal websites using nulled themes, as shown below.

1. KEMSA website
[+] Name: healthflex - v1.0.0
 |  Location: http://www.kemsa.co.ke/wp-content/themes/healthflex/
 |  Readme: http://www.kemsa.co.ke/wp-content/themes/healthflex/README.txt
 |  Changelog: http://www.kemsa.co.ke/wp-content/themes/healthflex/changelog.txt
[!] An error_log file has been found: http://www.kemsa.co.ke/wp-content/themes/healthflex/error_log
 |  Style URL: http://www.kemsa.co.ke/wp-content/themes/healthflex/style.css
 |  Theme Name: HealthFlex (shared on wplocker.com)
 |  Theme URI: http://plethorathemes.com/healthflex/
 |  Description: Multipurpose Medical WordPress Theme
 |  Author: Plethora Themes
 |  Author URI: http://plethorathemes.com
 |  License: GNU General Public License v2 or later
 |  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 |  Tags: responsive-layout, theme-options, translation-ready
2. Coffekenya.go.ke
[!] Title: WordPress Slider Revolution Local File Disclosure
    Reference: https://wpvulndb.com/vulnerabilities/7540
    Reference: http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
    Reference: http://packetstormsecurity.com/files/129761/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1579
    Reference: https://www.exploit-db.com/exploits/34511/
    Reference: https://www.exploit-db.com/exploits/36039/
[i] Fixed in: 4.1.5

[!] Title: WordPress Slider Revolution Shell Upload
    Reference: https://wpvulndb.com/vulnerabilities/7954
    Reference: https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/
    Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_revslider_upload_execute
    Reference: https://www.exploit-db.com/exploits/35385/
[i] Fixed in: 3.0.96

Since the scripts are nulled, one cannot get the latest versions of the themes/plugins, hence leaving the server susceptible to hacking through publicly available exploit code (mostly Proof-of-Concept [POC] code). For instance, the Judicial Service Commission website (www.jsc.go.ke) revealed it uses outdated plugins.

[!] Title: LayerSlider 4.6.1 - Style Editing CSRF
    Reference: https://wpvulndb.com/vulnerabilities/7152
    Reference: http://packetstormsecurity.com/files/125637/
[i] Fixed in: 5.2.0

[!] Title: LayerSlider 4.6.1 - Remote Path Traversal File Access
    Reference: https://wpvulndb.com/vulnerabilities/7153
    Reference: http://packetstormsecurity.com/files/125637/
    Reference: https://secunia.com/advisories/57309/
[i] Fixed in: 5.2.0

[!] Title: LayerSlider <= 6.2.0 - CSRF / Authenticated Stored XSS & SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8822
    Reference: http://wphutte.com/layer-slider-6-1-6-csrf-to-xss-to-sqli-with-poc/
    Reference: https://support.kreaturamedia.com/docs/layersliderwp/documentation.html#release-log
[i] Fixed in: 6.2.1

[!] Title: Visual Composer <= 4.7.3 - Multiple Unspecified Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8208
    Reference: http://codecanyon.net/item/visual-composer-page-builder-for-wordpress/242431
    Reference: https://forums.envato.com/t/visual-composer-security-vulnerability-fix/10494/7
[i] Fixed in: 4.7.4

Results from the IFMIS website are even more troubling... the website is outdated, which means it is susceptible to multiple exploits.

[+] WordPress version 3.1.1 identified from stylesheets numbers
 | Released: 2011-04-04
 | Changelog: https://codex.wordpress.org/Version_3.1.1
[!] 38 vulnerabilities identified from the version number

[!] Title: WordPress 3.1 PCRE Library Remote DoS
[!] Title: WordPress 2.5 - 3.3.1 XSS in swfupload
[!] Title: WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning
[!] Title: WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues
[!] Title: WordPress <= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php
[!] Title: WordPress <= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass
[!] Title: WordPress <= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft
[!] Title: WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass
[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS) 
[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
[!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
[!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
[!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
[!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
[!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
[!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
[i] Fixed in: 4.7.1
[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
[!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
[!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
[!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
[!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
[!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
[!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
[!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
[!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
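As an added example (not DigiHut's code), a small Python check for the two warning signs visible in the scan output above: a theme header carrying a nulled-distribution marker such as "(shared on wplocker.com)", and a component version still below the "Fixed in" version of an advisory. The style.css text, the installed plugin versions and the plugin slugs are constructed for illustration; the fixed-in values are the ones quoted above.

```python
"""Two checks for the warning signs visible in the scan output above: a
WordPress theme header carrying a nulled-distribution marker, and a
component version still below an advisory's "Fixed in" version.
Added example; the style.css text and installed versions are constructed."""
import re

# Fields WordPress reads from the comment block at the top of a theme's style.css.
HEADER_FIELDS = ("Theme Name", "Theme URI", "Version", "Author", "Author URI")
# Substrings seen in headers of nulled copies (the wplocker marker is the
# one from the page; the other two are common variants, an assumption).
NULLED_MARKERS = ("wplocker", "nulled", "shared on")

# Constructed style.css modelled on the KEMSA theme header shown above.
SAMPLE_STYLE_CSS = """/*
Theme Name: HealthFlex (shared on wplocker.com)
Theme URI: http://plethorathemes.com/healthflex/
Version: 1.0.0
Author: Plethora Themes
Author URI: http://plethorathemes.com
*/
body { margin: 0; }
"""
# Installed versions are constructed (the scan output does not state them);
# the "Fixed in" values are the ones quoted on the page for each plugin.
INSTALLED = {"revslider": "3.0.95", "layerslider": "4.6.1", "js_composer": "4.7.4"}
FIXED_IN = {"revslider": "4.1.5", "layerslider": "6.2.1", "js_composer": "4.7.4"}

def parse_style_header(style_css: str) -> dict:
    """Return the recognised header fields from the leading /* ... */ comment."""
    m = re.search(r"/\*(.*?)\*/", style_css, re.S)
    if not m:
        return {}
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() in HEADER_FIELDS:
            fields[key.strip()] = value.strip()
    return fields

def nulled_markers_in(header: dict) -> list:
    """Names of header fields whose value mentions a nulled/cracked source."""
    return [k for k, v in header.items()
            if any(marker in v.lower() for marker in NULLED_MARKERS)]

def version_tuple(version: str) -> tuple:
    """'4.1.5' -> (4, 1, 5); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_below_fix(installed: str, fixed_in: str) -> bool:
    """True when installed < fixed_in, i.e. the advisory's issue is unpatched."""
    a, b = version_tuple(installed), version_tuple(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def audit(style_css: str, installed: dict, fixed_in: dict) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    header = parse_style_header(style_css)
    for field in nulled_markers_in(header):
        findings.append(f"theme header '{field}' carries a nulled marker: {header[field]}")
    for slug, version in installed.items():
        if slug in fixed_in and is_below_fix(version, fixed_in[slug]):
            findings.append(f"{slug} {version} is below fixed-in version {fixed_in[slug]}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_STYLE_CSS, INSTALLED, FIXED_IN):
        print("[!]", finding)
```

Pointing parse_style_header at every wp-content/themes/*/style.css on a host gives a quick inventory of where nulled copies were installed, which is the first thing to replace after a clean-up.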

Now at this point, I was sure I had understood how the attacker managed to pwn the server, why he defaced the websites and what his actual intent was.

He exploited a vulnerability in one of the WordPress websites, allowing him to upload a PHP shell. Most probably a known and identifiable PHP shell, based on its signature. It was probably created using weevely, since I highly doubt the attacker is capable of building his own shell script. Having gained access to the server... the attacker uploaded a Microsoft Office document packed with a malicious macro-based malware downloader, which has been widely shared on the darknet and is also employed by the troublesome Emotet banking malware.

The bugged doc file that was used to deliver the malware was downloadable from http://jsc.go.ke/wp-content/uploads/1i65w-ouoocl-sekjr/. I have the actual file from the server in case someone needs it...

Now the attacker tries to trick the user into allowing macros in the document by placing a message that one must click "Enable Editing" and "Enable Content" before the document reveals its content. By doing so, the user activates macros, which are disabled by default in MS Office due to their exploitable nature. On enabling content, the document runs a PowerShell script that calls the download URL (http://www.jsc.go.ke/wp-content/uploads/2019/05/fdbruyrd/up_3.048.exe), dropping malware on the user's PC and running it.

Now, like any other hacker out there... the main motivation for hacking is money. The downloader MS Office document fetched an executable from the compromised Judiciary website http://www.jsc.go.ke/wp-content/uploads/2019/05/fdbruyrd/up_3.048.exe











The downloaded executable was probably the Emotet banking malware, which sent data from penetrated PCs back to http://jsc.go.ke/wp-content/uploads/AbnO-ncKCS534ju0479p_ZcrakfVb-Wnq/, as the upload listing on that path showed.

The URL http://jsc.go.ke/wp-content/uploads/7_k/ was used as the command and control center for receiving and downloading commands, allowing the download of more malware onto the user's PC.





Each uploaded file contains a particular type of information from the victim's PC, as denoted by the letters preceding the hyphen (-). This is a clever trick used by most hackers to trigger further actions in a nested way, i.e. once BG-****.zip is received, do this... etc.

Other URLs under the same wp-content/uploads/ path on jsc.go.ke were used to send and receive commands as well.
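The abuse pattern described above (an executable served out of wp-content/uploads, archives posted back into randomly named upload directories, beacons to those directories) can be picked out of ordinary web-server access logs. This is an added example, not DigiHut's code: the log lines are constructed, with the paths taken from the URLs quoted on this page and RFC 5737 documentation addresses as client IPs.

```python
"""Scan Apache access-log lines for the wp-content/uploads abuse pattern
described on the page: code or archives served from the uploads tree,
POSTs into upload directories, and requests to directories that do not
follow WordPress's YYYY/MM layout. Added example; log lines constructed."""
import re
from collections import Counter

# Apache "combined"/"common" log format; the request line is split into
# method, path and protocol so the path can be inspected.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOADS = "/wp-content/uploads/"
# WordPress uploads should hold media; code and archives there are a red flag.
BAD_EXT = (".exe", ".dll", ".scr", ".ps1", ".php", ".zip")

# Constructed sample (paths follow the URLs quoted on the page; client
# addresses are documentation ranges, not real sources).
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2019:10:12:01 +0300] "GET /wp-content/uploads/2019/05/logo.png HTTP/1.1" 200 5120
198.51.100.7 - - [30/May/2019:10:12:09 +0300] "GET /wp-content/uploads/2019/05/fdbruyrd/up_3.048.exe HTTP/1.1" 200 204800
198.51.100.7 - - [30/May/2019:10:13:44 +0300] "POST /wp-content/uploads/1i65w-ouoocl-sekjr/ HTTP/1.1" 200 312
198.51.100.9 - - [30/May/2019:10:15:02 +0300] "GET /wp-content/uploads/7_k/ HTTP/1.1" 200 88
203.0.113.8 - - [30/May/2019:10:16:30 +0300] "GET /wp-content/uploads/2019/05/report.pdf HTTP/1.1" 200 70221
"""

def parse_line(line: str):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(req: dict):
    """Return a finding for one parsed request under the uploads tree, else None."""
    path = req["path"].split("?", 1)[0]
    if not path.startswith(UPLOADS):
        return None
    rel = path[len(UPLOADS):]
    parts = rel.split("/")
    if req["method"] == "POST":
        # Legitimate uploads go through wp-admin, never by POST to the directory.
        return f"POST into uploads directory {path} (possible check-in or exfil)"
    if rel.lower().endswith(BAD_EXT):
        return f"{rel.rsplit('.', 1)[1]} file served from uploads: {path}"
    # Standard layout is uploads/YYYY/MM/<file>; anything else is worth a look.
    dated = (re.fullmatch(r"\d{4}", parts[0]) and len(parts) > 1
             and re.fullmatch(r"\d{2}", parts[1]))
    if not dated:
        return f"non-standard uploads directory: {path}"
    if len(parts) > 3:
        return f"unexpected subdirectory under YYYY/MM: {path}"
    return None

def scan(log_text: str):
    """All findings as (client_ip, description) tuples, in log order."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        finding = classify(req)
        if finding:
            findings.append((req["ip"], finding))
    return findings

def top_sources(findings):
    """Client addresses ranked by number of findings, for triage."""
    return Counter(ip for ip, _ in findings).most_common()

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ip, finding in results:
        print(f"[!] {ip}: {finding}")
    print("top sources:", top_sources(results))
```

The same checks applied to the live uploads directory (a find for anything outside YYYY/MM or with one of the listed extensions) would have surfaced the drop point weeks before the defacement.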


Now the attacker probably thought he would get access to banking credentials. However, he had clearly not done his research, since most users in Kenya transact through M-Pesa and rarely conduct online banking. A complete analysis of the Emotet malware can be found on Malwarebytes in case anyone needs to read it...

The Emotet banking malware has numerous capabilities, ranging from opening up the Remote Desktop Protocol (RDP) to stealing stored passwords and keylogging the user's activities.

Now given that the server was compromised in mid-April... the attacker probably got frustrated by the results he was getting from the banking trojan and decided to make a name for himself in the hacking world by defacing the websites.

My final thoughts...

The hacker codenamed... W4R10K, which translates to Warlock (for those unable to read GEEK)... was a solo hacker who just got lucky...

He/She was just a simple script kiddie who probably didn't even understand the magnitude of data he had gotten access to. That's why he decided to deface the websites... a show of might among his peers, which means he probably left numerous digital footprints that will lead to his capture, provided that the so-called GOK Cyber Security Team is capable of solving the crime... I mean, how long does it take to clone a server... get things up and running as investigations continue... and why do they call themselves the GOK Cyber Security Team given the multiple vulnerabilities GOK websites contain... It's their mandate to conduct regular vulnerability scans and security audits... I mean, how can a Government run such servers without incorporating an effective intrusion detection and prevention system (IDPS)... such negligence and incompetence. I have no more to say other than: well done W4rl0k, you showed us the true state of GOK Cyber Security.

