Kenyan Government Websites Hacked/Defaced 2019: A Hypothesis On How The Hack Occurred
The Kenyan government has been riddled with cases of corruption in every sector. The same corruption leads to the hiring of incompetent individuals to perform tasks that are critical to government services. According to a survey conducted by the EACC, bribery, favoritism, nepotism, and embezzlement of funds remain the most prevalent forms of corruption in Kenya. The same happened in this case.
Our Hypothesis on How the Attack Occurred
A survey conducted by the Ethics and Anti-Corruption Commission (EACC) in 2016 shows that procurement, finance, public service boards, roads, and public works are among the top departments prone to corruption. Procurement of IT services is conducted in a similar manner, where one has to part with a 'kakitu' or know someone very prominent to be awarded a tender. Like most hustlers in Kenya, most individuals who purport to be IT experts in this country are merely self-taught web designers or poorly trained ICT individuals from under-equipped local colleges. For the most part, they know little or nothing about cybersecurity as it applies to web servers and web applications.
A superficial look into the hacking event of 1st June 2019, in which at least 18 government (GOK) owned and operated websites were breached and defaced, reveals the level of negligence that floods the Kenyan ICT industry.
I started my investigation on Tue June 4th at 21:28:14 on behalf of DigiHut Systems from the domain www.nys.go.ke (belonging to the National Youth Service), which a quick name server lookup revealed resolved to the IP 220.127.116.11.
Server: 18.104.22.168
Address: 22.214.171.124#53
Non-authoritative answer:
Name: www.nys.go.ke
Address: 126.96.36.199
Further enumeration of the host reveals that the main authors registered on the site are Matayo Odongo, whose LinkedIn profile shows he works at GOK-Kenya as an Information and Communication Technology Officer (ICTO), and Caroline Jomo, whose LinkedIn profile indicates she works as an ICTO at the Ministry of Regional Development Authorities (MORDA).
[!] 2 users exposed via API: http://www.nys.go.ke/wp-json/wp/v2/users
+----+---------------+-------------------------------------------+
| ID | Name          | URL                                       |
+----+---------------+-------------------------------------------+
| 3  | matayo odongo | http://www.nys.go.ke/author/matayo_admin/ |
| 4  | caroline jomo | http://www.nys.go.ke/author/nys_caroline/ |
+----+---------------+-------------------------------------------+
Opening the IP in a browser resolves to the National Government Affirmative Action Fund website (ngaaf.go.ke).
Now a quick nmap enumeration of potential server folders reveals something interesting... the server is misconfigured. It serves two different websites depending on the port used to access it.
port 80 (http) -> serves ngaaf.go.ke, which is Joomla based.
port 443 (https) -> redirects to the defaced version of the National Development Implementation and Technical Communication department (NDITC) site, which is supposed to be a subdomain of the ICT Authority (ict.go.ke) served at https://nditc.ict.go.ke, and which is built on WordPress...
| => nmap -sV --script=http-enum 188.8.131.52
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-04 21:30 EAT
Nmap scan report for 184.108.40.206
Host is up (0.070s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd (PHP 7.0.32)
| http-enum:
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /logs/: Logs
|   /robots.txt: Robots file
|   /administrator/manifests/files/joomla.xml: Joomla version 3.8.1
|   /language/en-GB/en-GB.xml: Joomla version 3.8.1
|   /htaccess.txt: Joomla!
|   /README.txt: Interesting, a readme.
|   /bin/: Potentially interesting folder
|   /cache/: Potentially interesting folder
|   /images/: Potentially interesting folder
|   /includes/: Potentially interesting folder
|   /libraries/: Potentially interesting folder
|   /modules/: Potentially interesting folder
|   /templates/: Potentially interesting folder
|_  /tmp/: Potentially interesting folder
|_http-server-header: Apache
443/tcp open  ssl/http Apache httpd (PHP 7.0.32)
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache
Nmap done: 1 IP address (1 host up) scanned in 515.72 seconds
Now I wanted to quit here, seeing that the WordPress version in use is version 2.7 at best, because that is just plain negligence... but then again it could be that the so-called hackers managed to upload a custom-made website instead of defacing the original website... I mean, that's what I would do... Who has time to modify themes...
To continue, I did a quick Google search of the parent IP... seeing that the ICT Authority decided to economize and use a single misconfigured server with a single IP to serve multiple websites... and I bet there was little isolation between the websites, so when one was pwned all were pwned. That's my first hypothesis so far at least... the question is which vulnerability they exploited...
So I continued the analysis...
I googled the IP...
Now, this was just unbelievable...
ifmis.go.ke was hosted on the same server...
Other websites were also hosted on the same server, as shown below.
Now a complete reverse lookup of the subnet reveals even more interesting results, as attached in the file below...
Now for the kicker...
I'll let everyone have some fun first: just google 220.127.116.11:80 or visit my Results and explore...
For those who don't understand the results...
There was an upsurge of malware analyses conducted on URLs and documents hosted on the web server, most of them malicious.
The first appearance of the searches dates back to April 13, 2019, so the server was most likely compromised during this period.
The scans may be from two parties.
- the hackers, trying to check whether their hacks were detectable or fully undetectable (FUD), as evident from the malware scans.
- cybersecurity analysts, after the incident occurred.
Now the latter seems more viable, given that owning an account on one of these online malware analysis services can set you back Kshs. 600,000 a year. Reported incidents are from @Spamhaus, an international threat intelligence organization providing highly trusted real-time actionable data on spam, phishing, botnets and malware sources, and @Cryptolaemus1, a malware/bug hunter.
That's it... my first hypothesis has been confirmed...
I didn't even take an hour...
The attack could not have been targeted, hence I will only present one scenario that describes how they got access, how they leveraged the server and why they defaced the websites.
SCENARIO 1: NULLED SCRIPTS (Lucky script kiddie...)
Now, this is more probable and counts as my second hypothesis.
Since the majority of the websites are 'proudly' powered by WordPress, the attackers might not have necessarily targeted government websites but were merely lucky to land on top government websites running nulled/cracked but bugged versions of themes and plugins from popular file sharing websites such as wplocker.com. This raises concerns regarding the competency of the web developers hired by the GOK to build their websites. Now, this is a viable hypothesis given that I found at least four government and parastatal websites using nulled themes, as shown below.
1. KEMSA website
[+] Name: healthflex - v1.0.0
 |  Location: http://www.kemsa.co.ke/wp-content/themes/healthflex/
 |  Readme: http://www.kemsa.co.ke/wp-content/themes/healthflex/README.txt
 |  Changelog: http://www.kemsa.co.ke/wp-content/themes/healthflex/changelog.txt
[!] An error_log file has been found: http://www.kemsa.co.ke/wp-content/themes/healthflex/error_log
 |  Style URL: http://www.kemsa.co.ke/wp-content/themes/healthflex/style.css
 |  Theme Name: HealthFlex (shared on wplocker.com)
 |  Theme URI: http://plethorathemes.com/healthflex/
 |  Description: Multipurpose Medical WordPress Theme
 |  Author: Plethora Themes
 |  Author URI: http://plethorathemes.com
 |  License: GNU General Public License v2 or later
 |  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 |  Tags: responsive-layout, theme-options, translation-ready
2. Coffekenya.go.ke
[!] Title: WordPress Slider Revolution Local File Disclosure
    Reference: https://wpvulndb.com/vulnerabilities/7540
    Reference: http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
    Reference: http://packetstormsecurity.com/files/129761/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1579
    Reference: https://www.exploit-db.com/exploits/34511/
    Reference: https://www.exploit-db.com/exploits/36039/
[i] Fixed in: 4.1.5
[!] Title: WordPress Slider Revolution Shell Upload
    Reference: https://wpvulndb.com/vulnerabilities/7954
    Reference: https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/
    Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_revslider_upload_execute
    Reference: https://www.exploit-db.com/exploits/35385/
[i] Fixed in: 3.0.96
Since the scripts are nulled, one cannot get the latest versions of the themes/plugins, leaving the server susceptible to hacking through publicly available exploit code (mostly Proof-of-Concept [POC] code). For instance, the Judicial Service Commission website (www.jsc.go.ke) revealed that it uses outdated plugins.
[!] Title: LayerSlider 4.6.1 - Style Editing CSRF
    Reference: https://wpvulndb.com/vulnerabilities/7152
    Reference: http://packetstormsecurity.com/files/125637/
[i] Fixed in: 5.2.0
[!] Title: LayerSlider 4.6.1 - Remote Path Traversal File Access
    Reference: https://wpvulndb.com/vulnerabilities/7153
    Reference: http://packetstormsecurity.com/files/125637/
    Reference: https://secunia.com/advisories/57309/
[i] Fixed in: 5.2.0
[!] Title: LayerSlider <= 6.2.0 - CSRF / Authenticated Stored XSS & SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8822
    Reference: http://wphutte.com/layer-slider-6-1-6-csrf-to-xss-to-sqli-with-poc/
    Reference: https://support.kreaturamedia.com/docs/layersliderwp/documentation.html#release-log
[i] Fixed in: 6.2.1
[!] Title: Visual Composer <= 4.7.3 - Multiple Unspecified Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8208
    Reference: http://codecanyon.net/item/visual-composer-page-builder-for-wordpress/242431
    Reference: https://forums.envato.com/t/visual-composer-security-vulnerability-fix/10494/7
[i] Fixed in: 4.7.4
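Two checks a site owner can run against their own WordPress install, as an added example that is not part of the original post: parsing a theme's style.css header for the "shared on wplocker.com" marker seen in the KEMSA output above, and pairing wpscan-style "[!] Title" / "[i] Fixed in" lines with the installed plugin version to list which findings are still unpatched. The sample header and findings are constructed from the lines quoted above; the installed version is an assumption passed in by the caller.

```python
import re

# Constructed samples in the layout the post quotes: a WordPress theme header
# and wpscan-style findings (the "Fixed in" versions are the ones the post shows).
SAMPLE_STYLE_CSS = """/*
Theme Name: HealthFlex (shared on wplocker.com)
Theme URI: http://plethorathemes.com/healthflex/
Version: 1.0.0
*/"""

SAMPLE_WPSCAN = """[!] Title: LayerSlider 4.6.1 - Style Editing CSRF
Reference: https://wpvulndb.com/vulnerabilities/7152
[i] Fixed in: 5.2.0
[!] Title: LayerSlider <= 6.2.0 - CSRF / Authenticated Stored XSS & SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8822
[i] Fixed in: 6.2.1
"""

# Strings that, inside a theme name, mark a copy redistributed by a nulled-script site.
NULLED_MARKERS = ("wplocker", "nulled", "shared on")


def theme_header(style_css):
    """Parse the 'Key: Value' comment block WordPress reads from style.css."""
    block = re.search(r"/\*(.*?)\*/", style_css, re.S)
    fields = {}
    for line in (block.group(1) if block else "").splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def nulled_theme_markers(style_css):
    """Markers found in the theme name; an empty list means none were seen."""
    name = theme_header(style_css).get("Theme Name", "").lower()
    return [m for m in NULLED_MARKERS if m in name]


def version_tuple(version):
    """'4.6.1' -> (4, 6, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def unpatched_findings(wpscan_text, installed):
    """Pair each '[!] Title' with the next '[i] Fixed in' line and keep the
    findings whose fix version is newer than the installed version."""
    pairs = re.findall(r"\[!\] Title: (.+)\n(?:.*\n)*?\[i\] Fixed in: (\S+)", wpscan_text)
    return [(title, fix) for title, fix in pairs
            if version_tuple(installed) < version_tuple(fix)]
```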
Results from the IFMIS website are even more troubling... the website is outdated, which means it is susceptible to multiple exploits.
Now at this point, I was sure I understood how the attacker managed to pwn the server, why he defaced the websites and what his actual intent was.
He exploited a vulnerability in one of the WordPress websites, allowing him to upload a PHP shell, most probably a known and identifiable PHP shell based on its signature. It was probably created using weevely, since I highly doubt the attacker is capable of building his own shell script. Having gained access to the server, the attacker uploaded a Microsoft Office document packed with a macro-based malware downloader that has been widely shared on the darknet and is also employed by the troublesome Emotet banking malware.
The bugged doc file that was used to deliver the malware was downloadable from http://jsc.go.ke/wp-content/uploads/1i65w-ouoocl-sekjr/ I have the actual file from the server in case someone needs it...
Now the attacker tries to trick the user into allowing macros in the document by displaying a message saying that one must click "Enable Editing" and "Enable Content" before the document reveals its content. By doing so, the user activates macros, which are disabled by default in MS Office due to their exploitable nature. On enabling content, the document runs a PowerShell script that calls the download URL (http://www.jsc.go.ke/wp-content/uploads/2019/05/fdbruyrd/up_3.048.exe), dropping malware on the user's PC and running it.
Now, like any other hacker out there... the main motivation for hacking is money. The downloader MS Office document downloaded an executable from the compromised Judiciary website http://www.jsc.go.ke/wp-content/uploads/2019/05/fdbruyrd/up_3.048.exe
The downloaded executable was probably the Emotet banking malware, which sent data from penetrated PCs back to http://jsc.go.ke/wp-content/uploads/AbnO-ncKCS534ju0479p_ZcrakfVb-Wnq/ as shown by the report below.
The URL http://jsc.go.ke/wp-content/uploads/7_k/ was used as the command and control center for receiving and downloading commands, allowing the download of more malware onto the user's PC.
[Report table with columns First seen | Filename | Payload (SHA256); the rows did not survive extraction.]
Each uploaded file contains various types of information from the victim's PC, as denoted by the letters preceding the hyphen (-). This is a clever trick used by most hackers to trigger more actions in a nested way, i.e. once BG-****.zip is received, do this... etc.
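An added example (not the post's own tooling) of the triage a host's incident responder would run over wp-content/uploads after an incident like this: it flags PHP files (possible webshells), Windows executables and legacy OLE2 Office documents by extension or magic bytes, and top-level directories that do not follow WordPress's YYYY/MM layout, such as the random-name folders quoted above. The directory tree is constructed inside the script from the path shapes the post quotes, with a few dummy bytes in place of the real files.

```python
import os
import re
import tempfile

# Magic bytes: "MZ" = Windows PE executable; D0 CF 11 E0 = legacy OLE2 Office document (macro-capable .doc).
MAGIC = {b"MZ": "windows executable", b"\xd0\xcf\x11\xe0": "OLE2 office document"}
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}
YEAR_DIR = re.compile(r"^\d{4}$")  # WordPress lays uploads out as YYYY/MM/


def classify_file(path):
    """Reason a file does not belong in a media uploads directory, else None."""
    if os.path.splitext(path)[1].lower() in SCRIPT_EXT:
        return "server-side script in uploads (possible webshell)"
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def triage_uploads(root):
    """Walk wp-content/uploads; return (relative path, reason) for every
    foreign file and every top-level directory outside the YYYY/ layout."""
    findings = []
    for name in sorted(os.listdir(root)):
        if os.path.isdir(os.path.join(root, name)) and not YEAR_DIR.match(name):
            findings.append((name + "/", "non-date directory at uploads root"))
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            reason = classify_file(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return findings


def build_sample_tree():
    """Constructed sample tree modelled on the paths quoted in the post; the
    file contents are a few dummy bytes, not the real files."""
    root = tempfile.mkdtemp(prefix="uploads_")
    samples = {
        "2019/05/logo.png": b"\x89PNG\r\n\x1a\n",
        "2019/05/fdbruyrd/up_3.048.exe": b"MZ\x90\x00dummy",
        "1i65w-ouoocl-sekjr/sample.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1dummy",
        "7_k/index.php": b"<?php /* dummy */",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Run it as `triage_uploads("/path/to/wp-content/uploads")` on a copy of the web root; each finding is a file to hash and preserve before anything is cleaned up.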
Other URLs used to send and receive commands include:
Now the attacker probably thought he would gain access to banking credentials. However, he had not done his research well, since most users in Kenya transact through M-Pesa and rarely conduct online banking. A complete analysis of the Emotet malware can be found on Malwarebytes in case anyone needs to read it...
The Emotet banking malware has numerous capabilities, ranging from opening up the Remote Desktop Protocol (RDP) and stealing stored passwords to keylogging the user's activities.
Now given that the server was compromised in mid-April... the attacker probably got frustrated by the results he was getting from the banking trojan and decided to make a name for himself in the hacking world by defacing the websites.
My final thoughts...
The hacker, codenamed W4R10K, which translates to Warlock (for those unable to read GEEK)... was a solo hacker who just got lucky...
He/She was just a simple script kiddie who probably didn't even understand the magnitude of the data he had gotten access to. That's why he decided to deface the websites... a show of might among his peers, which means he probably left numerous digital footprints that will lead to his capture, given that the so-called GOK Cyber Security Team is capable of solving the crime... I mean, how long does it take to clone a server... get things up and running as investigations continue... and why do they call themselves the GOK Cyber Security Team given the multiple vulnerabilities GOK websites contain... It's their mandate to conduct regular vulnerability scans and security audits... I mean, how can a government run such servers without incorporating an effective intrusion detection and prevention system (IDPS)... such negligence and incompetence. I have no more to say other than: well done W4rl0k, you showed us the true state of GOK cyber security.
Our Cyber Security Consultancy Services
DigiHut Systems offers a range of Vulnerability Assessment, Penetration Testing, Cyber Security Training, Application Development, Physical Security Vulnerability Assessment, and Risk and Mitigation Services to meet your needs. If you still haven't found what you are looking for, kindly reach us to learn more about our services.