SG Prime Minister Office compromised
After Anonymous's threat of major attacks on 5th Nov 2012, and the Prime Minister's remark about sparing no effort to bring the attackers to justice (http://www.channelnewsasia.com/news/singapore/govt-will-spare-no-effort/876922.html), the PMO's website was hacked almost immediately (http://www.thejakartaglobe.com/international/singapore-prime-ministers-website-hacked-after-lee-threatens-anonymous/), with some people attributing this to Anonymous (http://sg.news.yahoo.com/singapore-pms-website-hacked-anonymous-175123528.html).
IDA’s official statement can be found at http://www.channelnewsasia.com/news/singapore/subpages-on-pmo-and/878906.html
The Infocomm Development Authority of Singapore (IDA) said a vulnerability in a Google search bar within the sites was targeted and that the integrity of both sites had not been compromised.
Separately, IDA said it observed an "unusually high" amount of traffic to many government websites on 5 November – which indicated attempted cyber-intrusions.
OK, so let's put this into perspective before blowing things out of proportion:
- Hacking is not like what you see in the movies, where a few keystrokes and you are in. It is definitely way more work than that.
- ONLY NOOBS attempt DDoS attacks. This typically comes from people who have nmap, kismet, sqlmap etc. installed (these are PUBLICLY available tools); some might even throw in age-old worms like the Nimda virus for kicks.
- In any form of hacking, the weakest link is ALWAYS HUMANS:
  - Social engineering
  - Never changing passwords
  - Using obvious passwords
  - Using the SAME password everywhere, etc.
OK, so let's now look at the PMO case from a white-hat perspective:
Firing up the website, all content looks pretty normal.
What is interesting is that everything seems to be static content, comes with an ETag (meaning the content should be cached locally) and is sent gzipped (which typically means a load balancer or some hardware device is proxying the content). Other identifying headers are also stripped out, so this looks like a typical hardened server: not easy to hack into!
A simple ping test reveals that the content is hosted on Akamai, i.e. PURELY static content, which means hacking this is a waste of time: there is probably an admin interface or, better still, a backend job that syncs the content over, which you will never have direct access to.
Just to be sure, a request for a non-existent page is tried. The conclusion is still the same: no point hacking this server.
Looking further at the site, we find a search bar. Now anyone with some IT background would know that a search bar displays DYNAMIC results, so this cannot be cached by Akamai, i.e. a possible target for a non-intrusive takeover attempt.
Doing a simple search, which comes up in a POP-UP window (indicating something that has not been changed for ages), throws up the following screen and gems:
- A host, wasdc.shine.gov.sg, which resolves to an IP address that belongs to IDA.
- A ping that times out, which also indicates that the server has been hardened and possibly has its RDP port moved off 3389, with no other open ports except port 80.
- The headers indicate IIS 7.5, which means that it is running Windows Server 2008 R2.
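To make the header reading above concrete from the defender's side, here is an added example (not code from the original post) that parses a raw HTTP response header block and reports the same signals the walk-through relies on: whether the content is cacheable (ETag), whether it is compressed on the wire, and which platform-identifying headers are still present. Both response samples are constructed for this example; only the `Microsoft-IIS/7.5` value mirrors what the post observed.

```python
"""Audit an HTTP response header block for the signals discussed above.

Added example, not code from the original post. Input is the raw header
block of one response (what `curl -I` or browser dev tools show); the two
samples below are constructed for this example.
"""
from __future__ import annotations

# Headers that reveal the platform. A hardened server strips or blanks them.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "via")

# Constructed sample: static page behind a CDN, identifying headers removed.
STATIC_SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
ETag: "5a8f-3c2d"
Cache-Control: public, max-age=600
Vary: Accept-Encoding
"""

# Constructed sample: dynamic search page on an origin server that leaks
# its platform. Only the IIS 7.5 value mirrors what the post reports.
DYNAMIC_SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: private
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
"""


def parse_headers(raw: str) -> dict[str, str]:
    """Return header name -> value, names lower-cased; the status line is skipped."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> dict:
    """Summarise what the response tells an observer."""
    h = parse_headers(raw)
    return {
        # ETag / Last-Modified mean the content is cacheable, i.e. likely static.
        "cacheable": "etag" in h or "last-modified" in h,
        # gzip on the wire usually points at a proxy or load balancer in front.
        "compressed": h.get("content-encoding", "").lower() in ("gzip", "br", "deflate"),
        # Any present fingerprint header is a leak the defender should remove.
        "leaks": {k: h[k] for k in FINGERPRINT_HEADERS if h.get(k)},
    }


def findings(raw: str) -> list[str]:
    """Human-readable audit lines, one per observation."""
    a = audit(raw)
    out = ["content is cacheable (likely static)" if a["cacheable"]
           else "content is not cacheable (dynamic endpoint)"]
    if a["compressed"]:
        out.append("compressed on the wire (proxy/CDN in front)")
    for name, value in a["leaks"].items():
        out.append(f"leaks platform via {name}: {value}")
    return out


if __name__ == "__main__":
    for label, sample in (("static page", STATIC_SAMPLE), ("search page", DYNAMIC_SAMPLE)):
        print(label)
        for line in findings(sample):
            print("  -", line)
```

Run against your own origin server's responses, the `leaks` entries are the to-do list. On IIS 7.5 the `X-Powered-By` header is removed in web.config under `<system.webServer><httpProtocol><customHeaders><remove name="X-Powered-By"/>`, and the ASP.NET version header with `<httpRuntime enableVersionHeader="false"/>`; the `Server` header itself needs URL Rewrite or a front-end proxy to strip, which is consistent with the clean headers the post sees on the Akamai-fronted pages but not on the search pop-up.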
Now some of you might remember Microsoft announcing a zero-day attack around the same time. The CVE number is CVE-2013-3906 (http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx), which is a vulnerability in MS Word. I highly doubt this was used as the launchpad.
So back to the server. In a typical enterprise, patches are never installed on Patch Tuesday itself; they have to go through staging, testing and whatnot, meaning the server might not be patched. Chances are the administrator would also have installed the GUI for ease of configuration.
So now I have my possible attack vector: Windows Server 2008 R2 exploits, especially those pertaining to IIS 7.5.
I shall stop here and leave out the HOW of attacking a web server.
I'd just like to point out a few things before I end off:
- Notice how everything I've done so far looks like normal browsing to anyone watching the logs, if it even generated any.
- I've left out social engineering and social media tracking from the picture (although these are among the most used tools).
- No DDoS, port scan or any analysis that would cause high traffic is done. Why? Because every system in the world takes this to be the first sign of a cyber attack and has configuration in place to block it.
- I'm pretty sure the attack was NOT done by Anonymous; they are way better than that.
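As an added example of the point made in the first and third bullets (not code from the original post), the following detection logic runs over a constructed IIS 7.5 W3C log. A client that behaves like the walk-through above (one page, one non-existent page, one search) stays under every threshold, while a client that probes many non-existent paths inside a minute trips the 404-burst and enumeration checks. The field layout is the default IIS W3C extended format; the IP addresses, paths, user agents and timestamps are made up.

```python
"""Spot noisy probing in an IIS W3C log while quiet browsing stays below threshold.

Added example, not code from the original post. The log below is constructed:
default IIS W3C extended field layout, made-up IPs, paths, user agents and dates.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

FIELDS = ("date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken")

# Constructed log. 198.51.100.7 behaves like the post's walk-through:
# one page, one non-existent page, one search. 203.0.113.9 hammers
# fifteen made-up paths in fifteen seconds.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: " + " ".join(FIELDS),
    "2024-05-01 10:00:01 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15",
    "2024-05-01 10:00:09 10.0.0.5 GET /no-such-page.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 404 0 2 3",
    "2024-05-01 10:00:20 10.0.0.5 GET /search.aspx q=budget 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 120",
] + [
    f"2024-05-01 10:01:{i:02d} 10.0.0.5 GET /probe{i}.php - 80 - 203.0.113.9 scanner-ua/1.0 404 0 2 1"
    for i in range(15)
])


def parse_iis_line(line: str) -> dict | None:
    """Split one W3C log line into a dict; None for comment or malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def detect(lines, window=timedelta(seconds=60), max_404=10, max_distinct=12, max_requests=60):
    """Sliding-window per-client counters; at most one alert per (client, kind)."""
    recent = defaultdict(deque)   # c-ip -> deque of (ts, uri, status) inside the window
    alerts, raised = [], set()
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        ip, ts = rec["c-ip"], rec["ts"]
        q = recent[ip]
        q.append((ts, rec["cs-uri-stem"], rec["sc-status"]))
        while q and ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        n404 = sum(1 for _, _, status in q if status == "404")
        distinct = len({uri for _, uri, _ in q})
        checks = (("404-burst", n404, max_404),            # probing for pages that do not exist
                  ("enumeration", distinct, max_distinct),  # many distinct paths in a short time
                  ("request-rate", len(q), max_requests))   # plain volume
        for kind, value, limit in checks:
            if value >= limit and (ip, kind) not in raised:
                raised.add((ip, kind))
                alerts.append({"ip": ip, "kind": kind, "count": value, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['at']} {a['ip']} {a['kind']} ({a['count']} in window)")
```

The thresholds are the whole story: a single 404 and a single search are indistinguishable from a visitor who mistyped a URL, which is exactly why the post's quiet probing generates nothing worth alerting on, while anything that looks like a scanner crosses a count-per-window limit within seconds. Tune `max_404`, `max_distinct` and `window` against a week of your own logs before turning alerts on.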