Hacker vs. UniKL – TA perspective

Editor note: As part of responsible disclosure, the matter has been sent out to MOHE IT/Network Security and MyCERT with the reference number of MyCERT-202103221082. I recently got contact of the CEO of UNIKL and the article was forwarded to him for further action. 

In most breach stories, we often hear one side of the story. Since I reported the breach, UniKL has not yet reached out to me, nor any press release was seen regarding the matter. As observers, you only see the well drafted press release, often concealing the details of what happened. The extent of any incident is only determined when and if the attacker decides to publish the data. While I had no intentions of writing anything further on this matter, a close peer nudged me and said that I should write a second piece on this story. There wasn’t much to pursue, but fate has it, had other plans.

As the earlier article went live on Linkedin, the attacker, Marwaan (I think i spelt it right) came publicly, replying to the article thread and responded to the thread, claiming responsibility. This is a rare opportunity, providing all of a look into the attacker and the attack. Marwaan agreed to an interview. The full length of the interview will be published by SecurityLah podcast.

But first, if someone claims responsibility, I need to be certain about the claim. Trust, but verify. So i asked for some proof on unpublished information that would validate Marwaan’s claim. A screenshot was provided, attached as below.

That pretty much, to me, confirms that he is indeed the attacker, or at best, someone who has access to the data. Good enough for me. Let’s continue.

(No spoiler’s here, but listen to the full length interview, to be published in 2 parts starting Monday 29 March 2020. at SecurityLah)

I was curious about whether Marwaan had indeed contacted UniKL regarding this matter. I asked him proof of the issue, and he provided screenshots of emails sent to UniKL pertaining to this matter.

From this, it seems to corroborate Marwaan’s narrative that he reached out to UniKL regarding the system weaknesses.

Some key pointers I picked up throughout the interview. UniKL seemed to have taken the matter lightly, and not done an assessment and full incident response. Marwaan also confirmed that based on his knowledge, there is only an IT and Communications team, but clearly lack presence of a cyber security team. Marwaan went on to explain that they had taken the “google” approach of search and deploy controls without understanding what needs to be done, and at times blindly trusting information provided by Marwaan.

This doesn’t bode well for UniKL, which seem to have been seen not managing the situation and respond accordingly. I’m happy to be able to get details from UniKL to present a balanced view on what happened, from their perspective, with necessary proofs to back their claim up, just like what I did with Marwaan. So far, whatever that has been shown, seems to put UniKL in a negative light.

2 key issues i picked up from this incident for this article.

First, incident reporting. Do organizations have a way for general public to report cyber security incidents? When I googled “UniKL report cybersecurity incident”, I see links of UniKL and its cybersecurity programs, but not actually anything related or allowing general public to report cyber security incidents. A case of not practicing what they preach as they teach cyber security? This certainly erodes my confidence to even think of studying there, especially cyber security. Marwaan also explained that he was given the run around, with staffs not even knowing what to do when someone reports such issues.

Do your organization suffer from such problems? Only you know.

Secondly, organizations are ill-prepared to face such issues. Incident response and coordination needs severe improvement. In any instance, when such incidents happen, organizations will alert key stakeholders on the incident, prepare a holding statement to manage the press and issue a first stab at this matter. The approach of “lets-be-silent-and-this-will-go-away” usually ends up making the organization guilty of concealment, lowers trust on the ability of the management and creates opportunity for further speculation. At this point, I have written 2 articles and data of the students, staffs, bank details may be circulating somewhere, which opens up opportunity for future attacks to be even more deadly. Imagine if the bank account was cleared as the attacker has access to the machines logged into the bank portal?

What can happen from here?

It all depends on the authority. The spillage of the attack has been confirmed to even hit MOHE, which creates high severity of this matter. MyCERT has been involved (or notified, by myself and also the attacker), and will most likely issue a holding statement, if this matter blows up. The Personal Data Protection Commission is yet to be seen on this matter (I wonder if MyCERT will reach out and inform them and do a joint investigation). While MOHE falls under the category of CNII (Critical National Information Infrastructure), UniKL doesn’t. However, by nature of processing personal data, UniKL will come under PDPA requirements.

Malaysia lacks reporting requirements for breaches. FireEye made the Solarwinds hack announcement as part of SEC filing. It’s time Malaysia starts looking at something similar, or better. Until such regulations become mandatory, we will continue to see organizations sweeping such issues under the carpet, paving way for more deadly and catastrophic attacks to be possible. We as a country may have recently launched a strategy, but it remains a strategy until something firm is implemented and enforced. Logically, the world is facing a pandemic, and the focus is on the issue, but cyber threats don’t look at whether it’s pandemic, or not, will continue to persist.

I’m sitting by the sideline, with my box of [redacted] popcorn watching to see how this unfolds. One thing’s for sure, there are tonnes of wisdom to be learnt from this incident.

Reference:

  1. UniKL Hack – Dr. Suresh Ramasamy – https://www.linkedin.com/pulse/case-study-unikl-hacked-ramasamy-cissp-cism-gcti-gnfa-gcda-cipm/
  2. CNII – CyberSecurity Malaysia – https://cnii.cybersecurity.my/main/about.html