This isn’t your typical “I-got-breached/hacked” case study. In fact, I found it so interesting that initially I didn’t pay much attention. What got to me was the level of detail that the hacker was able to provide to prove the hack was indeed real, which pretty much placed the smoking gun in his hands.
Let’s dive into the details.
UniKL is a Malaysian based university wholly owned by MARA (Majlis Amanah Rakyat), an agency under the Malaysian Ministry of Rural Development. UniKL has campuses spread across the country.
So what happened?
A hacker was seen selling information obtained through hacking on UniKL. The following is the posting from the hacker.
It seems that the hacker was not happy with UniKL’s response, which resulted in the posting of the leak. The conversation with the hacker was made publicly available by a Twitter user.
The hacker in fact reached out to UniKL on this matter.
Initially, however, UniKL didn’t seem to take heed, claiming it was under control. The hacker, unhappy with the situation, took the matter to Facebook to complain about it.
Is it just me, or does the hacker seem to be emotionally involved with the hack? Getting emotionally involved with a hack seems (I don’t know) dangerous? Emotions aside, was there really a hack?
Looking into the breach data
The hacker proceeded to provide proofs of breach.
Exhibit 1: seems like a listing of students.
Exhibit 2: More student listing.
Exhibit 3: Student details
Exhibit 4: ASP.NET application configuration
Wow. Just wow. In my lingo, we call that pwnage! But wait, there’s more!
Exhibit: Videos from a shared folder
Exhibit: SQL data dump
Exhibit (I lost count): e-Procurement System (wait, this is supposed to be super confidential!).
Talking to the hacker
There was a conversation recorded between a person and the hacker.
Seems like the hacker is pretty deep into UniKL’s infrastructure. What scares me is that the person also had access to UniKL’s CIMB account!
While CIMB corporate banking requires 2FA, the attacker most likely had remote access to the shared PC used by the Finance department for processing payments, so the 2FA is completed on a machine the attacker already controls. Imagine the ability to do a fraudulent fund transfer.
The hacker seems to know how badly the authentication system is broken.
A giveaway on tradecraft – SQL injection.
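The post names SQL injection as the tradecraft but shows no code. As an added example (not from the post or from UniKL’s systems), the snippet below contrasts a student-lookup query built by string concatenation with its parameterised form, using an in-memory SQLite table filled with constructed, fictional student rows. The crafted input is the textbook tautology; the point is that the concatenated version lets input alter the query’s structure and return every row, while the parameterised version treats the same input as a plain value and matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for a student listing; not real data.
STUDENTS = [
    ("S1001", "Aisyah", "CS"),
    ("S1002", "Daniel", "EE"),
    ("S1003", "Mei Ling", "CS"),
]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id TEXT, name TEXT, faculty TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", STUDENTS)
    return conn


def lookup_unsafe(conn, student_id):
    """Vulnerable pattern: the input is spliced into the SQL text itself,
    so quote characters in the input become part of the query grammar."""
    sql = "SELECT id, name FROM students WHERE id = '" + student_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, student_id):
    """Hardened pattern: the driver sends the value separately from the SQL
    text, so the input can only ever be compared as a string literal."""
    sql = "SELECT id, name FROM students WHERE id = ?"
    return conn.execute(sql, (student_id,)).fetchall()


def demo():
    """Run both lookups with a normal ID and with a crafted input and
    return the four result sets so they can be compared side by side."""
    conn = make_db()
    crafted = "' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, "S1002"),
        "unsafe_crafted": lookup_unsafe(conn, crafted),  # every row comes back
        "safe_normal": lookup_safe(conn, "S1002"),
        "safe_crafted": lookup_safe(conn, crafted),      # no row has that literal id
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same distinction applies to the ASP.NET stack the exhibits point at: `SqlCommand` with `Parameters.AddWithValue` (or an ORM) is the parameterised form, and any `"... WHERE id = '" + input + "'"` concatenation is the vulnerable one. From a detection standpoint, a lookup endpoint that suddenly returns the whole table for a single request is the kind of anomaly worth alerting on.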
The hacker does not like being ignored, and seems to have presence/persistence in the network.
The hacker even divulged the identity of the staff member he/she spoke to regarding the matter. (I don’t know if this qualifies as doxxing, since it is a public profile.)
My assessment on this matter
Based on all the details provided, it can be said with high confidence that UniKL has been breached. The extent of the breach warrants a serious look into the IT management and indicates poor cyber security hygiene, judging from the amount of data amassed by the attacker.
It can also be said with high confidence that this is NOT a nation-state threat actor. It’s most likely the work of an individual who seems to have a vested interest in UniKL, judging from the emotional outburst.
There seems to have been dialogue between the hacker and UniKL. From the conversation between the two parties, it seems the approach taken went sour to the point of the attacker publishing the breach. Unconfirmed news mentioned that the hacker tried to extort UniKL and it didn’t work, while the hacker claims that he/she was trying to remedy the situation. Either way, it is obvious that the situation went south, which led to the breach going public. I also noted that UniKL did not make a press release about the matter (as of the writing of this article), which indicates either downplaying the issue or hoping it goes away. That is a poor approach, and it has caused the issue to blow up publicly (PR needs to be improved).
There are a lot of lessons to be learnt from this incident, and a lot of what-not-to-do in such incidents.
- UniKL – About Us – https://www.unikl.edu.my/about-us/
- Twitter – Kimohitomo http://www.twitter.com/kimmohito