Fighting Cyber Attacks during the Burmese Elections

9th Nov 10:30 AM – A penetration test via the TOR network

An attempt to find vulnerable plugins running on the Irrawaddy.org site is detected. The attempt is carried out via the TOR network. The attacker scans the themes and plugins folders and checks for the theme/plugin version in the mandatory changelog.txt file.

198.50.231.22 - - [09/Nov/2015:11:28:19 -0500] "GET /wp-content/themes/linepress/changelog.txt HTTP/1.1" 404 41775
162.247.72.217 - - [09/Nov/2015:11:28:27 -0500] "GET /wp-content/plugins/ajax-the-views/changelog.txt HTTP/1.1" 404 41775
185.65.135.227 - - [09/Nov/2015:11:28:33 -0500] "GET /wp-content/plugins/i-recommend-this/changelog.txt HTTP/1.1" 404 41775
178.20.55.18 - - [09/Nov/2015:11:29:03 -0500] "GET /wp-content/plugins/listic-slider/changelog.txt HTTP/1.1" 404 41775
5.9.36.66 - - [09/Nov/2015:11:29:20 -0500] "GET /wp-content/plugins/meenews/changelog.txt HTTP/1.1" 404 41775
46.246.124.44 - - [09/Nov/2015:11:29:28 -0500] "GET /wp-content/plugins/meteor-slides/changelog.txt HTTP/1.1" 404 41775
162.213.1.5 - - [09/Nov/2015:11:29:36 -0500] "GET /wp-content/plugins/nextgen-gallery/changelog.txt HTTP/1.1" 200 72641

9th Nov 11 AM – Tracking social media

After securing the compromised websites, we focus our efforts on better understanding the online presence of UOH, the Union of Hacktivists.
The group has had a Facebook group since April 2015.

Union Of Hacktivists' Facebook site.
“Be careful that your behaviour does not damage the country”

The last statement, dated the 9th of November, reads “Be careful that your behaviour does not damage the country”. In Burmese: သင့္အျပဳအမူေၾကာင့္ တိုင္းျပည္မနစ္နာပါေစနဲ႕

A list of defacements performed by the group includes:

http://www.yatanarpon.com.mm/uoh.html 18th October
http://www.shwefmradio.com/uoh.html 14th October
http://www.mmsdromfinder.com/uoh.html 14th October
http://www.mmstd.com/news/view/5543/?lang=my 12th October
http://burma.irrawaddy.org/index.html 9th October
http://www.nldchairperson.com 4th August (not confirmed)

Other hacked sites include:

http://www.bnionline.net
http://elevenmyanmar.com April 2015
http://7daynewsjournal.com
http://www.kamayutmedia.com

11th Nov 4:30 AM – The attacker tries to gain access during elections!

We receive an alarm from our monitor script. The attacker has tried to retrieve the Irrawaddy.org website credentials from the log file (log.txt), this time from IP address 122.248.101.151.

burma.irrawaddy.org:122.248.101.151 - - [11/Nov/2015:00:25:11 -0500] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" 
burma.irrawaddy.org:122.248.101.151 - "" [11/Nov/2015:00:25:28 -0500] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" 

In a sequence of transactions, the attacker tries to find out if any of the other backdoors are still active.

bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:31:01] "GET /Backup/noob.php" 
bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:31:08] "GET //Backup/noob.php" 
bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:31:22] "GET /administrator/index.php" 
bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:31:46] "GET /index.php" 
bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:36:17] "GET /index.php?option=com_user&view=login" 
bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:36:31] "POST /index.php/component/user/" 
bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:36:32] "GET /index.php" 
bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:37:16] "GET /index.php" 
bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:37:16] "POST /index.php/component/user/" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:25:45] "GET /phpinfo.php?1=" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:25:57] "GET /phpinfo.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:28:08] "GET /fix.php?1=ls" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:28:34] "GET /content/index.php?1=ls" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:29:51] "GET /wp-content/wp-cache-config.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:29:55] "GET /wp-content/wp-cache-config.php?1=ls" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:29:59] "GET /wp-content/wp-cache-config.php?1=ls%20-al" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:30:12] "GET /wp-includes/http.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:30:16] "GET /wp-includes/http.php?1=ls" 
election-bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:32:50] "GET /index.php?option=com_user&view=login" 
election-bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:33:18] "GET /index.php" 
election-bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:33:18] "POST /index.php?option=com_user" 
election-bur.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:36:00] "GET /index.php?option=com_user&view=login" 
election.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:34:02] "GET /index.php" 
election.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:34:25] "GET /index.php?option=com_user&view=login" 
election.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:34:36] "GET /index.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:34:51] "GET /test.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:35:30] "GET /wp-content/wp-polls/polls-logs.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:35:41] "GET /wp-content/plugins/wp-polls/polls-logs.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:35:44] "GET /wp-content/plugins/wp-polls/polls-logs.php?1=ls" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:39:40] "GET /wp-login.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:40:26] "POST /wp-login.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:46:00] "GET /wp-login.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:46:44] "GET /wp-login.php" 
burma.irrawaddy.org:122.248.101.151 [11/Nov/2015:00:47:00] "POST /wp-login.php" 
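As an added example (not the report's own monitor script), here is a small Python detector that runs over access-log lines in the formats shown above and raises two kinds of alert: the changelog.txt version enumeration of 9th Nov, counted across client IPs because a Tor-routed scan arrives from a different exit node on each request, and requests to the removed backdoor paths or carrying the "?1=<cmd>" command parameter seen on 11th Nov. The watch list is assumed from the paths in this report, and the sample lines are constructed.

```python
import re
from datetime import datetime

# Matches the report's log lines: optional "vhost:" prefix, client IP, bracketed
# timestamp, method and path (the condensed lines in the report carry no status code).
LOG_RE = re.compile(r'^(?:[\w.-]+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s.*?'
                    r'\[(?P<ts>[^\]]+)\]\s"(?P<method>[A-Z]+)\s(?P<path>[^\s"]+)')
CHANGELOG_RE = re.compile(r'^/wp-content/(?:themes|plugins)/([^/]+)/changelog\.txt$')
# Assumed watch list: paths of the backdoors the report says were removed; the
# "1=<cmd>" query parameter is how the intruder passed commands to them.
WATCHED_PATHS = {'/Backup/noob.php', '/fix.php', '/test.php', '/phpinfo.php',
                 '/wp-admin/user/log.txt', '/wp-includes/http.php',
                 '/wp-content/wp-cache-config.php', '/wp-content/plugins/wp-polls/polls-logs.php'}

def parse(line):
    # Returns a dict for one access-log line, or None if the line does not match.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')
    path, _, rec['query'] = rec['path'].partition('?')
    rec['path'] = '/' + path.lstrip('/')  # "//Backup/noob.php" -> "/Backup/noob.php"
    return rec

def detect(lines, window=60, min_names=3):
    # Returns alerts for backdoor probes and for theme/plugin version enumeration.
    alerts, enum_events = [], []
    for rec in filter(None, map(parse, lines)):
        cmd_param = any(p.startswith('1=') for p in rec['query'].split('&'))
        if rec['path'] in WATCHED_PATHS or cmd_param:
            alerts.append(('backdoor_probe', rec['ip'], rec['path'], rec['query']))
        m = CHANGELOG_RE.match(rec['path'])
        if m:
            enum_events.append((rec['ts'], m.group(1)))
    # Enumeration is counted across all IPs in a sliding window: Tor exits rotate.
    enum_events.sort()
    for i, (t0, _) in enumerate(enum_events):
        names = {n for t, n in enum_events[i:] if (t - t0).total_seconds() <= window}
        if len(names) >= min_names:
            alerts.append(('version_enumeration', str(t0), len(names)))
            break
    return alerts

# Constructed sample in the report's format (RFC 5737 addresses, not the real log).
SAMPLE = """\
198.51.100.10 - - [09/Nov/2015:11:28:19 -0500] "GET /wp-content/themes/linepress/changelog.txt HTTP/1.1" 404 41775
198.51.100.11 - - [09/Nov/2015:11:28:27 -0500] "GET /wp-content/plugins/ajax-the-views/changelog.txt HTTP/1.1" 404 41775
198.51.100.12 - - [09/Nov/2015:11:28:33 -0500] "GET /wp-content/plugins/nextgen-gallery/changelog.txt HTTP/1.1" 200 72641
burma.example.org:203.0.113.5 [11/Nov/2015:00:28:08] "GET /fix.php?1=ls"
bur.example.org:203.0.113.5 [11/Nov/2015:00:31:08] "GET //Backup/noob.php"
""".splitlines()
```

Calling detect(SAMPLE) yields two backdoor_probe alerts for 203.0.113.5 and one version_enumeration alert starting at 11:28:19; ordinary requests such as /wp-login.php are not flagged.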

12th Nov 3 PM – Show is over

As a result of our intervention, the Irrawaddy’s news sites have worked flawlessly during the election period. During the past 7 days, the following actions have been taken to secure the infrastructure of Irrawaddy:

  1. Received credentials from the affected organization
  2. Identified Cloudflare mitigation bypass methods
  3. Identified Origin server
  4. Reviewed the existing plugins and their vulnerabilities
  5. Identified malicious activity in two servers and several backdoors
  6. Removed backdoors and installed an alert system to track when the intruders were trying to access the server again.
  7. Disabled PHP functions that could be exploited by the attackers
  8. Reset all passwords on the main CMSs
  9. Enforced file-system attributes to deny file access to critical parts of the CMSs
  10. Identified a new vulnerability scan via the TOR network
  11. Communicated the results of our findings to the Irrawaddy team on a daily basis.

The attackers are now aware of our existence and interventions, as they have noticed that their backdoors have been blocked. We are now closing this Rapid Response case.