
Drama of the Month: The UniKL Hack

This isn’t your typical “I got breached/hacked” case study. In fact, at first I didn’t pay it much attention. What got to me was the level of detail the hacker was able to provide to prove the hack was real, which pretty much placed the smoking gun in his hands.

Let’s dive into the details.

UniKL is a Malaysian university wholly owned by MARA (Majlis Amanah Rakyat), an agency under the Malaysian Ministry of Rural Development, with campuses spread across the country.

So what happened?

A hacker was seen selling information obtained by hacking UniKL. The following is the hacker’s posting.

[Image: the hacker’s sale posting]

It seems the hacker was not happy with UniKL’s response, which resulted in the posting of the leak. The conversation with the hacker was made public by a Twitter user.

[Image: the conversation with the hacker, as shared on Twitter]

The hacker had in fact reached out to UniKL on this matter.

[Image: the hacker’s outreach to UniKL]

However, UniKL didn’t seem to take heed initially, claiming the situation was under control. The hacker, unhappy with this, took the matter to Facebook to complain.

[Image: the hacker’s Facebook complaint]

Is it just me, or does the hacker seem emotionally involved with the hack? Getting emotionally involved in a hack seems (I don’t know) dangerous? Emotions aside, was there really a hack?

Looking into the breach data

The hacker proceeded to provide proof of the breach.

[Images: screenshots provided by the hacker as proof of the breach]

From the screenshots we see student details as well as a system used to manage staff credentials.

[Image] Web application: ASP.NET configuration file

[Image] Shared folder contents and video recordings

[Image] What appears to be a database dump in SQL format

[Image] Screenshot of UniKL’s e-Procurement Requisition System

Talking to the hacker

There was a recorded conversation between a person and the hacker.

[Images: the recorded conversation with the hacker]

The hacker even divulged the identity of the staff member he/she spoke to regarding the matter. (I don’t know if this qualifies as doxxing, since it is a public profile.)

[Image: the staff identity divulged by the hacker]

It seems the hacker is pretty deep into UniKL’s infrastructure. What scares me is that the person also had access to UniKL’s CIMB account!

While CIMB corporate banking requires 2FA, the attacker most likely had remote access to the shared PC used by the Finance department for processing payments. 2FA on the banking portal does little in that case: once the finance staff have authenticated, whoever controls the workstation can ride the live session. Imagine the ability to make a fraudulent fund transfer.

My assessment on this matter

Based on all the details provided, it can be said with high confidence that UniKL was breached. The extent of the breach warrants a serious look into IT management/operations and, judging from the amount of data amassed by the attacker, indicates poor cyber security hygiene.

It can also be said with high confidence that this is NOT a nation-state threat actor. It is most likely the work of an individual who seems to have a vested interest in UniKL, judging from the emotional outburst.

There seems to have been dialogue between the hacker and UniKL. From the conversation between the two parties, it appears the approach taken went sour to the point of the attacker publishing the breach. Unconfirmed reports say the hacker tried to extort UniKL and it didn’t work, while the hacker claims he/she was trying to remedy the situation. Either way, it is obvious that the situation went south, which led to the breach going public. Note also that UniKL has not made a press release about the matter (as of the writing of this article), which indicates either downplaying the issue or hoping it goes away. That is a poor approach, and it caused the issue to blow up publicly (PR needs to be improved).

There are a lot of lessons to be learnt from this incident, and a lot of what-not-to-do in such incidents.

Reference

  1. UniKL – About Us: https://www.unikl.edu.my/about-us/
  2. Twitter – Kimmohito: http://www.twitter.com/kimmohito

This post originally appeared at https://www.drsuresh.net/2021/03/unikl-hack/