Wednesday, January 15, 2025

Hackers claim to have defaced a subdomain of DICT eGov website

Update: This story previously mentioned the eGov PH Super App. However, DICT undersecretary David Almirol clarified that the eGov PH Super App was not affected by the issue. What was affected, he said, was a subdomain of the eGov website and that no eLGUs nor e-government systems were breached.

Philippine-based group Deathnote Hackers International has claimed to have breached a subdomain of the eGov PH website related to its E-Local Government Unit (eLGU) component through an upload vulnerability.

On Saturday morning Aug. 10, the hacktivist group posted a screenshot on social media of their defacement message uploaded to files.e.gov.ph, alerting the Department of Information and Communications Technology (DICT) of a flaw which allowed unrestricted uploads to the files subdomain of the eGov website (part of the eLGU system).

They also posted mirror links of the defacement, and archived the defaced page on the Internet Archive Wayback Machine as proof of their exploit.

They then warned the DICT that the department had a choice: act now to secure the eLGU system or “face the consequences”. They stated that the flaw is a ticking time bomb which could result in a situation that no amount of IT support could fix if not addressed immediately, and that the “next visitor” might not be as friendly.

An unrestricted file upload vulnerability can be dangerous to an IT system exposed to the Web as it can be used to deploy further exploits such as Web shells and other malicious scripts.

A Web shell is a script placed on a Web server that gives an attacker a remote command interface similar to a command prompt or terminal, potentially enabling the reading and writing of files as well as escalation of privileges to gain further control of the system.

Privacy and ICT advocates have been critical of the Philippine government’s eGov program as an “all eggs in one basket situation” that will be disastrous to the Filipino people should hackers breach it because it aggregates enormous amounts of sensitive citizen information in a centralized repository. This makes it a massive target for threat actors.

The defaced page was taken down by the DICT by Saturday evening, and shortly afterward the vulnerabilities were fixed, according to Usec. Almirol.

Deathnote Hackers claims to have only uploaded the defacement page as proof-of-concept for the existence of the vulnerability, but observers said the DICT needs to act immediately to secure the eGov systems as reports of the flaw will have alerted other hacking groups.

In a statement on LinkedIn, DICT undersecretary David Almirol clarified the situation with technical details. While the attackers were able to upload a file to the files.e.gov.ph subdomain, they could not do anything beyond uploading a file and could not execute PHP Web Shells on the system as the subdomain is an S3 bucket used exclusively for file storage.
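The distinction Usec. Almirol draws is the one a defender has to enforce in code: object storage will not execute an uploaded PHP script, but a stored HTML file still renders as a defacement page when the bucket is served publicly. As an added illustration (not code from DICT or the eGov system), the following Python validates an upload before it reaches a public storage bucket and audits a bucket listing for files that should never be there; the allowlist, magic bytes and sample listing are constructed for this example.

```python
# Added illustration, not DICT/eGov code. Allowlist, magic bytes and the
# sample listing below are constructed for the example.
import re

# Extension -> expected leading bytes (constructed allowlist for documents).
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

# Types a browser or server might render or execute are rejected outright.
# An object store will not run PHP, but a stored .html is still a defacement
# page and SVG/XML can carry script.
RENDERABLE = {"html", "htm", "shtml", "php", "phtml", "svg", "js", "xml", "json"}

# Plain names only: no path separators, no traversal, one extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) after checking name, extension and content."""
    if not SAFE_NAME.match(filename):
        return False, "unsafe file name"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext in RENDERABLE:
        return False, "renderable type not allowed: ." + ext
    if ext not in ALLOWED:
        return False, "extension not on allowlist: ." + ext
    # The bytes must match the declared type: a .png holding HTML is rejected.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def audit_listing(keys):
    """Flag objects in a bucket listing whose type should never be stored
    there. Running this over a public documents bucket surfaces defacement
    pages or stray scripts that bypassed upload validation."""
    flagged = []
    for key in keys:
        name = key.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RENDERABLE or ext not in ALLOWED:
            flagged.append(key)
    return flagged


SAMPLE_LISTING = [  # constructed bucket listing for the example
    "forms/permit-2024.pdf",
    "uploads/index.html",
    "uploads/logo.png",
    "uploads/notice.php",
]
```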

In November 2023, security researcher Christian Angel discovered that the eGov PH Android app contained a hardcoded secret key embedded in its code, a bad coding practice that poses security risks to end users because it may allow attackers unauthorized access to sensitive user data. The vulnerability was reported privately, and after coordination with the DICT an updated version of the app with a patch was released.

The public is advised to exercise extreme caution when visiting URLs posted by hackers and sites currently defaced by them. Visiting one of the August 10 snapshots of https://e.gov.ph on the Internet Archive Wayback Machine will cause browsers to attempt to separately download what appears to be a JSON file from the malformed webpage snapshot.

Cybersecurity advocacy group Deep Web Konek first alerted the public of this incident.
