{"id":7560,"date":"2021-02-11T20:49:26","date_gmt":"2021-02-12T03:49:26","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7560"},"modified":"2023-04-05T12:41:12","modified_gmt":"2023-04-05T19:41:12","slug":"sri-lankan-domain-attack-exposed-credentials-available-in-dark-web-for-eight-years","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/sri-lankan-domain-attack-exposed-credentials-available-in-dark-web-for-eight-years\/","title":{"rendered":"Sri Lankan Domain Attack: Exposed Credentials Available in Dark Web for Eight Years!"},"content":{"rendered":"
Investigations into the Sri Lankan Domain attack reveal that threat actors could have used exposed credentials and vulnerabilities to breach and redirect the websites. These credentials have been exposed on the dark web for the past eight years!
On Feb 6, 2021, in Sri Lanka, several .lk domains (under LK Domains) crashed and were redirected to web pages that highlighted social issues affecting the people of the island. While many local business websites were impacted by this attack, two high-profile domains, Google.lk and Oracle.lk, were also affected, and their visitors were redirected to other pages. Incidentally, on Feb 4, 2021, Sri Lanka celebrated its official National Independence Day. The fact that this attack happened two days after this landmark celebration is very telling.
CSW's R&D team investigated this attack and uncovered many interesting and surprising findings –
NIC.LK Domain Credentials Exposed
NIC.LK domain usernames and their passwords have been exposed on the dark web. These username and password combinations have been used on multiple sites (www.gonitro.com, www.netlog.com, www.sharethis.com, www.exactis.com, www.linkedin.com, www.apollo.io, www.000webhost.com) since 2012. The password for all of these credentials appears to have remained the same for almost eight years and has been reused across all these domains over the years!
Redirected URL Investigation
We investigated one of the URLs to which the domain was redirected and found that it belonged to DigitalOcean, a cloud provider, in Singapore.
Internet-facing Assets
We identified over 90 internet-facing assets in one network range, which together carried 39 vulnerabilities. We researched these weaknesses, and our findings follow –
- 10 out of the 39 vulnerabilities are of the RCE exploit type, which is the most dangerous.
- All ten of these vulnerabilities have public exploits available, which means they should be prioritized for patching. Notably, four of them exist in PHP (PHP < 5.6.6, 5.4/5.5/5.6).
- CVE-2019-6110, CVE-2019-6111, CVE-2018-20685 and CVE-2019-6109 are vulnerabilities in OpenSSH, and they are being targeted by Ryuk to mount ransomware attacks. Our investigations reveal that APT groups such as Wizard Spider and FIN6 use these CVEs to launch deadly attacks.
- These four CVEs have been categorized under Common Weakness Enumeration (CWE) entries such as CWE-20, CWE-451, CWE-838, CWE-22, CWE-863 and CWE-116.
Non-existent Domain
The IP address 178.128.19.195 was used to mount the attack. When our team investigated this address, it was found to resolve to a non-existent domain.
Five CVEs Weakened the Sri Lankan Domain
Our investigations further revealed that five CVEs (CVE-2002-0454, CVE-2002-0799, CVE-2000-0091, CVE-2008-1447, CVE-1999-0822) were found in products used by the Domain: Qualcomm QPopper 4.0, Youngzsoft CMailServer 3.30/4.0, Inter7 vpopmail (vchkpw) 3.4.11, BIND 9.4.1-9.4.2 and Qualcomm qpopper 3.0/3.0 b20.
Here is a short analysis of these products –
- Three out of the five CVEs are RCE-type exploits (CVE-2002-0799, CVE-2000-0091, CVE-1999-0822).
- Public exploits for all five CVEs already exist.
- The CVEs with RCE exploits were found in Youngzsoft CMailServer 3.30/4.0, Inter7 vpopmail (vchkpw) 3.4.11 and Qualcomm qpopper 3.0/3.0 b20.