30 C
Lagos
Friday, October 30, 2020
- Advertisement -

Cyberattack Against Premium Times Nigeria Attributed To “Student” At The Federal University Of Technology, Akure – Quirium The Media Foundation

Opinion

#EndSARS Protest: A Fundamental Lesson in Democratic Governance – By Bola Ahmed Tinubu

I heavily grieve for those who have lost their lives or been injured during the period of these protests. My deepest sympathies...

#EndSARS Protests: Nigeria’s President Could Have Prevented Escalation of Violence but Poured Oil on the Fire Through His Silence – By Chidi Anselm Odinkalu...

Located in the central regions of Nigeria’s Delta State, Ughelli is a sleepy city in the Western Niger Delta and the unlikely...

We Must Get Children Back to Learning – But Business As Usual is Not an Option By Jutta Urpilainen and Henrietta Fore

A global joint op-ed by the EU and UNICEF on education for children “One child, one teacher, one book,...

Subjecting Anti-SARS Agitation to Political Interpretation is Jejune Partisan Stimulus By Chris Okotie

Chairman Mao once posited that if the people no longer fear your power, it is because another power is on its way....

March 10, 2020

Starting the 28th of February, Qurium has monitored and mitigated several forms of cyberattacks against Premium Times Nigeria.

The first attacks aimed to find vulnerabilities in the website. The attacker performed vulnerability scans using Nikto and Acunetix during the 28th and 29th of February. Starting from March 1st, the attacker launched Denial of Service attacks aiming to take the website down.

On February 29th, it was made public that the Department of State Services (DSS) had launched a manhunt for Samuel Ogundipe, an investigative journalist with the online newspaper Premium Times, over a report on the rift between Chief of Staff to President Muhammadu Buhari, Abba Kyari, and National Security Adviser, Babagana Monguno.

On March 1st, the newspaper announced that two men suspected to be officials of the State Security Service attempted to breach the home of Premium Times’ Editor-in-Chief, Musikilu Mojeed, claiming they had a message to deliver to him.

Proxies used to hide the attacker’s location

"39.37.130.12" "28/Feb/2020:17:44:19"  "GET" "403" "/ApcCFTKl.j" "403"  opinion.premiumtimesng.com" "80" 

"154.66.33.191" "28/Feb/2020:12:37:34 +0000"  "GET" "/?_test1=c:\x5Cwindows\x5Csystem32\x5Ccmd.exe&_test2=/etc/passwd&_test3=|/bin/sh&_test4=(SELECT%20*%20FROM%20nonexistent)%20--&_test5=>/no/such/file&_test6=<script>alert(1)</script> "403" "www..premiumtimesng.com"

"193.29.13.215"   29/Feb/2020:16:56:52 +0000" "GET" "/acunetix-wvs-test-for-some-inexistent-file" "294" "blogs.premiumtimesng.com"

"39.37.173.215" "29/Feb/2020:17:53:47 +0000" "HEAD" "/" "403" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)""opinion.premiumtimesng.com" "80" 

Pen testing from the Federal University of Technology, Akure (FUTA)

During February 28th and 29th, several scans and penetration attempts took place from the network 196.220.135.0/24 that is registered in the name of the Federal University of Technology, Akure (FUTA) Nigeria. FUTA is a top ranking University of technology in Nigeria, offering courses in Cyber Security.

  • 196.220.135.2 Performed a WordPress Scan (WPScan)
  • 196.220.135.186 Performed a Fuzz Faster pen testing
  • 196.220.135.174 Performed manual scans
"196.220.135.2" "29/Feb/2020:06:15:03 +0000" "403"  "www.premiumtimesng.com" " "WPScan v3.7.5 (https://wpscan.org/)"

"196.220.135.186" "28/Feb/2020:20:10:51" "GET" "/.bundle" "302"  "www.premiumtimesng.com" " "Fuzz Faster U Fool v1.0-rc1"

"196.220.135.174" "29/Feb/2020:07:43:09" "GET" "/wp-admin/import.php" "200" "www.premiumtimesng.com" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"

The 196.220.135.0/24 network is routed by the 196.220.128.0/24 network associated to the Computer Resource Center of FUTA.

The 196.220.135.0/24 network is routed by the 196.220.128.0/24 network associated to the Computer Resource Center of FUTA.

What do we know about this network?

The network 196.220.135.0/24 is a part of the bigger network prefix 196.220.128.0/19 announced by ASN provider AS327705 aka Federal University of Technology, Akure (FUTA) . The network is operated by the Computer Resource Center (CRC).

The network of FUTA is very unstable and often goes offline. This can be seen monitoring the BGP stability of the prefix during time. No public services seems to be hosted in the network. Services like mail or websites of the University are hosted abroad.

When analyzing traffic from FUTA visiting Premium Times during the past six months, we found little or no traffic coming from this big network. The few requests coming to our servers were spread across the IP space with very diverse User-Agents and mostly mobile connections.

During the test period of six months, Qurium received less than 16.000 requests coming from the 8192 IPs of the network 196.220.128.0/19 and a few hundred requests from the attacker network 196.220.135.0/24. The fact that the attacker used the IP address 196.220.135.2 to run the scans is surprising, as we have never received traffic from lower IPs of the network.

In order to understand the normal office hours of the University, we graphed all the requests and their timestamps. The University seems to start its activities at 6:00 AM UTC and the traffic is reduced around 17:00-18:00 PM. During the test period, only 15% of the FUTA origin traffic targeting Qurium’s infrastructure takes place between 20:00 PM and midnight. More than 95% of this traffic is from Mobile phones.

What was the attacker doing from the University infrastructure at 20:00 PM running Kali Linux?

Desktop traffic (mostly Windows NT) represents less than 15% of the visits and very little or no traffic has been recorded outside of the 6 AM – 18 PM time range.

The attacker worked during two days from 6 AM to 21 PM trying to break into Premium Times’ website.

Attacker also uses 9mobile

The attacker also used the same tools from 9mobile/EMTS mobile network. Using the signature of the tool used by the attacker, it can be seen how the attacker continued the attacks using a mobile connection around 20:20 PM GMT.

"41.190.31.91" "28/Feb/2020:20:21:16 +0000" "GET" "/deploy.rake" "302" "www.premiumtimesng.com" "Fuzz Faster U Fool v1.0-rc1" 

"41.190.3.241" "29/Feb/2020:08:27:54 +0000" "GET" "/nice%20ports%2C/Tri%6Eity.txt%2ebak" 

The DDoS attacks start

On March 1st, several waves of attacks were launched against the newspapers’ website.

9:28 AM Attacker launches Chargen Amplification attack against website.

9:43 AM Attacker floods Qurium infrastructure trying to bypass our CDN.

11:40 AM Attacker launches an application layer attack against the CDN, with methods GET Flood, POST Flood, GET Random URL Flood.

16:20 PM Attacker launches another application layer attack against the CDN.

18:00 PM Attacker launches an attack against Qurium’s DNS servers

19:46 PM Attacker launches a second attack against Qurium’s DNS servers

20:50 PM Attacker launches NTP Amp against website.

3rd March – 11:05 AM GET flood

The attacker checks the website availability using “Check-Host” service.

FUTA acknowledges the attack

On March 5th, Qurium reached out to FUTA to inform them about the attacks. A mail was sent to Oronti Adewale (Senior Network Engineer), Adegbenro Adebanjo (Spokesman, Communications) and to the CRC Director and Vice Chancellor of the University. No response was received.

On March 6th (9:36 AM) the same email was sent to Professor Boniface Kayode Alese from the Department of Computer Science. Prof. Alesa is a teacher in Cybersecurity and frequent speaker in the area of cybercrime.

The same day (19:54 PM), Prof. Alese confirmed that a “male student” performed the pen testing attacks for pleasure and asked for more information about the Denial of Service Attacks. Logs were forwarded with evidence of pen testing carried out from the University infrastructure. Alese has since then refused to provide more details about the student and how he was identified so quickly.

Hi, Our investigation so far confirms that one of our students carried out a Pen Testing but we do not have any evidence yet that he carried out DOS attack. During investigation, he told us that he did just for pleasure. This we can investigate further if we have the complete log from you but going forward, may I know your relationship with Premium Times and what you actually expect from the institution? Thanks

Mails to FUTA were sent on March 7th and 10th asking for further details about the attacker and how he was identified. The University stopped answering our requests for further clarifications.

Questions to be answered

Despite our efforts to better understand who attacked Premium Times Nigeria and the motivations behind the attacks, there are still some open questions:

  • Who was running “Kali Linux” and other pen testing tools during the Friday and Saturday 28 and 29th of February 2020?
  • Who had access to the University network infrastructure at 20 PM on a Saturday and from which location to perform the attacks?
  • Why the “student” choose to attack Premium Times Nigeria for “pleasure”?
  • How the University could identity the attacker in less than 12h after our mails were sent?
  • Why the representatives of FUTA refused to provide further details or totally ignored our mails?
- Advertisement -

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisement -

Business Profiles

Theresa Ekong

Theresa Ekong is the Acting Head of Compliance at Providus Bank. She has over 18 years industry experience cutting across banking Operations,...

Mark Oguh

Mark has 22 years experience in the Banking industry covering Operations, Audit and Financial Control. He is also a...

Aina Amah

Aina Amah is a graduate of Economics from the University of Lagos and an MBA from the University of Nicosia, Cyprus. She...

Uyi Osagie

Uyi Osagie is the Chief Financial Officer of Allianz Nigeria. He joined Allianz as Financial Controller from 2014 and rose through the...

Usen Udoh

Usen Udoh is the Group Chief Human Resources Officer of the Dangote Group where he oversees a team of busines unit human...