“Another one bites the dust. Hey I’m gonna get you too, another one bites the dust”, says the lyrics of the most iconic of all Queen songs “Another one bites the dust”. This is also what Phantom Troupe, a group of Filipino cybersecurity enthusiasts, has been telling poorly secured government websites and servers since the start of the pandemic last year.
Phantom Troupe members were greatly concerned when companies and schools started implementing work from home and learn from home schemes. The group noticed that foreign hackers have started exploiting users who have minimal to zero experience in technology, these are the users who were forced to adapt to the new normal because of the pandemic. The group said that the most dangerous thing some companies and many schools have done because of the health crisis was to allow employees to bring home their office computers and use these devices outside the secure office environment. Once these devices are compromised, there is a big possibility that these hackers would have access to corporate networks. Phantom Troupe decided to help schools and companies secure their systems by breaching vulnerabilities and patching them one by one. “We need to do something, we have relatives and friends who are also doing work from home arrangements and doing online learning. The problem with a breach is that everyone in that school or business could be affected. We will be scouring the Philippine internet community from vulnerable systems, one by one.” says Phantom Troupe in a message sent to MB Technews.
Just recently, MB Technews got information that the server of the Bureau of Customs was compromised and a database containing hundreds of thousands of user details is in danger of being downloaded. We got the same message from two Philippine hacking groups informing us that “something big” is about to happen. We waited for their next update and when we got the confirmation, we immediately informed the National Privacy Commission (NPC) about it. The NPC was informed around 7:00 pm of March 11, as of this posting, the Bureau of Customs has done nothing to secure the affected server.
The website of Bureau of Customs for parcel tracking was defaced by multiple groups this week.
Here’s what happened based on our conversation with some of the attackers who contacted us about the incident:
At 2:37 pm on March 11, Thursday, Pinoy Clownsec breached the Bureau of Customs server using an SQL injection attack. SQL Injection is a vulnerability caused by mistakes in coding, a common mistake of inexperienced programmers that permits malicious inputs to a program. The vulnerability was exploited by Clownsec member MikasaX allowing him to send commands to the server that gives him access to the database.
Expecting to see sensitive information, he informed other Pinoy Clownsec members about the breach, and together with another hacker who calls himself Laxx, they discovered more than 365,000 sensitive details about the senders of parcels, including balikbayan boxes, to the Philippines.
Around the same time, Phantom Troupe noticed a “heightened activity” in chat groups frequented by Pinoy security enthusiasts. The group concluded that it has to be the Bureau of Customs because “parcel” “balikbayan box” and “most corrupted agency” were always mentioned in the conversation. Using the same technique, Phantom Troupe got inside the BOC server around 3:05 pm on March 11.
In a now-deleted chat group at around 5:05 pm, Pinoy Clownsec members said that from more than 365,000 user details, the number increased to more than 366,000 thousand, which means that the servers administrators have no idea of the breach yet as it continues to receive updates from users. MikasaX and Laxx also said that the server activity confirms the information is recent and that the server is active.
Phantom Troupe, alarmed by the skills of other hackers within the BOC servers, decided to patch the system thereby booting out or limiting what other hackers could do inside the BOC server. The server according to Phantom Troupe also contains BOC employee details. Members of Clownsec and Phantom Troupe are the ones responsible for the Philippine National Police Academy (PNPA) and the Office of the Solicitor General breach.
While the BOC has done nothing to secure the server, Phantom Troupe patched all the vulnerabilities that could be used to access what’s inside the system. According to Phantom Troupe, other hackers could still get in but they could not do any damage now in the system as it is already protected by their group.
Pinoy Clownsec however said that the vulnerability of the database is still there, what’s disturbing is that the BOC database is writable, MikasaX and Laxx could change any details in the parcel delivery system of the BOC anytime if it is not fixed. What worries MikasaX is the seeming inability of government systems administrators to do their jobs seriously. In the case of the BOC attack, he said that one of the passwords used in the system is “secretlang”, using the brute force method this could be cracked in about 50 minutes. (Go to https://howsecureismypassword.net/ to check how strong is your password.)
Pinoy Clownsec and Phantom Troupe are just two hacking groups that represent other hacking groups in the country. Pinoy Clownsec exposes vulnerabilities by downloading information and defacing websites; Phantom Troupe on the other hand secures servers without permission from owners. Both of them may have good intentions but the way they do it is not legal and could put them to jail for violating the Philippine Cybercrime Prevention Act.
Phantom Troupe gave this warning when asked about the group’s next move: “We will get every weak government server and shame the owners to force them to fix their systems. To government website owners, the question is…are you ready hey are you ready for this? Your server might be the next one to bite the dust.”