DDoS attacks against Salvadoran “Revista Factum” attributed to University infrastructure


March 2020

  • Salvadoran news site under week long DDoS attack for investigating the contradictions and lack of transparency of president Bukele
  • The attack was attributed to a University lecturer in El Salvador

In early October 2019, the independent news site Revista Factum in El Salvador received a series of intrusion attempts and Denial of Service attacks that brought the website down at multiple occasions. This report focuses on confirming the nature of the attacks, and attributing the attacks.

Revista Factum’s report: Universidad de Oriente implicada en ciberataques contra Revista Factum [ESP]


Confirmed Denial of service attacks against Revista Factum

Starting the 13th of October 2019, the backend of Revista Factum’s website started to received DDoS attacks. The website was hosted in PlusPlusHosting.net, which hosts their infrastructure with Handy Networks AS30475, Denver, US. PlusPlusHosting responded to the attacks by filtering out the attack traffic and “null routed” Revista Factum’s IP address. By “null routing” the IP address, the network provider effectively removed the website from the Internet. The sink holing of the website seemed semi-automated by the network carrier that uses Juniper’s Packet Forwarding Engine (PFE) firewall to compute statistics and blackhole the victim IP address when under DDoS attack. For example. a routing message indicating a routing filter was visible in Telia-Sonera looking glass starting October 16th 22:51 PM (16:51 PM) in Salvador

Similarly, we could spot another null-route during the 17th October starting at 17:30 PM (11:30 AM Salvador time).

Traffic analysis of the flooding attack reveals a multi-gigabit UDP amplification composed of multiple amplification vectors:

  1. memcache UDP amp
  2. ntp UDP amp
  3. DNS amp (open resolvers)
  4. LDAP amp
  5. SNMP amp

The attacks were launched during several consecutive days. Once the “null route” ban was removed by the hosting provider, the UDP floodings re-appeared immediately. This behavior suggests that the attacker was launching floodings all the time and did not stop when the site went offline.

Two different types of attacks

By analyzing the access logs from the attacks, Qurium could identified two IP addresses actively pen testing the website from El Salvador.

179{.}51.58.67
167{.}249.23.138

One of the distinctive signatures of the attacks was the use of a security scanner known as Netsparker.

167{.}249.23.138 - - [08/Oct/2019:11:50:27 -0600] "GET /wp-json/contact-form-7/?n3tsp4rke2 HTTP/1.1" 404 147
Traffic peak generated by IP address 167{.}249.23.138 on October 8th.

Linking the address 167{.}249.23.138

The IP address 167{.}249.23.138 is connected to the domain name cds-univo.ddns.net which is linked with the software development company CASS (Central Americas Software Services) from El Salvador.

2018-08-02 14:01:50 -0000, 2019-10-08 04:45:07 -0000,cds-univo.ca2s.com. IN CNAME cds-univo.ddns.net

SSL certificate links to domain *.ca2s.com

The SSL certificate of the IP address 167{.}249.23.138 is connected to the same company:

Company Certificate Chain 7e2ee7e57fe8d8678dc46296da14193f6447aeb6ca7e1ef599965ff7dace76cc OU=Domain Control Validated OU=EssentialSSL Wildcard CN=*.ca2s.com  C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA

  
RDP Server also includes CDS UNIVO

The person performing the pen test seemed to be located in the City of “San Miguel”, working or making use of the infrastructure of CASS. Their webpage states that they have a CDS (Center for Software Development) in association with the University of Oriente (Eastern University) aka UNIVO.

Update 12 March 2020: According to the director of CASS, the central router is not only used by the USAID program’s computers in Quelepa but also by more computers that belong to UNIVO. The attacker did not launch the attacks from USAID funded computers but the University ones. CASS totally condemns his actions.

According to public sources, CASS (Ca2s) is a partner of the USAID employment program “Proyecto para el empleo” .

Where is the attack coming from?

Network traffic analysis of network 167{.}249.23.0/24 suggests that the Centro de Desarrollo de Software might be hosted in the Universidad del Oriente (UNIVO).

inetnum:     45.173.56/22
status:      assigned
aut-num:     N/A
owner:       UNIVERSIDAD DE ORIENTE
ownerid:     SV-UNOR1-LACNIC
responsible: José Liberato Gonzalez Díaz
address:     4a Calle Poniente 705 San Miguel SV, 705, -
address:     3301 - San Miguel - SM
country:     SV
phone:       +503  26683700 [3779]
 

Traffic to the network 167{.}249.23.0/24 is routed by CONECTIVE S.A. DE C.V that provides services in San Miguel to both Universidad de Oriente (UNIVO) and Universidad Capitan General Gerardo Barrios (UGB)

Information found in social media suggests that the CDS (Software Development Center) is located in “Jaguar de Piedra”, the Quelapa Campus of UNIVO.

Facebook posting from Centro de formación UNIVO, Quelepa.

Revista Factum identifies attacker at UNIVO

The attacks against Revista Factum’s website continued after the migration of the site to Qurium’s secure hosting infrastructure (Virtualroad.org). The attacks were successfully mitigated and more forensics evidence was collected.

On October 18th, while the attacks were still ongoing, a team from Revista Factum arranged a visit to the University of Oriente (UNIVO) and met with Pedro Fausto Arieta Vega, rector of the University.

The rector, also lawyer and notarius by profession, promised to investigate the case and asked to José Liberato González Díaz, the head of IT of the University to review Qurium’s forensics report.

A few days after the visit, the UNIVO provided a first official response confirming that after reviewing 425 computers at their premises they had identified the computer involved in the attacks and the person behind it. The UNIVO also interviewed the attacker that acknowledged the use of Netsparker and other tools present in the Linux Distribution “Kali”.

UNIVO provides a “liability waiver”

The University provided a brief document signed by the attacker freeing the University from any liabilities. The “liability waiver” signed by the attacker did not explicitly declare his involvement in the attacks, but only states that the installation of the tools were for personal and technical interest.

According to the documents provided by the University, the attacker’s name is Raúl Antonio Torres Hernández, computer science engineer. The attacker, using the nick names “Red Dragon”, “Battousai” and “Vladimir Basarab” studies at the University of Gerardo Barrios where he also is active as “lecturer”.

Screenshots shared by UNIVO as proof that they had found Netsparker in one of the University’s computers.

Despite the initial positive response of UNIVO to solve the case, still many details have not been confirmed:

  • What were the motivations to perform the attacks?
  • Why did UNIVO not provide digital evidence of their investigation apart from the two screenshots shared?
  • Why didn’t the attacker respond to the requests for clarifications about the attacks?
  • Where is the exact location of the files (Netsparker) that were found?