Attacks against media in the Philippines continue


June 22, 2021 (Updated: June 29, 2021)

Note: This forensic report is a LIVE DOCUMENT, new findings are added to the report constantly. We are still processing and analyzing the attack data recorded.

During the past month, Qurium has received brief but frequent denial attacks against the Philippine alternative media outlets Bulatlat and Altermidya, as well as the human rights group Karapatan.

This forensic report summarizes our findings and has been updated since the release of the first version to include the new findings.

Summary of attacks

This section includes a brief summary of some of the attacks recorded during May – June 2021.

  • 2021/05/17 02:24 HTTP POST flood against Bulatlat
  • 2021/05/17 02:40 HTTP GET flood against Karapatan

These two attacks had specific signatures including the “SSL negotiation fingerprint”, the type of payload and that the service “check-host” was used by the attacker to verify if the attacks were successful.

  • 2021/05/18 06:06 Using a server from virmach.com 23.95.9{.}155, the attacker floods Altermidya with requests using Apache Benchmark tool (ApacheBench/2.3)
  • 2021/05/18 07:33 A machine from the Department of Science and Technology (PH) with IP address 202.90.137{.}42 launches a vulnerability scan against Bulatlat. The sequence of the scan reassembles the use of the tool “Sn1per” from Xerosecurity.
Image
Sample of the logs of the Pentest
  • The IP seems to belong to the The Philippine Research, Education, and Government Information Network.
Sophos Certificate C4307BK7HWCPJEB signed by hardware supplier “IP Solutions Inc”

A close look into the IP reveals that a Sophos firewall is behind the IP address. The appliance has a Certificate in the name of IP-Solutions Inc. The company (Lorna V. Zacate) signing the digital certificates of the appliances is a supplier of hardware and services to the Governmental Institutions in the Philippines.

While searching for Sophos Firewall machines in the same network, we found another unit in the next IP 202.90.137{.}43, also with digital certificate in the name of IP Solutions Inc. This box also has a service in port 3400 with the details:

acepcionecjr{@}army.mil.ph Taguig Red Server

The RED Server seems to refer to Sophos XG Technology RED, Remote Ethernet Device (RED) is a small network appliance that allows to build tunnels and internal networks.

Protocol RED. Port 3400 and TLS

We also found that the Marine Corps of the Philippines have their Scrollout F1 anti-spam mailserver inside of DOST, confirming the idea that military operates inside the IP space assigned to the Department of Science of Technology.

Image
Presence of other military infrastructure in the subnet

The certificate of the “RED” Sophos server provided the following information:

IP: 202.90.137.43
emailAddress = acepcionecjr{@}army.mil.ph 
Country = PH 
Location = Taguig 
Organization = ARMY

Using RiskIQ we searched for the history of certificates of 202.90.137{.}43 and 202.90.137{.}42 and we found that the certificate of the attacker IP “.42” has been seen in another providers.

AS17639 ComClark Network & Technology Corp.|121.58.209.215|
AS9821 Department of Science and Technology|202.90.137.42|
AS6648 Bayan Telecommunications, Inc.|125.212.41.130|
AS17639 ComClark Network & Technology Corp.|121.58.248.18| 

But the most interesting finding was when we did a search for certificates containing the email: acepcionecjr{@}army.mil.ph in Censys.

Another certificate showed up! This one contained the (O)rganization name= OG2-PA

What is OG2-PA?

In the context of the military jargon, OG2 stands for Office of the Assistant Chief of Staff for Intelligence and PA stands for Philippine Army.

Wikipedia Edits

Another interesting finding is that the attacker’s IP address is present in the Edits of the Wikipedia page for “Chief of Army (Philippines)” and many other pages related to the Army.

Image

We could also reconfirm that other IP addresses using the same digital certificate had also make similar edits.

Linking .42 and .43 addresses

During our research we could confirm that (1) both address run similar hardware, Sophos XG and RED tunneling, (2) both boxes have digital certificates of the hardware supplier “IP Solutions Inc” and (3) that their very first certificates were issued 2015-07-31 (Source: RiskIQ)

Attacks continue

  • 2021/05/20 13:05 Karapatan receives a small flood with user-agent AdobeUxTechC4-Async/3.0.12 (win32). The machine 188.63.78{.}119 crawls heavily media from the Philippines.
  • 2021/06/16 06:42 Large flood on Altermidya and Bulatlat from multiple IP addresses. Floods include requests of the type /?u144642756919q213158629662aB2146578135208224622277442H and user agent: null
  • 2021/06/22 22:50 – 2021/06/23 – 03:00 Attacks against Bulatlat and Altermidya for several hours. During the DDOS attacks a pen testing against the sites was conducted.

The attacker launched a “Denial of Service” against bulatlat.com, flooding the site with requests of the type GET /?q=123456789. At the very same time the attacker run “Nikto” to pen test the site. The flood run 1000+ faster that the pen testing script. We have sample down 1/1000 the “Denial of Service” logs to visualize the attack.

Pen testing attack “Nikto” while running DDOS.

Abuse Handling and official reaction

Days before the release of this report, we reached out to ops@pregi.net and denis@asti.dost.gov.ph to request more information about the IP addresses inside DOST-ASTI. Qurium also mailed to “IP Solutions Inc.” as suppliers of the Sophos XG Firewalls for extra information.

The mailbox of Denis F. Villorente, point of contact for Abuse cases (Abuse ASTIPH) bounced as mailbox was full. IP Solutions did not respond to our request for information.

Abuse contact details for the network

[29 June 2021] The public official response that we have read in the media:

  • Rowena Cristina Guevara (DOST-ASTI) told the PNA that addresses were received from the Regional Registry (APNIC) and DOST provides IP space to other Governmental Agencies.
  • That Qurium traced the attack to the IP address does not mean the DOST involvement.
  • DOST-ASTI has not made public which Governmental Agency is behind the IP address.
  • The army spokesman Col. Ramon Zagala stated that the Philippine Army “respects freedom of expression and per policy, will never infringe that freedom”.
  • In a Zoom interview for ABS-CBN, DOST confirmed that the IP space belongs to an “Agency” which name can not be revealed not to burden DICT investigation.

Our open questions still remain:

  1. Which Organization or Institution operates behind the address 202.90.137{.}42?
  2. Why such organization and their Abuse Handling details are not properly reflected in the APNIC Whois Database or any other public resource to speed up “Network Abuse” resolution?
  3. Who is acepcionecjr @ army.mil.ph?