Forensic analysis of the multiple Distributed Denial of Service attacks in the Philippines


March 9, 2022

During the second week of December 2021, the three media websites ABS-CBN (11 December), Rappler (15 December) and Verafiles (16 December) were targeted by Denial of Service attacks. Following these initial attacks, hundreds of attacks have targeted other media and human rights groups, such as Karapatan, Bulatlat and Altermidya.

This report, the result of analysing dozens of attacks over the past three months, presents the attack signatures and the technologies used to carry the attacks out. It also points to the actors likely to be involved in the attacks, and to those who support them.

ATTACK SIGNATURES

The attacks against the sites had several distinctive signatures. Six of them are listed and explained in this report to help other victims detect and mitigate future attacks.

Signature 1: Referrer Spam Headers

The botnet uses several thousand domains classified as “referrer spam” in the floods. More information about Spam Bombing can be found here. The community of Matomo Analytics (an open source web analytics platform) has been collecting many of these domains and a list can be found here. It is unclear why these specific referrers were used in the attack, but our educated guesses are:

  • The botnet author takes advantage of the Denial of Service floods to amplify a referrer-spam SEO strategy
  • The botnet author simply obtained a random list of referrers for the tool

Signature 2: CCAttack query strings

The floods also contained query strings following the pattern:

CHAR + INT + CHAR + INT + CHAR + CHAR + INT + CHAR + INT + CHAR

Qurium attributed the pattern to the Challenge Collapsar (CC-Attack) Python code. The same pattern has been present in other attacks against Philippine targets, such as the attack against Karapatan described in the report “Human rights alliance ‘Karapatan’ under long lasting DDoS attack”.

Both GET and HEAD methods were used in the attacks.

CCAttack Generated Query Strings + Spam Referral Floods

Signature 3: Use of DAVOSET Execution Tool

The attacks contained signatures suggesting the use of DAVOSET, a tool that abuses other websites so that they become the apparent source of the attack. DAVOSET ships with a list of websites that can be abused to bounce web requests towards the victim. Traffic logs from the attacks also leaked a few malformed botnet commands:

- http://about42.nl/www/showheaders.php;POST;about42.nl.txtwww.rappler.com/nation/senate-approves-bill-allowing-foreign-ownership-public-services/
- http://browsershots.org;POST;browsershots.org.txtwww.rappler.com/nation/senate-approves-bill-allowing-foreign-ownership-public-services/
- http://ping-admin.ru/index.sema;POST;ping-admin.ru.txtwww.rappler.com/nation/senate-approves-bill-allowing-foreign-ownership-public-services/
DAVOSET source code (floods via other websites functionality)

Linking all attacks

On December 17, Qurium compared a sample of 2.5 million attack log lines (2021-12-15 10:11 – 10:40 AM UTC) against Rappler with digital forensics information from the attack against Verafiles, and could quickly conclude that both attacks shared the same infrastructure (i.e. the same botnet was used for both).

Qurium also compared the attack patterns against 250,000 events recorded by the Web Application Firewall (WAF) of ABS-CBN on the 11th of December 2021 (2:00-4:00 UTC). The patterns reproduce the DAVOSET functionality. In this case, the attacker targeted the article “Journalists Maria Ressa, Dmitry Muratov receive Nobel Peace Prize”, as this request bounced through a third-party proxy script shows:

hxxp://www.zahnarzt-buhl.de/praxis/plugins/content/plugin_googlemap2_proxy.php?url=news.abs-cbn.com/spotlight/12/10/21/ressa-muratov-receive-nobel-peace-prize
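Both the leaked command lines and the ABS-CBN request above carry the victim URL inside a request aimed at a third party, so the reflector hosts and the real target can be pulled out mechanically. The following Python is an added example written for this report; it is not DAVOSET or Qurium code. It assumes the two shapes shown above: a three-field `reflector;METHOD;<host>.txt` command in which the separator before the target was lost, and a proxy script that takes the target in a `url=` query parameter. The sample lines are constructed in the same shape as the quoted ones, with hosts and paths shortened.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the same shape as the leaked lines quoted above
# (paths shortened); the last line is unrelated access-log noise.
SAMPLE_LINES = [
    "http://about42.nl/www/showheaders.php;POST;about42.nl.txtwww.rappler.com/nation/senate-approves-bill/",
    "http://browsershots.org;POST;browsershots.org.txtwww.rappler.com/nation/senate-approves-bill/",
    "hxxp://www.zahnarzt-buhl.de/praxis/plugins/content/plugin_googlemap2_proxy.php"
    "?url=news.abs-cbn.com/spotlight/12/10/21/ressa-muratov-receive-nobel-peace-prize",
    "203.0.113.7 - - [15/Dec/2021:10:11:00 +0000] \"GET / HTTP/1.1\" 200 512",
]

METHODS = {"GET", "POST", "HEAD"}


@dataclass(frozen=True)
class Bounce:
    reflector: str  # hostname of the abused third-party site
    method: str     # HTTP method the reflector is told to use
    target: str     # victim URL, scheme-less as in the leaked commands


def refang(url):
    """Reports defang schemes as hxxp/hxxps; restore them so urlsplit works."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def parse_command(line):
    """Shape 1 (assumed): `reflector;METHOD;<host>.txt<target>`, separator lost before the target."""
    parts = line.split(";")
    if len(parts) != 3:
        return None
    reflector_url, method, rest = parts
    marker = rest.find(".txt")
    if marker < 0 or method.upper() not in METHODS:
        return None
    target = rest[marker + len(".txt"):]
    host = urlsplit(refang(reflector_url)).hostname
    if not host or not target:
        return None
    return Bounce(host, method.upper(), target)


def parse_proxy_url(line):
    """Shape 2: an abused fetch-by-URL script that carries the victim in `url=`."""
    parts = urlsplit(refang(line))
    if not parts.hostname or not parts.query:
        return None
    target = parse_qs(parts.query).get("url", [""])[0]
    return Bounce(parts.hostname, "GET", target) if target else None


def parse_bounce(line):
    return parse_command(line) or parse_proxy_url(line)


def summarize_bounces(lines):
    """Return the parsed bounces and, per victim host, the set of reflectors used against it."""
    bounces = [b for b in (parse_bounce(l.strip()) for l in lines) if b]
    victims = {}
    for b in bounces:
        victim = urlsplit("//" + b.target).hostname
        victims.setdefault(victim, set()).add(b.reflector)
    return bounces, victims


if __name__ == "__main__":
    bounces, victims = summarize_bounces(SAMPLE_LINES)
    for b in bounces:
        print(f"{b.method:4} via {b.reflector:24} -> {b.target}")
    for victim, reflectors in victims.items():
        print(f"{victim}: bounced via {sorted(reflectors)}")
```

The per-victim map is the useful output for a defender: the reflector hosts are what appear as source addresses in the victim's logs, so they are the addresses to rate-limit or block, while the `target` field tells which article the attacker was actually after.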

Reviewing 8 TB of attack data

In the attack against Rappler, we identified close to 14,000 IP addresses flooding the website. The majority of the IP addresses were open proxies in USA, China, Germany, Indonesia, Russia and Vietnam.

After reviewing close to 38,000 log files with 8TB of data from rappler.com, we extracted more than 2,500 “spam referrer” domains. The majority of these domains were already present in the Matomo list.

List of “spam referrer” domains

A new series of Denial of Service attacks against Rappler took place on the 23rd of December 2021. The attacks were claimed by “Abdul” from “Pinoy Vendetta”.

The 23rd of December attacks against Rappler were claimed by Pinoy Vendetta to have been carried out by “Abdul”.

An analysis of 400 GB of compressed logs of the attack against Rappler showed around 2,000 IP addresses launching a Denial of Service against the website. At 8 AM the botnet peaked at 1 million requests per second, and the top 20 IP addresses of the botnet accounted for 50% of the requests.

The attack included the same signatures as the previous attacks, with SEO spam domains in the referrers of the floods. A new attack vector was present in this wave: the attacker targeted xmlrpc.php of the WordPress site, a dynamic endpoint that is not served from the page cache, so every request reached the origin server.

The attack lasted for 3 hours and flooded the website with a peak traffic of 1 million requests per second.
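The measurements used in this section and the previous one (source-IP overlap between two attacks to link them to one botnet, peak requests per second, the share of traffic from the top IP addresses, and hits on uncached WordPress endpoints such as xmlrpc.php) can be reproduced over an ordinary access log. The Python below is an added example and is not Qurium's tooling. It assumes the standard nginx/Apache combined log format and runs on a handful of constructed log lines that imitate two attack samples; the IP addresses and paths are invented.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# nginx/Apache "combined" log format (assumed); the timestamp has one-second resolution.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints WordPress serves dynamically; a page cache passes them through to the origin.
CACHE_BYPASS_ENDPOINTS = ("/xmlrpc.php", "/wp-login.php")


def make_line(ip, ts, method, path, referer="-", ua="-"):
    """Build one constructed combined-format line (sample data, not real traffic)."""
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" 200 512 "{referer}" "{ua}"'


# Constructed samples standing in for two attack log extracts against two victims.
ATTACK_A = [
    make_line("198.51.100.1", "15/Dec/2021:10:11:00", "GET", "/?a1b2cd3e4f", "http://seo-spam.example/"),
    make_line("198.51.100.1", "15/Dec/2021:10:11:00", "HEAD", "/?q9w8er7t6y"),
    make_line("198.51.100.1", "15/Dec/2021:10:11:00", "GET", "/xmlrpc.php"),
    make_line("198.51.100.2", "15/Dec/2021:10:11:00", "POST", "/xmlrpc.php"),
    make_line("198.51.100.3", "15/Dec/2021:10:11:01", "GET", "/nation/some-article/"),
    make_line("203.0.113.9", "15/Dec/2021:10:11:01", "GET", "/"),
]
ATTACK_B = [
    make_line("198.51.100.1", "16/Dec/2021:02:00:00", "GET", "/?z1x2cv3b4n"),
    make_line("198.51.100.2", "16/Dec/2021:02:00:00", "GET", "/"),
    make_line("192.0.2.77", "16/Dec/2021:02:00:01", "GET", "/"),
]


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or truncated line: skip it rather than abort a multi-TB pass
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["endpoint"] = urlsplit(rec["path"]).path
    return rec


def parse_log(lines):
    return [r for r in map(parse_line, lines) if r]


def source_ips(records):
    return {r["ip"] for r in records}


def infrastructure_overlap(a, b):
    """Shared source IPs and Jaccard index between two attacks; a large overlap across
    different victims is what supports the 'same botnet' conclusion."""
    ia, ib = source_ips(a), source_ips(b)
    shared = ia & ib
    return len(shared), len(shared) / len(ia | ib)


def peak_rps(records):
    """Busiest one-second bucket as (ISO timestamp, request count)."""
    ts, n = Counter(r["ts"] for r in records).most_common(1)[0]
    return ts.isoformat(), n


def top_n_share(records, n=20):
    """Fraction of all requests sent by the n most active source IPs."""
    per_ip = Counter(r["ip"] for r in records)
    return sum(c for _, c in per_ip.most_common(n)) / len(records)


def cache_bypass_hits(records, endpoints=CACHE_BYPASS_ENDPOINTS):
    """Requests that cannot be answered from the page cache and so land on the origin."""
    return Counter(r["endpoint"] for r in records if r["endpoint"] in endpoints)


if __name__ == "__main__":
    a, b = parse_log(ATTACK_A), parse_log(ATTACK_B)
    print("shared IPs, Jaccard:", infrastructure_overlap(a, b))
    print("peak rps in A:", peak_rps(a))
    print("top-1 share in A:", top_n_share(a, 1))
    print("cache-bypass hits in A:", dict(cache_bypass_hits(a)))
```

On real data the open-proxy population churns, so the Jaccard index alone understates the link between two attacks; combining it with the signature matches described in this report (referrers, query-string pattern, endpoints) gives a much stronger attribution than IP overlap by itself.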

Signature 4: A Fake Website

DDoS was not the only technique used by the group. In mid-November 2021, Pinoy Vendetta developed a website under the domain https://cpp-npa-ndfp[.]org, intending to impersonate the CPP-NPA (Communist Party of the Philippines–New People’s Army) and the NDFP (National Democratic Front of the Philippines). The website was hosted, out of sight, on github.com (https://github[.]com/xsnex4nj57z6u36j85e048sxsqogms8rxs3n286/).

Website hidden in Github.
The fake website was announced by Pinoy Vendetta.

The fake website was announced three weeks later, on the 7th of December, by Pinoy Vendetta on Facebook.

Signature 5: SST-DESTROYER

On the 29th and 30th of January 2022, two more waves of attacks were launched against Rappler. The attacker used code from a GitHub project to launch the floods. The User-Agent strings in the flood match the logic of the script's obfuscated code (the encoding of the “User-Agent” header in its Send() function).

The floods targeted the backend login page (wp-login.php) of the newspaper using the GET, POST and HEAD HTTP methods. Open proxies were abused to launch the attack. The flooder engine was based on Node.js.

While the attacker's code points to a stress testing service (SST-DESTROYER), we cannot confirm whether the attacker used the service or just the code available online.

Signature 6: All flood

One more series of Denial of Service attacks, against Altermidya and Bulatlat, was launched in the early morning of the 9th of February 2022 (Manila time).

After a brief calm period, the sixth wave of attacks against the sites started on the 10th of February (0:50 UTC).

Just like the previous attacks, these Denial of Service attacks were claimed by Pinoy Vendetta on Facebook a few hours after the first wave. The attack signatures matched the patterns found in the previous attacks against Rappler.

Screenshot of Pinoy Vendetta C&C PV_RAW

PINOY VENDETTA

Since November 2021, Pinoy Vendetta has been actively promoting online resources for conducting Denial of Service attacks via their Facebook account. The posts focus on pay-as-you-go services. “Pay access” to the CNC (command and control) panels of many botnets is frequently advertised on TikTok and Instagram, and prices are negotiated in discussion forums inside Telegram and Discord channels.

Promoting Atrac Botnet (Used against Myra.sh)
CNC Advertised in Instagram
Joker CNC
Velocity CNC

Other botnets advertised in the Facebook group include Superior, Joker XV, Velocity, Slovokia2 Reloaded, Slaykingz, Medusa, Myra, etc.

Pinoy Vendetta (how to flood websites using Scapy Python and Open Proxies)

Their methods

The DDoS techniques used by Pinoy Vendetta are application-layer flood methods, mostly routed through open proxies. The most common techniques observed are:

  • GET floods using query-string variables of 25 random characters
  • Floods using “null” as User-Agent
  • Floods with spam SEO referrers. During the analysis it was unclear whether the referrers were appended by the abused proxies; at the time of releasing this report, we know that the referrers are included in Pinoy Vendetta's PV_RAW code.
  • Floods against common WordPress endpoints: wp-links-opml, wp-admin, etc.
  • Floods abusing third-party web services
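The signatures listed here, together with Signature 1 (spam referrers) and Signature 2 (CC-Attack query strings) earlier in this report, can be turned into a per-request classifier for a WAF hook or a log review. The Python below is an added example and is not Pinoy Vendetta, CC-Attack or Qurium code. It works on already-parsed request fields (method, path, referer, user agent) so it can sit behind any log parser. Its assumptions are marked in the comments: CHAR in the CC-Attack pattern is a single ASCII letter and INT a run of digits, the 25-character variable is an alphanumeric query key, the referrer list is a small constructed stand-in for the Matomo list, and the sample requests are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed stand-in for the Matomo referrer-spam list (the real list has thousands of domains).
SPAM_REFERRERS = {"seo-spam.example", "free-traffic.example", "best-seo.example"}

# CC-Attack query string: CHAR INT CHAR INT CHAR CHAR INT CHAR INT CHAR.
# Assumption: CHAR is one ASCII letter and INT is a run of one or more digits.
CC_QUERY_RE = re.compile(r"^[A-Za-z]\d+[A-Za-z]\d+[A-Za-z]{2}\d+[A-Za-z]\d+[A-Za-z]$")

# "25 random characters variables": assumed to be a 25-character alphanumeric query key.
RANDOM_VAR_RE = re.compile(r"^[A-Za-z0-9]{25}$")

# WordPress endpoints named in the report; wp-admin is matched as a path prefix.
WP_ENDPOINTS = ("/xmlrpc.php", "/wp-login.php", "/wp-links-opml.php")
WP_PREFIXES = ("/wp-admin",)

# Constructed requests: one per signature plus one legitimate page view.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/?a1b2cd3e4f", "referer": "http://www.seo-spam.example/", "user_agent": "Mozilla/5.0"},
    {"method": "HEAD", "path": "/?q12w3er45t6y", "referer": "-", "user_agent": "Mozilla/5.0"},
    {"method": "GET", "path": "/?abcdefghijklmnopqrstuvwxy=1", "referer": "-", "user_agent": "null"},
    {"method": "POST", "path": "/xmlrpc.php", "referer": "-", "user_agent": "Mozilla/5.0"},
    {"method": "GET", "path": "/wp-admin/", "referer": "-", "user_agent": "curl/7.68.0"},
    {"method": "GET", "path": "/nation/some-article/", "referer": "https://www.google.com/", "user_agent": "Mozilla/5.0"},
]


def referrer_host(referer):
    """Registrable-looking host of the Referer header, without a leading www., or None."""
    if not referer or referer == "-":
        return None
    host = (urlsplit(referer).hostname or "").lower()
    return re.sub(r"^www\.", "", host) or None


def classify(req):
    """Return the set of signature names one request matches (empty set = nothing suspicious)."""
    tags = set()
    parts = urlsplit(req.get("path", "/"))
    if referrer_host(req.get("referer")) in SPAM_REFERRERS:
        tags.add("spam_referrer")
    if CC_QUERY_RE.match(parts.query):
        tags.add("cc_attack_query")
    if any(RANDOM_VAR_RE.match(key) for key, _ in parse_qsl(parts.query, keep_blank_values=True)):
        tags.add("random_25char_variable")
    ua = req.get("user_agent")
    if ua is None or ua.strip().lower() in {"", "-", "null"}:
        tags.add("null_user_agent")
    if parts.path in WP_ENDPOINTS or parts.path.startswith(WP_PREFIXES):
        tags.add("wordpress_endpoint")
    return tags


def summarize_signatures(requests):
    """Aggregate a batch: how many requests matched, which signatures, and which HTTP methods."""
    by_signature, methods, flagged = Counter(), Counter(), 0
    for req in requests:
        tags = classify(req)
        if tags:
            flagged += 1
            methods[req.get("method", "?")] += 1
            by_signature.update(tags)
    return {
        "total": len(requests),
        "flagged": flagged,
        "by_signature": dict(by_signature),
        "flagged_methods": dict(methods),
    }


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f'{req["method"]:4} {req["path"]:32} {sorted(classify(req))}')
    print(summarize_signatures(SAMPLE_REQUESTS))
```

None of these signatures is proof on its own: a legitimate client can send an empty User-Agent, and real visitors do arrive with odd referrers. The value is in the combination and the volume, which is why the summary counts matches per signature rather than blocking on the first hit.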

Despite their claims, none of the methods used by Pinoy Vendetta were developed by the group itself; they are instead heavily based on known DDoS tools such as MHDDOS, CC-Attack, DAVOSET and SST Destroyer, among others.

Their victims

The victims of the cyber attacks include:

  • Media sites: Rappler, Altermidya, Bulatlat, CNN, ABN, GMA Network, Bulgar Online, TV5
  • Underground groups: CPP, NPA, NDF
  • Services: Stackoverflow, Twitch.tv
  • Bounty Companies/Hacking sites: Hackerone, Hackthebox, Bugcrowd
  • Porn websites: Brazzers, Youjizz

Qurium has not been able to confirm that all the victims claimed by Pinoy Vendetta actually received attacks. It remains unclear whether Pinoy Vendetta takes the opportunity to record videos when websites are down for other reasons. For example, it is unlikely that a large website like Stackoverflow could be disrupted by the Denial of Service techniques we have analysed.

Their supporters

Lorraine Marie Badoy, a member of the “National Task Force to End the Local Communist Armed Conflict” (NTF-ELCAC) and Undersecretary at Presidential Communications (Government of the Philippines), has openly shown support for Pinoy Vendetta and for the use of Denial of Service attacks.

According to one of her statements, Pinoy Vendetta are computer geniuses.

Their members

The only group (1) that has claimed first-hand knowledge of the techniques used in the attacks is Pinoy Vendetta. This group recently spun off a new group, PV The Ordinary Citizens. Since May 2021, Pinoy Vendetta has been conducting, and claiming responsibility for, Denial of Service attacks against several websites including CPP, NDFP, josemariasison and Gordon (defacement), among others.

Many of the early members of Pinoy Vendetta (2012-2015) now work collecting “bug bounties”. Under the “bug bounty” pretext, the members conduct heavy penetration tests against sites. Two such bug bounty platforms are “Hackerone” and “Bugcrowd”.

During 2012-2013 (4ntipatika, Hitman), several domain names associated with the group were hosted on the same IP address, 173{.}254.49.194.

A visible face of the hacker community is Clifford Trigo, who works as Application Security Engineer at Bugcrowd and runs the news portal Pinoy Hack News. The portal is frequently used to announce the attacks of Anonymous Philippines and related groups.

Pinoy Vendetta signed its messages as “Crtc4L” until early 2021. As the Denial of Service attacks increased and turned political, the messages stopped carrying any personal signature.

Crtc4L also uses the nicknames Dr3inuS and Shin Takata.

Crtc4L Facebook Page

WHO IS SHIN TAKATA / CRTC4L?

Shin Takata (Crtc4L), who actively markets products on Facebook and other social media networks, has for years been conducting Denial of Service attacks and reporting malicious phishing websites. While he presents himself as a “white hacker” or “ethical hacker”, his promotion of methods such as Denial of Service attacks is highly questionable.

4tt4ck3r0n3 (Shin Takata in Twitter)
https://rocketr.net/buy/63aeb46f8466
4tt4ck3r0n3 aka Shin Takata @ Following Joker Botnet Twitter
Shin Takata, aka Crtc4l marketing products in Facebook
Shin Takata in PH Anonymous Discord Group
Shin Takata avatar (shint4k4t4, yoshimura192)
Messages signed with Crtc4l until January 2021

Shin Takata uses several online nicknames, including Dreinus/Dr3inuS, Crtc4l, Pure Filipino/4tt4ck3r0n3, Kali Shin, shinigami192, Yoshimura192, shint4k4t4, etc. Historical domain registration data reveal that Shin registered in his own name shin-strategy{.}xyz, crtc4l{.}com and myadshere{.}science between 2015 and 2017.

The domains were used in Facebook and other social media platforms to advertise his skills.

Online social media activity links Shin with Alecc Carlo L. Bertulfo (born 22 July 1986), a 35-year-old former Information Technology student of the Davao Merchant Marine Academy (DMMA) College of Southern Philippines.

Over the past weeks, Qurium has tried to reach Alecc Bertulfo a number of times, asking for an explanation. To our surprise, Bertulfo never returned our emails. However, after receiving them, he immediately deleted evidence from his multiple social media accounts (Facebook, GitHub, Instagram). The deleted accounts include his Shin Takata and Crtc4L pages and the Pinoy Vendetta Facebook groups. Luckily we made backup copies.

The following resources were deleted or otherwise changed after we emailed Bertulfo (status at the time of writing in parentheses):

  • hxxps://www.facebook.com/shintakata4124/ (DELETED)
  • hxxps://www.facebook.com/Crtc4L/ (DELETED)
  • hxxps://www.facebook.com/PinoyVendetta/ (DELETED)
  • hxxps://www.facebook.com/PinoyVendetta.Official/ (DELETED)
  • hxxps://www.facebook.com/pv.theordinarycitizens/ (DELETED)
  • hxxps://github.com/shinTakata (DELETED)
  • hxxps://github.com/ChakriWongsuwon (RENAMED ACCOUNT) [1]
  • hxxps://twitter.com/t4kish4m4 (ACTIVE)
  • hxxps://www.twitter.com/Puro_filipino (ACTIVE)
  • hxxps://www.facebook.com/pinoycyberddos (DELETED)
  • hxxps://www.instagram.com/kali_shin/ (DELETED POSTS)
  • hxxps://www.instagram.com/shint4k4t4/ (DELETED)
  • hxxps://www.instagram.com/ch4krii/ (RENAMED)
  • hxxps://www.facebook.com/PV.Dr3inuS.Official/ (DELETED)
  • hxxps://www.twitter.com/Puro_Filipino (ACTIVE)
  • hxxps://www.facebook.com/CyberShinGaming (RE-ACTIVATED – RENAMED)
  • hxxps://www.facebook.com/newlocalhost (RENAMED)
  • hxxps://www.pinterest.com/yoshimura192/ (ACTIVE)
  • hxxps://www.tiktok.com/@chakriwongsuwon (RENAMED ACCOUNT)
  • hxxps://www.facebook.com/chakrii2789/ (NEW ACCOUNT)
  • hxxps://www.pinterest.com/shinrei192/
  • hxxps://www.facebook.com/CuteGirlsOfPhilippines (UNREACHABLE)
  • hxxps://verycutegirlsinjapan.wordpress.com/ (ACTIVE)
  • hxxps://www.flickr.com/photos/cutegirlsofjapan/ (ACTIVE)
  • hxxps://www.facebook.com/ddos.PHU.edu.ph/ (DELETED)