10 March 2020
Starting the 28th of February, Qurium has monitored and mitigated several forms of cyberattacks against Premium Times Nigeria.
The first attacks aimed to find vulnerabilities in the website. The attacker performed vulnerability scans using Nikto and Acunetix during the 28th and 29th of February. Starting from March 1st, the attacker launched Denial of Service attacks aiming to take the website down.
On February 29th, it was made public that the Department of State Services (DSS) had launched a manhunt for Samuel Ogundipe, an investigative journalist with the online newspaper Premium Times, over a report on the rift between Chief of Staff to President Muhammadu Buhari, Abba Kyari, and National Security Adviser, Babagana Monguno.
On March 1st, the newspaper announced that two men suspected to be officials of the State Security Service attempted to breach the home of Premium Times’ Editor-in-Chief, Musikilu Mojeed, claiming they had a message to deliver to him.
Proxies used to hide the attacker’s location
"39.37.130.12" "28/Feb/2020:17:44:19" "GET" "403" "/ApcCFTKl.j" "403" opinion.premiumtimesng.com" "80" "154.66.33.191" "28/Feb/2020:12:37:34 +0000" "GET" "/?_test1=c:\x5Cwindows\x5Csystem32\x5Ccmd.exe&_test2=/etc/passwd&_test3=|/bin/sh&_test4=(SELECT%20*%20FROM%20nonexistent)%20--&_test5=>/no/such/file&_test6=<script>alert(1)</script> "403" "www..premiumtimesng.com" "193.29.13.215" 29/Feb/2020:16:56:52 +0000" "GET" "/acunetix-wvs-test-for-some-inexistent-file" "294" "blogs.premiumtimesng.com" "39.37.173.215" "29/Feb/2020:17:53:47 +0000" "HEAD" "/" "403" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)""opinion.premiumtimesng.com" "80"
Pen testing from the Federal University of Technology, Akure (FUTA)
During February 28th and 29th, several scans and penetration attempts took place from the network 196.220.135.0/24 that is registered in the name of the Federal University of Technology, Akure (FUTA) Nigeria. FUTA is a top ranking University of technology in Nigeria, offering courses in Cyber Security.
- 196.220.135.2 Performed a WordPress Scan (WPScan)
- 196.220.135.186 Performed a Fuzz Faster pen testing
- 196.220.135.174 Performed manual scans
"196.220.135.2" "29/Feb/2020:06:15:03 +0000" "403" "www.premiumtimesng.com" " "WPScan v3.7.5 (https://wpscan.org/)" "196.220.135.186" "28/Feb/2020:20:10:51" "GET" "/.bundle" "302" "www.premiumtimesng.com" " "Fuzz Faster U Fool v1.0-rc1" "196.220.135.174" "29/Feb/2020:07:43:09" "GET" "/wp-admin/import.php" "200" "www.premiumtimesng.com" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
The 196.220.135.0/24 network is routed by the 196.220.128.0/24 network associated to the Computer Resource Center of FUTA.
What do we know about this network?
The network 196.220.135.0/24 is a part of the bigger network prefix 196.220.128.0/19 announced by ASN provider AS327705 aka Federal University of Technology, Akure (FUTA) . The network is operated by the Computer Resource Center (CRC).
The network of FUTA is very unstable and often goes offline. This can be seen monitoring the BGP stability of the prefix during time. No public services seems to be hosted in the network. Services like mail or websites of the University are hosted abroad.
When analyzing traffic from FUTA visiting Premium Times during the past six months, we found little or no traffic coming from this big network. The few requests coming to our servers were spread across the IP space with very diverse User-Agents and mostly mobile connections.
During the test period of six months, Qurium received less than 16.000 requests coming from the 8192 IPs of the network 196.220.128.0/19 and a few hundred requests from the attacker network 196.220.135.0/24. The fact that the attacker used the IP address 196.220.135.2 to run the scans is surprising, as we have never received traffic from lower IPs of the network.
In order to understand the normal office hours of the University, we graphed all the requests and their timestamps. The University seems to start its activities at 6:00 AM UTC and the traffic is reduced around 17:00-18:00 PM. During the test period, only 15% of the FUTA origin traffic targeting Qurium’s infrastructure takes place between 20:00 PM and midnight. More than 95% of this traffic is from Mobile phones.
What was the attacker doing from the University infrastructure at 20:00 PM running Kali Linux?
Desktop traffic (mostly Windows NT) represents less than 15% of the visits and very little or no traffic has been recorded outside of the 6 AM – 18 PM time range.
The attacker worked during two days from 6 AM to 21 PM trying to break into Premium Times’ website.
Attacker also uses 9mobile
The attacker also used the same tools from 9mobile/EMTS mobile network. Using the signature of the tool used by the attacker, it can be seen how the attacker continued the attacks using a mobile connection around 20:20 PM GMT.
"41.190.31.91" "28/Feb/2020:20:21:16 +0000" "GET" "/deploy.rake" "302" "www.premiumtimesng.com" "Fuzz Faster U Fool v1.0-rc1" "41.190.3.241" "29/Feb/2020:08:27:54 +0000" "GET" "/nice%20ports%2C/Tri%6Eity.txt%2ebak"
The DDoS attacks start
On March 1st, several waves of attacks were launched against the newspapers’ website.
9:28 AM Attacker launches Chargen Amplification attack against website.
9:43 AM Attacker floods Qurium infrastructure trying to bypass our CDN.
11:40 AM Attacker launches an application layer attack against the CDN, with methods GET Flood, POST Flood, GET Random URL Flood.
16:20 PM Attacker launches another application layer attack against the CDN.
18:00 PM Attacker launches an attack against Qurium’s DNS servers
19:46 PM Attacker launches a second attack against Qurium’s DNS servers
20:50 PM Attacker launches NTP Amp against website.
3rd March – 11:05 AM GET flood
The attacker checks the website availability using “Check-Host” service.
FUTA acknowledges the attack
On March 5th, Qurium reached out to FUTA to inform them about the attacks. A mail was sent to Oronti Adewale (Senior Network Engineer), Adegbenro Adebanjo (Spokesman, Communications) and to the CRC Director and Vice Chancellor of the University. No response was received.
On March 6th (9:36 AM) the same email was sent to Professor Boniface Kayode Alese from the Department of Computer Science. Prof. Alesa is a teacher in Cybersecurity and frequent speaker in the area of cybercrime.
The same day (19:54 PM), Prof. Alese confirmed that a “male student” performed the pen testing attacks for pleasure and asked for more information about the Denial of Service Attacks. Logs were forwarded with evidence of pen testing carried out from the University infrastructure. Alese has since then refused to provide more details about the student and how he was identified so quickly.
Hi, Our investigation so far confirms that one of our students carried out a Pen Testing but we do not have any evidence yet that he carried out DOS attack. During investigation, he told us that he did just for pleasure. This we can investigate further if we have the complete log from you but going forward, may I know your relationship with Premium Times and what you actually expect from the institution? Thanks
Mails to FUTA were sent on March 7th and 10th asking for further details about the attacker and how he was identified. The University stopped answering our requests for further clarifications.
Questions to be answered
Despite our efforts to better understand who attacked Premium Times Nigeria and the motivations behind the attacks, there are still some open questions:
- Who was running “Kali Linux” and other pen testing tools during the Friday and Saturday 28 and 29th of February 2020?
- Who had access to the University network infrastructure at 20 PM on a Saturday and from which location to perform the attacks?
- Why the “student” choose to attack Premium Times Nigeria for “pleasure”?
- How the University could identity the attacker in less than 12h after our mails were sent?
- Why the representatives of FUTA refused to provide further details or totally ignored our mails?