Hackers are after anyone seeking Pakistani passport while there is no response from the website’s administrator.
Researchers at information security firm Trustwave have made a startling new discovery about the data breach on a Pakistani government website involving the Scanbox Framework. It is worth noting that the Scanbox is a dangerous payload and this is the same kind of attack that last week Bangladeshi Embassy in Cairo suffered.
In the recent attack, the Pakistani website tracking.dgip.gov[.]pk was compromised, which is a subdomain of the Directorate General of Immigration. This particular website allows applicants of Pakistani passports to track their applications’ status. The infection was first identified on March 2, 2019.
Trustwave’s detected the compromised website as malicious.
According to Trustwave’s blog post, the malicious Scanbox Javascript code has been loaded from a remote location and can obtain all sorts of information about the visitors’ devices along with recording keystrokes that every visitor makes when visiting the website.
Moreover, Trustwave researchers noted that Scanbox also attempts to identify if the visitor has any of the 77 products (including security software, virtualization, and decompression tools) installed on the device. The names of the products are part of its built-in list.
Scanbox is basically a reconnaissance framework discovered in 2014 and commonly used by APT (Advanced persistent threat) groups. It is the same framework that was used by the Stone Panda APT group in 2017 and in 2018 by LuckyMouse.
Usually, it is used in water hole attacks where a website is infected with the Scanbox Framework to obtain information about the site visitors such as their IP addresses, device OS, plugins, User Agent, and referrer. The information is then used to launch well-organized attacks against some potential targets of importance. The framework is evolving tremendously every passing year as far as the extensiveness of the gathered information is concerned.
Surprisingly, the infection stays undetected by a majority of security products. At the moment, Trustwave cannot affirm with surety since when the site was infected with Scanbox but they did confirm that on the day it was identified by their researchers, Scanbox obtained information about 70 different site visitors and login credentials of about one-third of them were also collected.
The company initiated a deeper probe on the site and it was observed on March 7 that the server linked with the framework stopped responding. When the server was active, a VT scan was carried out that revealed low detection rates for the server.
The website administration was informed about the infection but no response was received as yet while the website is still compromised although the server is inactive the infection can access the site. Researchers believe that quite possibly the attackers will again activate the server or replace it with another malicious code.
Although it is unclear who is behind the attack, this is not the first time when Pakistan’s IT infrastructure has made headlines for all the wrong reasons. Last year, it was reported that personal and sensitive data from “almost every Pakistani Bank” was stolen and sold on the dark web.
Update – Monday, 25 March 2019
Trustwave hasn’t received any response from Pakistani authorities, but at the moment the site is down for maintenance with the following message: “Sorry for the inconvenience; Web page is down for some maintenance work at the moment.”
Update: Friday, 7th, June 2019
Trustwave still didn’t receive any response from Pakistani authorities however at the moment the targeted domain (tracking.dgip.gov.pk) was apparently removed from the server. Currently, the domain is displaying “Not Found HTTP Error 404. The requested resource is not found” message.
