The Civil Aviation Authority of the Philippines (CAAP; Filipino: Pangasiwaan ng Abyasyon Sibil ng Pilipinas) is the national aviation authority of the Philippines and is responsible for implementing policies on civil aviation to assure safe, economic and efficient air travel. The agency also investigates aviation accidents via its Aircraft Accident Investigation and Inquiry Board. Formerly Air Transportation Office, it is a government-owned and controlled corporation attached to the Department of Transportation for the purpose of policy coordination. (Reference Wikipedia)
The agency has just been hacked, and it happened fast. The defacement was perpetrated by “Anonymous-ghost”, who appears to be from China judging by the Chinese characters on the deface page. Google had even crawled the defaced page, so either its crawler was quick or the defacement stayed up for a longer period.
Screenshots of the defaced page and the Google search result are below.
Once the administrators got wind of the defacement, a hasty restoration was made and the CAAP website was placed under maintenance, but they forgot to remove the favicon that the hacker had used.
After learning of the incident, the Nullforge team decided to passively investigate how the hacker might have gained access to the site. Here’s our analysis:
- Outdated Joomla CMS v3.6.5 – http://www.caap.gov.ph/administrator/manifests/files/joomla.xml – the current stable version is v3.8 – (lack or absence of patch management)
- There is a known zero-day exploit for Joomla CMS v3.6.5 circulating in the wild.
- Several security weaknesses were spotted on the CAAP website that any security researcher or skilled attacker could see. – (lack or absence of vulnerability assessment and penetration testing)
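As an added example (not part of the original post and not Nullforge's tooling), here is a small Python audit that reads a Joomla core manifest like the one the first finding points to and flags the install when it is behind the current stable release. The manifest text is a constructed sample in the layout of administrator/manifests/files/joomla.xml, and the "current stable" value is supplied by the operator running the check.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the layout of Joomla's
# administrator/manifests/files/joomla.xml (not the file from the CAAP site).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <creationDate>December 2016</creationDate>
    <version>3.6.5</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""


def parse_version(text: str) -> tuple:
    """Turn '3.6.5', '3.8' or '3.8.0-rc1' into a comparable integer tuple padded to 3 parts."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def manifest_version(xml_text: str) -> str:
    """Read the installed core version from a Joomla file manifest."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def audit_manifest(xml_text: str, current_stable: str) -> dict:
    """Compare the installed version with the current stable release and report the gap."""
    installed = manifest_version(xml_text)
    outdated = parse_version(installed) < parse_version(current_stable)
    return {
        "installed": installed,
        "current_stable": current_stable,
        "outdated": outdated,
        "finding": ("install is behind current stable; apply the pending core updates"
                    if outdated else "install matches or exceeds current stable"),
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, "3.8"))
```

On a site you operate, feed the check the manifest fetched from your own web root; if that file is readable without authentication, as it was in the finding above, that exposure is a separate item to fix alongside the missing updates.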
This is not the first defacement incident to hit CAAP; the site was hacked just a month ago, though we do not know which vulnerability was used that time.
As security researchers, we would ask the following questions:
- How deep was the attack?
- Was any PII breached?
- Was any confidential information stolen?
- What are the post-incident procedures the administrators took?
- Did they perform forensics on the affected servers?