[Header image: a glowing red chip module labelled "HACKED" resting on a circuit board.]

The SLBFE Hack: More than just a Hack?

The month of April has been a busy time for cybercriminals and infosec professionals alike. In the 25 days that have gone by, PayHere was hacked while #OpSriLanka knocked several government websites offline. The latest incident involves LulzSecSL (a local offshoot of LulzSec?) breaking into an online database maintained by the SLBFE, the Sri Lanka Bureau of Foreign Employment, and making the stolen information publicly available for download (source: The Morning).

Although, according to the report by The Morning, the hack was an act of retaliation against the Rajapakse administration and a token of support for #GoHomeGota2022, I cannot help but believe the incident reveals a much deeper conspiracy. It seems the contractors responsible for developing and deploying the database in question reduced its security deliberately. I wish I were wrong, but I can't rule out the possibility because we aren't new to such data scandals (e.g. the NRMA database wipeout). Keep on reading to learn more.

The method used to hack SLBFE

According to Asela Waidyalankara, a cyber security expert, the attackers used "SQL Injection" (using a piece of SQL code to manipulate a database and gain access to potentially valuable information) to access the database. As far as I know, known SQL Injection vulnerabilities and other non-zero-day bugs can be addressed at the auditing phase of the Software Development Life Cycle. Did the developers avoid implementing these safeguards deliberately, so they could break in and harvest the data later? Only an investigation will tell.

Passwords stored in Plain Text

While checking the data dump I downloaded, I was shocked to discover a screenshot of a database table containing employee login passwords in plain text. My initial thought was that the developers were clumsy, but it occurred to me later: maybe they weren't clumsy after all.

[Screenshot: a phpMyAdmin-style database view of the "slbfe" database (11 tables) on http://www.slbfe.lk, showing the "tblStaff" table with columns including "fldStaffAccessLevel," "fldStaffAccessStatus," "fldStaffEmail," "fldStaffId," and "fldStaffPassword"; the "fldStaffPassword" column holds plaintext passwords. A "LulzSec.sl" watermark covers the image.]
Passwords Stored in Plain Text Format

Maybe they decided to maintain a backdoor, which would have been useless if those passwords were encrypted. It's a vague assumption, but a responsible developer should not design a database to store passwords in plain text unless he has an ulterior motive.

Source Code not Audited at All

Even if the developers were too lazy to design the database-driven application to encrypt passwords before storing them in the database, we can't dismiss the lack of a source code audit as laziness. Detecting and correcting mistakes in the code is one of the many purposes of an audit. The plain text passwords indicate that the source code was not audited at all. An audit could have helped the SLBFE identify the SQL Injection vulnerabilities and the presence of a backdoor, if there is one. Maybe that is the reason why there was no audit.
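The two code-level defects discussed above (a query assembled from untrusted text, and passwords stored as typed) are exactly what an audit is meant to catch. The following added example, written for this article and not taken from the SLBFE application, shows both defects beside their fixes on an in-memory SQLite table that borrows the column names from the screenshot; the staff records are constructed sample data.

```python
import hashlib, hmac, os, sqlite3

# Constructed sample accounts (made-up values, not from the leaked dump).
STAFF = [("admin@example.test", "Winter2015!"), ("o'brien@example.test", "Tr4vel#Desk")]
PBKDF2_ROUNDS = 200_000

def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'. The password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblStaff (fldStaffEmail TEXT PRIMARY KEY, fldStaffPassword TEXT)")
    conn.executemany("INSERT INTO tblStaff VALUES (?, ?)",
                     [(email, hash_password(pw)) for email, pw in STAFF])
    return conn

def lookup_unsafe(conn, email):
    # Defect: the user-supplied text is spliced into the SQL statement, so the
    # database cannot distinguish data from code. A plain apostrophe already
    # changes the statement's structure; this is the root of SQL injection.
    sql = "SELECT fldStaffPassword FROM tblStaff WHERE fldStaffEmail = '" + email + "'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, email):
    # Fix: a bound parameter is sent separately from the statement text, so the
    # value can never alter the query, whatever characters it contains.
    sql = "SELECT fldStaffPassword FROM tblStaff WHERE fldStaffEmail = ?"
    return conn.execute(sql, (email,)).fetchone()

def unsafe_lookup_breaks(conn, email):
    """True if the concatenated query is rejected by the parser for this input."""
    try:
        lookup_unsafe(conn, email)
        return False
    except sqlite3.OperationalError:
        return True

def login(conn, email, password):
    row = lookup_safe(conn, email)
    return row is not None and verify_password(password, row[0])
```

Run `login(build_db(), "admin@example.test", "Winter2015!")` to see the hardened path succeed, and `unsafe_lookup_breaks(build_db(), "o'brien@example.test")` to see the concatenated query fall apart on ordinary input.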

Wrap Up

Even if there is no conspiracy, the lack of code-level protection against SQL Injection attacks, passwords being stored in plain text format, and the lack of a source code audit are a recipe for disaster. The incident indicates we cannot trust the government with our personally identifiable information. Can you imagine the treasure trove of information a hacker could find if he broke into a production server operated by the Department of Immigration and Emigration (Passport Office)?

[Screenshot: a text file hosted on MEGA titled "SRI LANKA BUREAU OF FOREIGN EMPLOYMENT - DATA LEAK by LulzSec.sl", with columns for "Agency," "Address," "Telephone," "Fax," and "Email"; the telephone and email columns are redacted.]
Details of Manpower Recruitment Agencies Registered with the SLBFE

Among the dumped data were also the details (email addresses, telephone numbers, etc.) of the Manpower Recruitment Agencies registered with the SLBFE. These email addresses can be used for large-scale spamming and phishing campaigns, undermining the safety of many. Contact numbers can be used to trick smartphone users into downloading malware onto their devices through SMS or WhatsApp messages. So, does the hack indicate the presence of a larger conspiracy? Time alone can confirm.


If you found this content helpful, I kindly ask you to leave your feedback in the comments section below. Sharing it on social media would also be greatly appreciated. In order to promote meaningful and respectful dialogue, I request that you use your full name when commenting. Please note that any comments containing profanity, name-calling, or a disrespectful tone will be deleted. Thank you for your understanding and participation.