Financial Terrorism Series
28 Aug 2021
Decoding the FBR Hack: Federal Board of Revenue, Pakistan
Please contact EUNOMATIX at [email protected] for more information and clarification about this report
• According to Pakistani media, the Federal Board of Revenue (FBR) reported a cyber attack on the FBR Data Centre on 13/14 August, causing data centre downtime of more than 72 hours.
• FBR restored its tax-related functions (PRAL) on 16 August; however, the hackers put FBR's data on sale on a Russian darknet forum for $30,000.
• In June 2021, the World Bank Implementation Status and Results Report (P165982) had highlighted issues related to obsolete ICT equipment, legacy software and the lack of resilient cloud infrastructure.
• As per FBR's technical assessment of the incident, the hackers intruded into the FBR system through the Microsoft Hyper-V vulnerability CVE-2021-28476, allegedly on unregistered/unlicensed servers.
• Multiple spear-phishing emails from spoofed Government domains carrying malicious dropper malware were sent to FBR officials, thus exploiting the unpatched Hyper-V infrastructure.
LICENSING / PIRACY ISSUE
FBR has further clarified that in 2019 the issue of VMware licensing was raised by the US government, and that it was addressed by procuring the requisite licenses after following the relevant procedures laid down in the PPRA rules. For over a year no such issue regarding VMware has cropped up, FBR added.
CYBER SECURITY READINESS
FBR also clarified that "in their data centers there are numerous software products which are being used to perform different functions such as cyber security, virtualization, firewall, etc." Key companies whose products are being utilized include Oracle, Microsoft, VMware and Kaspersky.
FBR & NADRA
The attack comes at a time when the government is reviewing a legal proposal to give the National Database Registration Authority (NADRA) access to the FBR's database. Due to the disconnection from the data source, people are not able to benefit from the Active Taxpayers List.
GENERAL HIGHLIGHTS
FBR DATA CENTER VULNERABILITY ANALYSIS
CVE-2021-28476: a guest-to-host Microsoft Hyper-V Remote Code Execution vulnerability in vmswitch.sys
This vulnerability, allegedly used in the FBR hack, is triggerable by a guest virtual machine sending a malicious Microsoft Remote Network Driver Interface Specification (RNDIS) packet over VMBus (a channel-based communication mechanism used for inter-partition communication). Guardicore Labs, in collaboration with SafeBreach Labs, reported this 9.9-rated critical vulnerability during Black Hat 2021.
The vulnerability was found using hAFL1, a kAFL-based fuzzing infrastructure for Hyper-V devices that sends fuzzing inputs from the host level. By doing so, hAFL1 allows structure-aware fuzzing of RNDIS packets, supplying the specific bit patterns required to write a Hyper-V fuzzer; a bug found this way can thus take down large Azure infrastructure.
REFERENCE: https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Hafl1-Our-Journey-Of-Fuzzing-Hyper-V-And-Discovering-A-0-Day.pdf
Hyper-V Fuzzer: https://github.com/SB-GC-Labs/hAFL1
FBR LOOKALIKE DOMAINS HOSTED
RECENT PHISHING DOMAINS
Based on darknet intelligence, multiple lookalike domains have been registered to target FBR and other Pakistani Government organizations.
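An added example, not part of the original report: a small Python triage routine that flags hostnames reusing a watched organisation's name (fbr, sbp, and so on) under a registered domain that organisation does not own, which is the pattern the lookalike domains in this section follow. The allowlist, the public-suffix set and the sample hostnames are assumptions constructed for this example.

```python
# Added example (not from the report): flag hostnames that reuse a watched
# organisation's name under a registered domain the organisation does not own.
import re

# Assumption: a small set of two-label public suffixes used by Pakistani
# government and organisation domains.
TWO_LABEL_SUFFIXES = {"gov.pk", "org.pk", "com.pk", "edu.pk", "net.pk"}

# Assumption: legitimate registered domains of the organisations the report names.
ALLOWLIST = {"fbr.gov.pk", "sbp.org.pk", "interior.gov.pk", "hajjinfo.org", "pral.com.pk"}

# 'fbr' from fbr.gov.pk, 'sbp' from sbp.org.pk, and so on.
BRANDS = {d.split(".")[0] for d in ALLOWLIST}

def refang(host):
    """Turn a defanged 'fbr-gov.static-host[.]example' back into a hostname."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")

def registered_domain(host):
    """Naive registrable domain: three labels under gov.pk-style suffixes, else two."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def classify(host):
    """Return (host, registered_domain, brand) when the hostname carries a watched
    brand token but sits outside that brand's own registered domain, else None."""
    host = refang(host)
    reg = registered_domain(host)
    if reg in ALLOWLIST:
        return None
    # Split on '.' and '-' so the label 'fbr-gov' yields the tokens 'fbr' and 'gov'.
    tokens = set(re.split(r"[.-]", host))
    for brand in sorted(BRANDS):
        if brand in tokens:
            return (host, reg, brand)
    return None

def triage(hosts):
    """Keep only the suspicious entries from a list of observed hostnames."""
    hits = []
    for h in hosts:
        hit = classify(h)
        if hit:
            hits.append(hit)
    return hits

# Constructed sample input modelled on the lookalike pattern in the report.
SAMPLE = ["www.fbr.gov.pk", "fbr-gov.static-host[.]example", "downloads.fbr.tax",
          "static-host.example", "sbp-org.static-host.example"]
```

Feeding passive-DNS or certificate-transparency output through triage() surfaces candidates for blocking at the mail gateway and proxy; the registered-domain logic is deliberately naive and should be replaced by a real public-suffix list in production.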
Threat Intelligence sources: AlienVault, Shodan, CrowdStrike, Intel471, ThreatConnect, RiskIQ, IBM X-Force
DarkNet Intelligence Platforms: SunarTek, Cybersixgill
HACKING ACTIVE AGAINST FBR
ACTIVE THREAT ACTORS
Despite the alleged involvement of APT41 (China) and Russian threat actors (Yolishanda), it is still inferred that the role of the RAJDHANI and WALLMONITOR threat actors cannot be ignored.
WALLMONITOR
Origin: Indian-nexus APT group, Sidewinder
Reported by: FireEye
Exploited Vulnerabilities:
Mandiant Threat Intelligence had discovered a document named "NDC Participants.docx" (MD5: df020e81b7ca32868a8ac1f5eddd086f, 5 Nov 2020) submitted to a public scanning service, which is linked to the Indian APT group Sidewinder. The document contains a participant list for the 60th NDC Course (the content of the lure document begins with the title "NDC Course-60 Participants") and serves as the first-stage downloader of a multi-stage malware, exploiting CVE-2017-0199 and CVE-2017-11882.
This document uses template injection to download another malicious document from an external URL. The downloaded document is named "main.file.rtf". It exploits the CVE-2017-11882 vulnerability to execute the embedded JavaScript payload "1.a", which drops, decodes, and executes a series of embedded payloads that ultimately install an instance of WALLMONITOR using the DLL side-loading technique.
WALLMONITOR is a backdoor that collects system information and exfiltrates sensitive documents to the command and control (C&C) domain "cdn-sop.net" via HTTPS.
Please contact EUNOMATIX at [email protected] for more information about RAJDHANI & WALLMONITOR Threat Actors
NDC Participants.docx analysis: https://app.any.run/tasks/08bab6d6-336a-4b72-8641-3f21fa12ff42/
TARGETED FBR INFRASTRUCTURE
CURRENT ACTIVE FBR TARGETS BY SIDEWINDER
FBR's exposed infrastructure is currently being targeted by multiple threat actors, and multiple active zero-day vulnerabilities are being used against it.
ABOUT EUNOMATIX
EUNOMATIX offers consultancy and managed next-generation cyber security services to large and medium-size organizations, while dealing with a wide intrusion threat spectrum.
Our Cyber Security department is capable of providing concrete breach-proof protection for the enterprise network, critical internal IT assets, sensitive data repositories, and remote and on-site users through advanced Data Science techniques (clustering, learning, prediction, classification, etc.). Our services also include implementation of security controls as per the regulations mentioned in the latest security standards, including GDPR, ITIL, GLBA, PCI, SOX, HIPAA and ISO 27001/27002. EUNOMATIX is also equipped with a team of exploit and malware researchers that provides enterprise implementation and research services to different technology customers in the EMEA region.
Cyber Security Services - We have been approached by different enterprises and research groups to deploy and develop security monitoring networks and test-beds with special implementation requirements. We can implement Machine Learning and Artificial Intelligence (AI) using any contemporary cyber security standards like the Cyber Kill Chain, the MITRE ATT&CK Matrix, MITRE CAR, NIST and McAfee's SOC Specifications.
Providing network and security services is much beyond just selling security products - it means that our relationship with our valuable customers is just beginning when the technology is under deployment. Once the services are up and running, our customers rely on and believe in us to have certified and expert engineers and analysts on duty and on call 24 hours a day, 365 days a year.
Managed Services - We are expert in provisioning a comprehensive overlay network security layer for large data-center, enterprise and telecom service-provider networks. In this security layer, we can implement highly demanded security features like Firewalls, Taps, IDS/IPS, UTM (Unified Threat Management), SIEM, Anti-DDoS, Application Security, Access Control, IP/DNS Reputation, Forensics, Threat Intelligence, etc. Our security review mechanism is fully in line with the latest security standards, i.e. ITIL, GDPR, GLBA, PCI, SOX, HIPAA and ISO 27001/27002.
Remote Services - We are capable of providing configuration, implementation and troubleshooting services remotely for any type of data-center, enterprise and provider networks, as well as benchmarking services with leading network traffic generators and network monitoring products.
MAIN OFFICE
1600 Mill Rock Way,
Bakersfield, CA 93311, USA
T: +1 661 474 4129
© 2012 EUNOMATIX Limited. All Rights Reserved. 02/14 GA-DS-1547-01
EUNOMATIX and its logo are trademarks of EUNOMATIX Networks, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by EUNOMATIX. EUNOMATIX reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact the EUNOMATIX Customer Services office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States.