The website hosting all the documents and hearing transcripts of the Commission of Inquiry into State Capture, better known as the Zondo Commission, was compromised and its pages replaced with links pointing to Indonesian sites.

Specifically, the State Capture website linked to an Indonesian online gambling operation and to Lazada, an international e-commerce company and one of Southeast Asia’s largest online shopping operators.

After MyBroadband reported the issue to the website’s hosting provider, Xneelo, it notified the site’s custodian, which quickly reversed the takeover and reinstated the original web pages.

A lookup against the ZA Registry Consortium’s WHOIS database revealed that the domain, statecapture.org.za, was registered through Xneelo. Xneelo also provided the site’s DNS servers.

Xneelo could not reveal who was responsible for the website. We asked Xneelo to relay an invitation to comment to its customer, but the company or individual did not come forward.

MyBroadband asked whether the attackers exploited a vulnerability in the Zondo Commission’s web application or Xneelo’s server.

“The website in question is hosted on a self-managed service, which means we have no visibility of what’s on the hosted server,” an Xneelo spokesperson said.

“However, we will pass your details on to the customer so they can decide whether they would like to respond directly.”

MyBroadband also contacted the State IT Agency (SITA) for comment, which said SITA neither hosted nor maintained the Zondo Commission’s website.

Further investigation revealed that the State Capture website was built with CodeIgniter, an open-source PHP web application framework.

The Internet Archive’s Wayback Machine shows that the site has been online since at least September 2020.

It is unclear whether it has been kept patched against the security vulnerabilities disclosed in CodeIgniter over the past five years. Because the site runs on a self-managed service, applying framework and server updates is the customer's responsibility rather than the host's.

The purpose of the compromise remains unclear, although one likely explanation is that the attackers wanted to use a trusted, long-established domain to funnel Indonesian visitors to the gambling and shopping sites it was made to link to.
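The tell-tale sign of this kind of hijack is a page that suddenly references domains it has no reason to link to. The script below, an added example and not code from MyBroadband or from the site's operators, audits a page's outbound references (anchors, scripts, iframes, forms and meta-refresh redirects) against a short allowlist of expected hosts and reports everything else. The allowlist and the sample HTML are constructed for the example; the `.invalid` domains do not exist.

```python
"""Flag outbound links to unexpected domains in a page's HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the site is expected to reference (assumption made for this example).
ALLOWED_DOMAINS = {"statecapture.org.za", "www.statecapture.org.za"}

# Attributes that make a browser fetch or navigate to another location.
_TARGET_ATTRS = {
    "a": "href", "link": "href", "script": "src",
    "iframe": "src", "form": "action", "img": "src",
}


class _LinkCollector(HTMLParser):
    """Collects every URL the page would load or navigate to, with its source tag."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = _TARGET_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.found.append((tag, attrs[attr]))
        # <meta http-equiv="refresh" content="0;url=..."> is a classic hijack redirect.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            for part in (attrs.get("content") or "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    self.found.append(("meta-refresh", part[4:].strip("'\" ")))


def domain_of(url):
    """Lower-cased host of an absolute or protocol-relative http(s) URL; None otherwise."""
    parts = urlsplit(url.strip())
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None  # mailto:, tel:, javascript: are not outbound hosts
    host = parts.hostname
    return host.lower() if host else None  # relative paths have no host


def find_unexpected_links(html, allowed=ALLOWED_DOMAINS):
    """Return (tag, host, url) for every reference to a host outside the allowlist."""
    collector = _LinkCollector()
    collector.feed(html)
    allowed = {d.lower() for d in allowed}
    findings = []
    for tag, url in collector.found:
        host = domain_of(url)
        if host and host not in allowed:
            findings.append((tag, host, url))
    return findings


# Constructed sample mimicking an injected-link hijack; not the real site's HTML.
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="5;url=https://slot-example.invalid/promo">
<link rel="stylesheet" href="/css/site.css">
</head><body>
<a href="/documents/">Documents</a>
<a href="https://www.statecapture.org.za/transcripts/">Transcripts</a>
<a href="https://slot-example.invalid/daftar">situs slot gacor</a>
<a href="//shop-example.invalid/deals">Lazada deals</a>
<script src="https://cdn-example.invalid/t.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, host, url in find_unexpected_links(SAMPLE_HTML):
        print(f"{tag:12s} {host:25s} {url}")
```

Run periodically against the live site (fetch the HTML with any client you like and pass it to `find_unexpected_links`), and treat any new host in the output as a change to investigate; protocol-relative (`//host/...`) and meta-refresh targets are included because hijacks often use them to slip past a naive search for `http://`.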

Cyberattacks on the rise in South Africa

Screenshot of the Indonesian online gambling platform the State Capture website linked to for a few days.

The Zondo Commission is one of many South African entities targeted by cyberattacks this year. In the past eight months, attackers have targeted companies and government agencies across various sectors.

Earlier this month, a cyber extortion group called INC Ransom claimed responsibility for breaching Altron Netstar’s corporate network and leaking 505GB of data onto the dark web.

In May, ransomware gang Everest Group claimed responsibility for an attack on Mediclinic, stating that they exfiltrated 4GB of data and the personal data of 1,000 employees.

That same week, Adidas South Africa notified customers that it suffered a data breach with people’s names, email addresses, phone numbers, genders, and birth dates potentially exposed.

In the telecommunications sector, MTN and Cell C reported data breaches earlier this year, with Cell C confirming that it was the victim of a ransomware attack by a group called RansomHouse.

While Cell C was up-front and provided details about the attack it suffered, MTN was more tight-lipped, only saying that some people in certain markets were affected.

Astral Foods, South Africa’s largest chicken producer, Eastplats, a prominent mining company, and Pam Golding, the largest real estate company in the country, all disclosed data breaches this year.

In addition, in July, attackers began exploiting a zero-day vulnerability in self-hosted Microsoft SharePoint servers, which caused headaches for organisations worldwide.

SharePoint is a widely used web-based platform developed by Microsoft for collaboration and document management.

The security flaw allowed attackers to access unpatched SharePoint servers and steal cryptographic keys that let them impersonate users or services. This could enable deep access into compromised networks to steal confidential data, and because stolen keys stay valid after the software is updated, affected servers also needed their keys rotated rather than just patched.

Various South African organisations and government departments were exposed due to the vulnerability, including National Treasury, which reported finding malware installed on a SharePoint server.

South Africa’s Department of Planning, Monitoring, and Evaluation was also targeted in the attacks on Microsoft’s SharePoint customers.

A U.S. security researcher also discovered that the zero-day exposed Stellenbosch University’s website and potentially its broader network.

The researcher contacted MyBroadband about the vulnerability when he struggled to reach the necessary people in Stellenbosch’s IT department.

Feedback from the university suggested that they had received several such communications, but these were all from people hoping to be hired to fix the issue, which the university said it was already working on.