Last night the “Akatsuki Gang” leaked a Database Disclosure Vulnerability affecting the website of the Court of Auditors of the Federal District of Brasil, allowing for remote access/download of the website's file systems and databases. Analyzing their methodology: leveraging open ports left exposed by poorly constructed security settings, the hackers were able to carry out a Relative Path Traversal (CWE-23) attack against the website's file system structure, ultimately gaining access to a MySQL database behind PHP 5.5.9 files hosted on an Apache 2.4.7 web server attached to a WordPress.org website.
It remains unclear what the hackers did with the data they uncovered, but what we do know is that they managed to gain access to 41 tables/folders inside a database labeled “selic,” exposing information such as passwords, site uploads, comments and administrator user data. In a message attached to the hack, the group left a sarcastic note reading “Um verdadeiro patriota é o tipo que leva uma multa de estacionamento e fica contente porque o sistema funcionou!” Translated, this reads “a true patriot is the kind who gets a parking ticket and is happy because that means the system worked!” – lol. It remains unclear if the hack was conducted as a result of a parking ticket, or if the group was just being facetious.
Website Affected: hxxp://tc.df.gov.br/
Site Vulnerability: hxxp://tc.df.gov.br/selic/download.php?codof=41
Raw Leak: https://ghostbin.com/paste/e3zs5
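The download endpoint listed above is the classic place for a CWE-23 bug to live: a request parameter joined onto a base directory without checking where the resulting path ends up. As an added, defender-side illustration (not the court's code, and not taken from the leak), here is a hypothetical PHP download handler in the vulnerable shape next to a hardened version that resolves the path and verifies it still sits inside the intended directory; the upload directory and the assumption that `codof` names a file on disk are mine.

```php
<?php
// Added example, not the tc.df.gov.br code. Assumed layout (hypothetical):
// files are served from UPLOAD_DIR and the "codof" request parameter names
// the file to send.

const UPLOAD_DIR = '/var/www/selic/uploads';

// Vulnerable shape (CWE-23): the parameter is concatenated onto the base
// path as-is, so a value containing "../" segments resolves to a file
// outside UPLOAD_DIR and readfile() happily sends it.
function download_unsafe(string $codof): void
{
    readfile(UPLOAD_DIR . '/' . $codof);
}

// Hardened: allowlist the identifier shape, canonicalise the joined path
// with realpath() (which collapses "." / ".." and follows symlinks), and
// require the result to start with the base directory plus a separator.
function resolve_download_path(string $codof): ?string
{
    if (!preg_match('/^[0-9]+$/', $codof)) {
        return null; // this endpoint only serves numeric identifiers
    }
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $codof);
    if ($base === false || $real === false) {
        return null; // base directory missing or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // canonical path escaped the upload directory
    }
    return $real;
}

function download_safe(string $codof): void
{
    $path = resolve_download_path($codof);
    if ($path === null) {
        http_response_code(404); // same answer for missing and rejected paths
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

download_safe((string) ($_GET['codof'] ?? ''));
```

The containment check after realpath() is the part that survives even if the allowlist is later loosened, so keep both; a 404 for rejected requests also gives log reviewers a clean signal to alert on.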