Hacktivists Team Up To Hack, Deface, Leak or Crash 39 Ecuadorian Websites Within First 24 Hours After Assange’s Arrest

At this point it should go without saying, but yesterday morning the Ecuadorian Embassy in London decided against continuing Julian Assange’s protection/asylum and he is now going to be extradited to stand trial in the United States – where he faces life in prison. While every news outlet between here and the moon has already done its own spinoff story on these developments, what I haven’t seen anyone else covering is the response from at least some of the hacking/cyber security community – so this is what I will attempt to do here today.

First off, the very reason why the Wikileaks founder was arrested yesterday was most likely his open support for a number of leaked documents implicating Ecuador’s President recently – likely leaked for his decision to put so much pressure on Julian Assange in the first place over recent weeks. The leaked cache of documents in question is officially referred to as the INA Papers – which you can browse in their entirety below.

Browse INA Papers Leak: http://inapapers.org/

With that established, within the first 24 hours of Assange’s arrest different hackers from all around the world appear to have teamed up together to launch a massive and coordinated series of cyber attacks against the Ecuadorian Government and its infrastructure. While it would be impossible to find them all, here is everything I was able to research – 39 different targets of hacks, leaks, defaces and/or DDoS attacks April 11th-12th 2019. Among the participants were Anonymous, LulzSec, Pryzraky, CYB3R C0V3N and many more.

Defaced:

Target: hxxps://www.utpl.edu.ec/
Deface: https://www.utpl.edu.ec/salas/view_entry.php?id=103164

Target: hxxp://www.esmena.edu.ec/
Deface Mirror: http://www.zone-h.org/mirror/id/32332771?hz=1

Target: hxxp://reinounido.embajada.gob.ec/
Deface: pic.twitter.com/2cSkC3Zndy

Tango Downed:

Ecuadorian Embassy of the United Kingdom: hxxp://reinounido.embajada.gob.ec/
Ecuadorian Consulate of Chicago: hxxp://chicago.consulado.gob.ec/
Official Guide of Protocols & Procedures of the State of Ecuador: hxxp://gob.ec/
National Institute of Investigation: hxxp://inigemm.gob.ec/

Targets w/ SQLi Vulnerabilities:

Press Releases:

Pryzraky: https://hastebin.com/zecicifade.coffeescript
Anonymous: https://hastebin.com/yavudususu.rb

More Information:

https://twitter.com/LulzSeguridad/status/1116533381607641088

https://twitter.com/cyb3rc0v3nsec/status/1116336514387066885

https://twitter.com/al1ne3737/status/1116603345181921284

https://twitter.com/cyb3rc0v3nsec/status/1116393682482139136

https://twitter.com/cyb3rc0v3nsec/status/1116541062217121793

Poison.sh of Tenebris Hacks/Defaces 169 Websites Across The World

If you are a regular reader of this website you would know that rarely do I ever feature reports on website defacing; it just isn’t really my “thing.” However, that does not mean I dismiss the subject entirely either. For example, this morning I managed to come across a Twitter posting from a relatively new group of South American hackers going by the name of “Tenebris,” who claim to have hacked 169 websites around the world throughout the course of the last several days and weeks. While I was skeptical at first, after conducting a little bit of research into the hacks and clicking through the links provided, it appears as though the group really is telling the truth – which is why I am featuring them here today.

The website defaces are said to have been pulled off by a hacker going by the name of “Poison.sh” – a famous Brazilian hacker well known for permanently disabling and defacing websites throughout the country in the past. Analyzing the URL structure as they exist inside Pastebin suggests that Poison.sh has managed to gain access to each of the websites’ admin/dashboard panels, where he then uploads a jpeg image/file featuring the group’s logo within the website’s media folder – thus allowing him to link to it externally and give the appearance that the website has been hacked/defaced.

This is also very clever because website administrators rarely audit their own media files, and the more media files/pictures exist on the website, the harder it is to find any image(s) that may be out of place on it. Consequently, this would also explain why Poison.sh’s ‘defaces’ tend to have such long shelf lives.
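One way an administrator can run the media-folder audit described above, shown as an added example that is not part of the original post: compare the folder with a known-good baseline of hashes and flag files that are new, changed, or whose content does not match their extension. The function names, file names and sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Leading bytes of the image types a CMS media library normally holds.
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png", b"GIF8": ".gif"}
EXT_ALIASES = {".jpeg": ".jpg"}


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def sniff_ext(path):
    """Return the extension implied by the file's magic bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, ext in MAGIC.items():
        if head.startswith(magic):
            return ext
    return None


def audit_media(media_dir, baseline):
    """Compare media_dir with baseline {relative_path: sha256}; return sorted
    (path, finding) pairs: 'new', 'modified', 'type-mismatch' or 'missing'."""
    findings, seen = [], set()
    for root, _dirs, files in os.walk(media_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, media_dir).replace(os.sep, "/")
            seen.add(rel)
            if rel not in baseline:
                findings.append((rel, "new"))
            elif baseline[rel] != sha256_file(full):
                findings.append((rel, "modified"))
            ext = os.path.splitext(name)[1].lower()
            ext = EXT_ALIASES.get(ext, ext)
            if sniff_ext(full) != ext:
                findings.append((rel, "type-mismatch"))
    findings += [(rel, "missing") for rel in baseline if rel not in seen]
    return sorted(findings)


def demo():
    """Build a constructed media folder, baseline it, then plant changes."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    with tempfile.TemporaryDirectory() as media:
        os.makedirs(os.path.join(media, "2018", "12"))
        for rel, data in {"2018/12/banner.jpg": jpeg, "logo.png": png}.items():
            with open(os.path.join(media, *rel.split("/")), "wb") as fh:
                fh.write(data)
        baseline = {rel: sha256_file(os.path.join(media, *rel.split("/")))
                    for rel in ("2018/12/banner.jpg", "logo.png")}
        # Changes made after the baseline (all constructed for this example):
        with open(os.path.join(media, "2018", "12", "crew.jpg"), "wb") as fh:
            fh.write(jpeg)                      # an image nobody on staff uploaded
        with open(os.path.join(media, "logo.png"), "wb") as fh:
            fh.write(b"<html>replaced</html>")  # known file overwritten
        return audit_media(media, baseline)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:14} {rel}")
```

Run on a schedule against the live uploads directory, with the baseline stored off the web server so it cannot be rewritten along with the files.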

Full List of Websites Compromised/Defaced: https://pastebin.com/DWugWyiA

Warriors Crew Hacked & Defaced Several Government Websites Across Brasil This Weekend

This weekend an emerging new group out of Brasil going by the name of “Warriors Crew” hacked and defaced several websites belonging to Government agencies across Brasil. This includes the Municipal Government of Taquarana, Municipal City of Itumbiara, Government of Santa Cruise and Roteiro City Hall. While the attacks were launched in the early morning hours of Sunday, December 23rd 2018, as of Monday evening 3 of the 4 websites still remain defaced, indicating that the hackers were either able to change the sites’ login credentials to lock out their administrators, or the Government agencies are still unaware of the incident. Either way, it’s still pretty hilarious.

In a statement to Rogue Media Labs, “C0nd0r” of Warriors Crew explained that the cyber attacks were launched in protest of various laws, such as Articles 11 & 13 in the EU. Despite being a South American national, C0nd0r explains how many modern laws in countries across the world, including Brasil, are simply not right and must be protested. Hacks and leaks are just one of many different forms of protest. In a message attached to the hack, Warriors Crew left behind a message reading “the corruption of our rulers almost always begins with a corruption of their principles/morals. Corruption may not strictly speaking be a uniquely Brasilian invention/trait, but we certainly tend to do it better than most.”

Website Hit:

hxxp://taquarana.al.gov.br/
hxxp://ciadovidro.com.br
hxxp://www.roteiro.al.gov.br/
hxxp://camaradeitumbiara.go.gov.br/
hxxp://camaradesantacruzdegoias.go.gov.br/

Proof of Defacement:

City Hall of Santa Cruise: https://mirror-h.org/zone/2000032/
Municipal City of Itumbiara: https://mirror-h.org/zone/2000031/
Municipal Government of Taquarana: https://mirror-h.org/zone/1999648/
Roteiro City Hall: https://mirror-h.org/zone/1999647/

Interestingly enough, the website belonging to the Government of Santa Clara also seems to have had its SEO algorithms poisoned, meaning that when you search for the website on Google its title has been changed to “Akatsuki” and its description to “d888888 dP dP dP oo d8′ 88 88 88 88 88aaaaa88a 88 .dP .d8888b. d8888P .d8888b. dP dP 88 .dP dP 88 88 88888″ 88′ `88 88 Y8ooooo. 88 88 88888″ 88 88…” This is something I have personally never seen or come across before; usually it takes weeks for Google to re-index changes to any website’s SEO meta tags and descriptions. Reference the screen shot captured below:

Akatsuki Gang Announces Hack of Brasil’s Ministry of Finance, Leaking Location of Site Exploits & Databases Online

In a posting released on Twitter December 20th 2018, the “Akatsuki Gang” announced a hack of Brasil’s Ministry of Finance, managing to leak sensitive information tied to the site’s back end, inner workings and databases online. Analyzing the attack, it appears as though the Akatsuki Gang exploited an SQL vulnerability attached to the landing page of previdencia.gov.br/conteudoDinamico.php?id=1093 – gaining remote access to a MySQL database containing PHP version 7.2.10 files hosted on a Microsoft-IIS 10.0 web server.

While the leak contains approximately 6,345 lines, most of the data is mirrored locations of various folders, files and databases contained on the site’s web page – only browse-able should you gain physical access to the website yourself. With that said however, there is some interesting/valuable material contained within the information dumped online, such as a full list of all the site’s DNS records, the IP Address and destinations of all the site’s sub-domains, the website’s IP, Network and Netmask Addresses, as well as the site’s back end login page – which isn’t currently protected against brute force attacks.

In a message attached to the hack/leak, the Akatsuki Gang released a full list of its members, explaining that “We Are: SNM Anops &&& D3coder &&& Knushh &&& SpySec &&& L0ster &&& CooldGirl &&& Satuur.” Also leaving behind a dark/ominous message stating “Can you take revenge on evil without becoming a part of it? I do not live to please you, when I make choices I’m prepared to face the consequences myself. Otaku is good, it’s just Otaku being himself.” According to a separate press release on Twitter, the Akatsuki Gang announced that they will be targeting Brasil’s Ministry of Agriculture, Livestock and Farming next.

Website Affected: hxxp://previdencia.gov.br
Location of Vulnerability: hxxp://previdencia.gov.br/conteudoDinamico.php?id=1093
Raw Leak: https://ghostbin.com/paste/xho67

This is the first time I have covered the Akatsuki Gang for Rogue Media Labs, but the group has been extremely active throughout the latter half of 2018. For example, over the course of the last 3 months alone, the group has hacked websites and databases belonging to the Military Police of Piaui, Military Police of the State of Goiás, Civil Police of Rio de Janeiro, Federal University of Rio de Janeiro, Brasilian Party of Women and municipalities of the states of Natal, Minas Gerais, Pernambuco, Santa Catarina and São Paulo, as well as pages of USP and the Courts of Justice of Espírito Santo (TJES) and Santa Catarina (TJSC).

Read More About The Group’s Activities Here: https://www.defcon-lab.org/tag/akatsuki-gang/

Psoe Burgos Political Party, Spanish Chamber of Commerce & Many Others Hacked by Anonymous Espana, Databases Leaked Online

Last night “Anonymous Espana” announced the hack, leak and defacement of several websites across Spain. The cyber attacks appear to have been conducted through a combined/collective effort of several groups and individuals, including Anonymous CyberGuerrilla and “Anon_cat.” As for the motivation behind them, look no further than #OpCatalonia – one of the single largest Anonymous operations across Europe dating back to the Catalonian secession vote of 2017.

In a posting made available through Twitter on December 20th, Anonymous Espana announced the hack of 5 websites, including Psoe Burgos, a Spanish based Socialist political party, COAATMU, a Spanish tech university, the Forest Science Centre of Catalonia, the Spanish Chamber of Commerce and Abogados MMB, an international law firm based in Spain. Not only were all of these websites hacked, but each of them had their online databases breached, downloaded and deleted. Anon_cat also managed to deface Psoe Burgos’ website, replacing their front page with the Anonymous logo and a message reading “HACKED BY ANONYMOUS. ALL OF YOUR DATA HAS BEEN DELETED.” As of midnight 1:00 am EST the deface of the website had remained standing for nearly 10 hours at that point, but by 9:00 am the website appears to have been restored to its original version.

Websites Hit:

hxxp://psoeburgos.es/
hxxp://coaatmu.es/
hxxp://ctfc.cat/
hxxp://cecit.es/
hxxp://mmb.es/

Databases Leaked:

Psoe Burgos (17.1 KB): http://anonfile.com/F8P0q1o8b3/www.psoeburgos.es_zip
COAATMU (3.08 MB): https://anonfile.com/d4S7q8o4b5/www.coaatmu.es_zip
Forest Science Centre of Catalonia (3.03 MB): https://anonfile.com/n4S0qbo1bc/www.ctfc.cat_zip
Spanish Chamber of Commerce (461.5 KB): https://anonfile.com/fdSbq5o0b4/cecit.es_zip
Abogados MMB (6.96 KB): https://anonfile.com/h2S0qao3bf/www.mmb.es_zip

Deface: https://mirror-h.org/zone/1997809/

https://twitter.com/An0nym0us_Esp/status/1075898360995987456?s=19

https://twitter.com/An0nym0us_Esp/status/1075903659404353538

Secretaria Municipal de Educação do Rio de Janeiro Hacked & Defaced To Teach Admins How To Patch Their Site

This morning, December 19th 2018, “Knushh” announced a unique hack of the Municipal Educational Department of Rio de Janeiro, Brasil, revealing several key vulnerabilities affecting the website allowing for the remote access/download of Government files/databases. I almost hesitate to call this an “Ethical Hack” because Knushh didn’t just simply hack the website and report its vulnerabilities to town administrators, he hacked the website and then disclosed the bugs/vulnerabilities to everyone in the world – including site administrators.

In a research report featured on Ghostbin, Knushh explains how Rio de Janeiro’s Municipal Education Department’s website suffers from two specific vulnerabilities. The first is known as a Local File Disclosure Vulnerability (LFD), “a malfunction in web applications allowing for the download of files without permission,” and the second is an SQL vulnerability, “an attack that consists of inserting query strings via web application to compromise the different layers of site databases.” Knushh goes on to explain how “the SQLi vulnerability is located in the site’s search engine so it can perform an SQL Injection (POST) and capture of the Sites Database (DBMS),” explaining that “we can test the vulnerability by adding a single quote in the mechanism,” and adding that “the LFD vulnerability is present in a tab that was to download .doc files .pdf etc … documents in ci http://www.semedjaperi.rj.gov.br/site/baixar.php?arquivo=

In a move that I have never seen or even heard of before, Knushh then proceeded to hack the website through the same exploits disclosed above and defaced its pages with instructions for site administrators, teaching them how to fix the exploits in the future. For example, here are screen shots of the URLs defaced and his activity:

SQL Vulnerability:

LFD Vulnerability:

Lastly, Knushh closed out his research report with a message to the IT department of Rio de Janeiro, stating that “I HOPE THIS ARRIVES TO THE TEAM OF SITE PROGRAMMERS TO RESOLVE THESE SERIOUS VULNERABILITIES – ASS.”

Website Affected: hxxp://www.semedjaperi.rj.gov.br/
Full Threat Analysis of Site Vulnerabilities: https://ghostbin.com/paste/6rw7k

https://twitter.com/Knushh/status/1075342816082059264
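The fixes for the two flaws in Knushh's report, sketched as an added example that is not code from the report or from the affected site: a download handler that only serves allow-listed document types from inside one directory, and a search query that binds user input as a parameter. It is written in Python with SQLite for a self-contained run (the site itself is PHP); the table, file names and function names are hypothetical.

```python
import os
import sqlite3
import tempfile

ALLOWED_EXT = {".doc", ".pdf"}   # the document types the download tab serves


def resolve_download(base_dir, requested):
    """Map the `arquivo` parameter to a file under base_dir, or return None."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None                      # resolved outside the documents directory
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXT:
        return None                      # e.g. application source or config
    return target if os.path.isfile(target) else None


def search_concat(db, term):
    """The flawed pattern: user input pasted into the SQL text."""
    return db.execute(
        "SELECT title FROM docs WHERE title LIKE '%" + term + "%'").fetchall()


def search_param(db, term):
    """The fix: the input is bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT title FROM docs WHERE title LIKE ?", (f"%{term}%",)).fetchall()


def demo():
    """Run both checks against constructed data and return the outcomes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (title TEXT)")
    db.executemany("INSERT INTO docs VALUES (?)",
                   [("Calendario 2018",), ("Ata d'agosto",)])
    results = {}
    try:
        search_concat(db, "d'")          # the single-quote check from the report
        results["concat"] = "ok"
    except sqlite3.OperationalError:
        results["concat"] = "syntax error"   # the input reached the SQL parser
    results["param"] = search_param(db, "d'")
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.mkdir(docs)
        for path in (os.path.join(docs, "edital.pdf"),
                     os.path.join(docs, "baixar.php"),
                     os.path.join(root, "config.php")):
            open(path, "w").close()
        results["pdf"] = resolve_download(docs, "edital.pdf") is not None
        results["traversal"] = resolve_download(docs, "../config.php")
        results["absolute"] = resolve_download(docs, os.path.join(root, "config.php"))
        results["source"] = resolve_download(docs, "baixar.php")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:10} {outcome}")
```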

Nodes Digital Magazine PWNED by Knushh

In a posting on Twitter December 17th 2018, hacker “Knushh” proudly displayed his most recent hack, a complete deface of Nodes Digital Magazine. Upon visiting the website, instead of displaying the most recent cyber news as it was designed, users are greeted with a list of 25 indexes and databases attached to the site’s Apache version 2.4.18 web server. Then, once you try clicking on any of the tables listed, you are brought to pages disfigured and defaced to display the following message:

Translated into English, this essentially reads “motivated for no other reason than to disfigure – lulz.” It is important to note that it was not just the website’s back end php file destination that was hacked; literally every page affiliated with the website has been hacked and defaced with the same message and image, indicating that the entire website was completely and utterly “pwned” by Knushh. Not only this, but more than 48 hours later now, the website has yet to be fixed or restored back to its previous or original settings, indicating that Knushh was also able to change the website’s login credentials to lock out the site’s administrators entirely – or they are completely unaware of the incident altogether.

At the present moment in time no databases attached to or affiliated with the site have been leaked online.

Website Affected: hxxp://revistaescolarnodos.com/

https://twitter.com/Knushh/status/1074903753260785664

English Defense League Hacked by TeaMp0isoN, 21.83 KB of Data Leaked Online

Earlier today, December 13 2018, the website belonging to the English Defense League (EDL), a far-right English nationalist group opposed to Islamic immigration and religious practices, was hacked and contents belonging to its databases were leaked online. The hack and subsequent leak have been claimed by “TriCk aka Saywhat?” of ZCOMPANY HACKING CREW and TeaMp0isoN, a once famous group of international hackers that is said to have disbanded years ago. More than likely, the hack was conducted to make a stand against xenophobia and racism, targeting religious extremists active in the discrimination of Muslims.

According to a press release posted on the Pastebin web service this morning, hackers managed to leak the identities of EDL leadership, website and staff, including their real names, place of work, home addresses, phone numbers, social accounts, pictures, emails, IP Address, account names and passwords, as well as internal messages exchanged between group members.

Website Affected: hxxp://www.englishdefenceleague.org.uk/
Raw Full Leak (21.83 KB): https://pastebin.com/vqQ0JmUS

Universidad Nacional de Mar del Plata Hacked by LulzSec Argentina

I normally make it a habit not to report on website defacings for a couple of reasons. First, because the majority of them are merely faked using cut and paste with Microsoft Paint or Photoshop and second, because the other half of the time they are just HTML pages attached to the URL of an unsecured website lacking an SSL. Very rarely do you ever come across a legitimate or genuine website deface these days, such as was the case today.

This morning, December 7th 2018, “El_Pemax” of LulzSec Argentina defaced the website belonging to La pagina de la Universidad Nacional de Mar del Plata (the National University of Mar del Plata), adding a web page under the heading ‘cache’ and using the platform to express that “educators more than any other kind of professionals are the guardians of civilization – let’s all support more education and less of the stupid things.” Sharing in their spirit, following release of the news on Twitter, “Anonymous Argentina” and “TeamHackArgentina” came out with a joint press release stating that “it is time to start drawing attention to what we are doing, this country is out of control.”

Website Affected: hxxp://mdp.edu.ar
Website Deface: http://www.mdp.edu.ar/cache/

Screen Shot of Deface 12/7/2018:

https://twitter.com/LulzSeguridad/status/1071079882870808576

https://twitter.com/YourAnonArg/status/1071083492132368385

Anonymous Cyber Guerrilla Leaks Files from Inside French Ministry of Defense

Earlier this morning, ahead of tomorrow’s protests, Anonymous CyberGuerrilla announced their second leak of the French Government in the last two days, this time leaking thousands of files/documents from inside the Ministry of Defense. Already today the leaks have changed locations several times, as lobbyists have attempted to delete or scrub the data offline. For the time being they can be accessed at the following locations:

File Leak One: https://zerobin.net/?72b72dfb6afdc0ca#S+9gztuEfwUaf43RKH4oZLTz4jOR59+CpTWU+LLcMno=
File Leak Two: http://zerobinqmdqd236y.onion/?8f6c0fc517ba81f8#z6RzImwr5gRO8aydNmzmJFI8MMhcUlPRndUQpu0D6LI=
File Leak Three: https://share.riseup.net/#gO4_OYqPu2Zvk9fHJk9xZQ
File Leak Four: http://ruqay5morumo3tcg.onion/?38b265a7e7df2606#x66/X5rgUJptQZKKTz+Jl7Vgt7iK/W+aOpO30569QJA=

In a message attached to the hack/leaks, CyberGuerrilla stated that:

We are the rebellion against an authoritarian society, against isolation and competition. We are the rebellion for another social and cultural reality. In the wake of global liberation attempts, the time is ripe for a decisive struggle that would no longer accept the pseudo-natural legitimacy of the system and seriously want to overcome it. We are looking for change for the liberation struggle, for a new way in which we can connect with others.

We will never forget the comrades, we want to especially remember those who decided to give everything in the struggle and died in it. Our memory and our full respect for those whose names we can not name because we do not know them.

We are Autonomen,
We are Ungovernable,
We are Action,
We do not forget our comrades,

Salut
Anonymous Anarchist Agency

https://twitter.com/CgAn_Doemela/status/1071135882986569728

Ergo Hacker Leaks Over 250,000 Records from Rio Grande do Sul Municipal Town Hall In Brasil

Earlier today, December 5th 2018, “Ergo Hacker” of Pryzraky, Brasil announced a major hack and data leak of the Rio Grande Town Hall in Rio Grande do Sul, Brasil. In a translated message to the public, Ergo states that the “Data leakage from municipality of Rio Grande contains names, CPF, date and birth of +220,000 people, including over 30,000 vehicles, vehicle plate numbers, makes/models and ownership titles.” Additionally, the data contained below “includes sensitive data on local pharmacies, organizations, tourism, schools, teachers and students.” Moreover, Ergo claims to have been able to hack the files attached to the Rio Grande Town Hall website through a misconfigured/unprotected php database which was left open/vulnerable to SQL Injection.

Website Affected: hxxp://riogrande.rs.gov.br
Raw Leak: https://ghostbin.com/paste/uoygr

File Download 1 (Veiculos/Vehicles): https://anonfile.com/deberfm5b8/veiculo_csv
File Download 2 (Pessoas/People): https://anonfile.com/dcg5r6m7bl/pessoa_csv
File Download 3 (Farmacia/Pharmacies): https://anonfile.com/zff2r3mfbe/item_csv
File Download 4 (Escola/Schools): https://anonfile.com/s7i0r6mab2/escola_csv

https://twitter.com/ergo_hacker/status/1070442134321459200?s=19

Knushh Hacks Universidad Tecnológica Linares in Mexico

The hacker known as “Knushh” announced his latest leak today, December 4th 2018, this time breaching the website belonging to the Universidad Tecnológica Linares in Mexico. While he did not disclose how he performed the hack, it’s suspected he was able to breach the site via SQL Injection. In the leak featured below, you will find the login credentials of 3 website administrators, allowing for access to 5 different site databases.

Website Affected: hxxp://utl.edu.mx/
Raw Full Leak: https://ghostbin.com/paste/xafac

https://twitter.com/Knushh/status/1069936011239714816