Security Experts:

Project Hellfire: Millions of Records Taken from Hundreds of Sites

Hacking group "Team GhostShell" has claimed credit for a massive leak of data, alleged to top more than a million records. However, the breach, while exposing some sensitive information, isn’t as bad as it seems, and it was entirely preventable.

Team GhostShell, along with two other associate groups, compromised hundreds of websites in what is being called Project Hellfire. The victims of Project Hellfire cover a wide range of verticals, from financial and law enforcement, to political and family owned businesses. The records taken from the victims however, range from sensitive to useless.

SQL Injection Attacks

Project Hellfire’s data dump contains thousands of email addresses, some of which can be paired with usernames and passwords. Moreover, there are phone numbers, home or business addresses, immigration status, and political affiliation records. However, while the headlines focus on the scope of the data leak, the reality is that a majority of the leaked data is useless to a novice criminal.

In fact, when SecurityWeek examined some of the leaked database dumps, many of them were exports of the entire website, meaning Team GhostShell leaked data that was already in the public eye. Overhyped blob of data aside, the fact remains that some sensitive information needlessly ended up in the wrong hands, and it was entirely preventable.

For example, a community association management firm, C.I.A. Services, is a consulting agency for business leaders. Clearly they wouldn’t be a target for GhostShell under any sort of activism stance, but they were targeted because a simple Google search would have pointed vulnerability seekers to their domain.

C.I.A. Services’ domain was discovered with a simple Google Dork, or – to keep things simple – a specialized search used in scouting for website vulnerabilities. In this case, the search term was obviously “index.php?id=” or a variant such as “*.php?id=” – both would enable a potential attacker to discover sites that could be vulnerable to SQL Injection or other website flaw.

Other victims of Project Hellfire showed up under the same search used to discover C.I.A. Services, including The Garret Group (financing firm for semiconductor sales), Commercial Bank of Wyomig, the GUE/NGL Group in the European Parliament (Confederal Group of the European United Left/Nordic Green Left), and Eman Travel and Tours (a family owned travel business).

There were others discovered by using similar searches, but the point is that the compromises were avoidable. When SecurityWeek examined the list of websites targeted by Project Hellfire, some of them were running homegrown Content Management Systems (CMS) applications, while others used outdated CMS software.

In both cases, the lack of security allowed an attacker with a simple attack tool complete control over their domain. For a many of the businesses targeted, there is no reason this simplistic attack should have worked, as they should have protected their digital assets.

Based on the data leaked, many of the attacks used SQLMap, an open source SQL Injection tool used by penetration testers and criminals alike. If a site is vulnerable, as determined by the previously mentioned Google Dork, this tool will allow an attacker to target the domain and exploit it with a few keystrokes.

The lesson here is that websites are a portal into the organization, and it should be protected. While none of the sites hit during Project Hellfire are what most would consider high-profile, many of them are in the SMB segment, so there is no reason for such basic attacks to have succeeded.

A basic overview of two of the most common SQL Injection tools for testing and attacking can be seen here

Related: Botnets Powering Cyber Reconnaissance at Scale for Hackers

Related: Enhancing Security by Studying Common Attack Techniques

Related ReadingThe Most Prevalent Attack Techniques Used By Today's Hackers

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.
view counter