SecurityWeek

Cybercrime

Project Hellfire: Millions of Records Taken from Hundreds of Sites

Hacking group “Team GhostShell” has claimed credit for a massive leak of data, alleged to top more than a million records. However, the breach, while exposing some sensitive information, isn’t as bad as it seems, and it was entirely preventable.

Team GhostShell, along with two other associate groups, compromised hundreds of websites in what is being called Project Hellfire. The victims of Project Hellfire cover a wide range of verticals, from financial and law enforcement to political and family-owned businesses. The records taken from the victims, however, range from sensitive to useless.

SQL Injection Attacks

Project Hellfire’s data dump contains thousands of email addresses, some of which can be paired with usernames and passwords. Moreover, there are phone numbers, home or business addresses, immigration status, and political affiliation records. However, while the headlines focus on the scope of the data leak, the reality is that a majority of the leaked data is useless to a novice criminal.

In fact, when SecurityWeek examined some of the leaked database dumps, many of them were exports of the entire website, meaning Team GhostShell leaked data that was already in the public eye. Overhyped blob of data aside, the fact remains that some sensitive information needlessly ended up in the wrong hands, and it was entirely preventable.

For example, a community association management firm, C.I.A. Services, is a consulting agency for business leaders. Clearly they wouldn’t be a target for GhostShell under any sort of activism stance, but they were targeted because a simple Google search would have pointed vulnerability seekers to their domain.

C.I.A. Services’ domain was discovered with a simple Google Dork, or – to keep things simple – a specialized search used in scouting for website vulnerabilities. In this case, the search term was obviously “index.php?id=” or a variant such as “*.php?id=” – both would enable a potential attacker to discover sites that could be vulnerable to SQL Injection or other website flaws.

Other victims of Project Hellfire showed up under the same search used to discover C.I.A. Services, including The Garret Group (a financing firm for semiconductor sales), Commercial Bank of Wyoming, the GUE/NGL Group in the European Parliament (Confederal Group of the European United Left/Nordic Green Left), and Eman Travel and Tours (a family-owned travel business).

There were others discovered by using similar searches, but the point is that the compromises were avoidable. When SecurityWeek examined the list of websites targeted by Project Hellfire, some of them were running homegrown Content Management Systems (CMS) applications, while others used outdated CMS software.

In both cases, the lack of security allowed an attacker with a simple attack tool to take complete control of their domain. For many of the businesses targeted, there is no reason this simplistic attack should have worked, as they should have protected their digital assets.

Based on the data leaked, many of the attacks used SQLMap, an open source SQL Injection tool used by penetration testers and criminals alike. If a site is vulnerable, as determined by the previously mentioned Google Dork, this tool will allow an attacker to target the domain and exploit it with a few keystrokes.

The lesson here is that websites are a portal into the organization, and they should be protected. While none of the sites hit during Project Hellfire are what most would consider high-profile, many of them are in the SMB segment, so there is no reason for such basic attacks to have succeeded.

A basic overview of two of the most common SQL Injection tools for testing and attacking can be seen here.
