GhostShell Haunts Websites With SQL Injection
Admin and user accounts from websites breached and posted online
A hacker gang claims to have leaked more than a million user accounts from some 100 websites worldwide, and its weapon of choice appears to mainly be good ol' SQL injection.
The GhostShell gang on Saturday posted online what it claims are accounts and records from various financial services, consulting firms, academia, law enforcement, and the CIA. "Team GhostShell's final form of protest this summer against the banks, politicians and for all the fallen hackers this year," the post said in part. "One million accounts/records leaked. We are also letting everyone know that more releases, collaborations with Anonymous and other, plus two more projects are still scheduled for this fall and winter. It's only the beginning."
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Innovations in Integration: Achieving Holistic Rapid Detection and Response
- Optimize Your SQL Environment for Performance & Flexibility
Researchers at Imperva say the attackers appear to have employed mostly SQL injection, but also exploited weak passwords and vulnerable content management systems. The attackers used the popular SQLmap tool, and some of the hacked databases included more than 30,000 records.
The attackers grabbed admin credentials, usernames and passwords, and files. "And the passwords show the usual ‘123456’ problem. However, one law firm implemented an interesting password system where the root password, ‘law321’ was pre-pended with your initials. So if your name is Mickey Mouse, your password is ‘mmlaw321’. Worse, the law firm didn’t require users to change the password," Rob Rachwald, director of security for Imperva said in a blog post last night.
Rachwald says many of the files came from CMS systems. "A very large portion of these files come from content management systems (CMS), which likely indicates that the hackers exploited the same CMS with a vulnerability in it that allowed a hacker to target it. However, a lot of the stolen content did NOT include any sensitive information," he says.
The main targets were banks, consulting firms, government agencies, and manufacturing companies, according to Imperva's findings.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.