Attacks/Breaches
8/28/2012
06:42 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

GhostShell Haunts Websites With SQL Injection

Admin and user accounts from websites breached and posted online

A hacker gang claims to have leaked more than a million user accounts from some 100 websites worldwide, and its weapon of choice appears to mainly be good ol' SQL injection.

The GhostShell gang on Saturday posted online what it claims are accounts and records from various financial services, consulting firms, academia, law enforcement, and the CIA. "Team GhostShell's final form of protest this summer against the banks, politicians and for all the fallen hackers this year," the post said in part. "One million accounts/records leaked. We are also letting everyone know that more releases, collaborations with Anonymous and other, plus two more projects are still scheduled for this fall and winter. It's only the beginning."

Researchers at Imperva say the attackers appear to have employed mostly SQL injection, but also exploited weak passwords and vulnerable content management systems. The attackers used the popular SQLmap tool, and some of the hacked databases included more than 30,000 records.

The attackers grabbed admin credentials, usernames and passwords, and files. "And the passwords show the usual ‘123456’ problem. However, one law firm implemented an interesting password system where the root password, ‘law321’ was pre-pended with your initials. So if your name is Mickey Mouse, your password is ‘mmlaw321’. Worse, the law firm didn’t require users to change the password," Rob Rachwald, director of security for Imperva said in a blog post last night.

Rachwald says many of the files came from CMS systems. "A very large portion of these files come from content management systems (CMS), which likely indicates that the hackers exploited the same CMS with a vulnerability in it that allowed a hacker to target it. However, a lot of the stolen content did NOT include any sensitive information," he says.

The main targets were banks, consulting firms, government agencies, and manufacturing companies, according to Imperva's findings.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sectorx
50%
50%
sectorx,
User Rank: Apprentice
8/29/2012 | 11:03:17 PM
re: GhostShell Haunts Websites With SQL Injection
I am not for or against their cause but from a security posture perspective this is the entire reason why firms need to be engaging in what cenzic calls

Continuous Proactive Security-á

Companies need to wake up as its no longer about check box compliance, its about being proactive both in your application firewalls to running assessments.-á

Measuring Risk based on reputation, damage control, and data loss, or financial loss is only one part of the problem because at some point people's lives will be at risk.-á
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web