Analyzing the Team GhostShell Attacks

Sqlmap

Why did they do it?  They claim it was payback for law enforcement arresting hackers.

How did they do it?  Mostly via SQL injection.  Looking at the data dumps reveals the use of the tool SQLmap, one of two main SQL injection tools typically deployed by hackers.   Here’s a picture from one of the data dumps showing SQLmap:
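The attacks described here rely on applications that splice user input straight into SQL text. The following Python/sqlite3 example is added for illustration and is not code from the post or from any breached site: it puts the vulnerable lookup beside its parameterized form, and adds a minimal log check for sqlmap's default User-Agent (which starts with "sqlmap/"; operators can change it, so treat it as a cheap first signal, not a reliable one). The table, the user names and the log lines are constructed sample data.

```python
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a CMS user table (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "editor"), ("carol", "editor")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """The bug: the value is pasted into the SQL text, so a quote in it rewrites the query."""
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY id" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[str]:
    """The fix: the value is sent as a bound parameter and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def looks_like_sqlmap(log_line: str) -> bool:
    """Cheap detection: sqlmap's default User-Agent begins with 'sqlmap/'."""
    return "sqlmap/" in log_line


# Constructed web-server log lines (not from the breach) to exercise the detector.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2012:10:00:01] "GET /news.php?id=1 HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2012:10:00:02] "GET /news.php?id=1%27 HTTP/1.1" 500 "-" '
    '"sqlmap/1.0-dev (http://sqlmap.org)"',
]


def flagged_log_lines(lines: List[str]) -> List[str]:
    """Return only the log lines that carry the sqlmap User-Agent marker."""
    return [line for line in lines if looks_like_sqlmap(line)]


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # the classic tautology; harmless against the parameterized form
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    print("flagged:", len(flagged_log_lines(SAMPLE_LOG)))
```

The parameterized version returns nothing for the tautology string because the whole value is compared as a literal username; that, not input filtering, is the fix a code review should insist on. Pairing it with the log check gives the defender both sides: the bug class that the dumps point to and one way to notice the tool being run against you.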


How much data was taken?  Hard to count and verify.  Some of the breached databases contained more than 30,000 records.

What type of data was taken?

  • Admin login info.
  • Username/passwords.  And the passwords show the usual ‘123456’ problem.  However, one law firm implemented an interesting password system where the root password, ‘law321’, was prepended with your initials.  So if your name is Mickey Mouse, your password is ‘mmlaw321’.   Worse, the law firm didn’t require users to change the password.  Jeenyus!
  • Files/documents.  A very large portion of these files come from content management systems (CMS), which likely indicates that the hackers exploited a vulnerability in one CMS product and then reused it against every site running that CMS.  However, a lot of the stolen content did NOT include any sensitive information.
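The law-firm password scheme above is a policy failure that can be caught at provisioning time: a password built from the user's initials plus a shared token is derivable by anyone who knows the token and a staff list. The following Python audit is an added example, not code from the post; the only values taken from the post are ‘law321’ and ‘123456’, and the sample accounts, the 12-character minimum and the extra common passwords are constructed assumptions.

```python
import re
from typing import Dict, List

# Policy inputs. 'law321' and '123456' are quoted in the post; the rest are constructed.
SHARED_BASES = ("law321",)
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty"}
MIN_LENGTH = 12


def initials(full_name: str) -> str:
    """'Mickey Mouse' -> 'mm'."""
    return "".join(part[0] for part in full_name.split() if part).lower()


def check_password(full_name: str, password: str) -> List[str]:
    """Return the policy violations for one candidate password (empty list = acceptable)."""
    problems: List[str] = []
    pw = password.lower()
    ini = initials(full_name)
    if pw in COMMON_PASSWORDS:
        problems.append("common password")
    # The initials-plus-shared-token scheme: derivable from a name and one leaked token.
    if any(pw in (ini + base, base + ini, base) for base in SHARED_BASES):
        problems.append("derived from shared default password")
    # Any name fragment of three or more letters appearing in the password.
    if any(tok in pw for tok in re.findall(r"[a-z]{3,}", full_name.lower())):
        problems.append("contains part of user's name")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    return problems


def audit_accounts(accounts: List[Dict]) -> Dict[str, List[str]]:
    """Run the check over provisioned accounts and flag ones never forced to rotate."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        problems = check_password(acct["name"], acct["password"])
        if not acct.get("changed_since_provisioning", False):
            problems.append("still using provisioned password")
        if problems:
            findings[acct["name"]] = problems
    return findings


# Constructed sample accounts (hypothetical; not from the breach data).
SAMPLE_ACCOUNTS = [
    {"name": "Mickey Mouse", "password": "mmlaw321", "changed_since_provisioning": False},
    {"name": "Donald Duck", "password": "123456", "changed_since_provisioning": True},
    {"name": "Minnie Mouse", "password": "Rust-Harbour-Kettle-91", "changed_since_provisioning": True},
]


if __name__ == "__main__":
    for name, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(name, "->", ", ".join(problems))
```

Running the audit over the sample list flags the two weak accounts and passes the third. The "still using provisioned password" finding is the one the firm in the post was missing: a shared initial password is survivable only if the account cannot be used until it has been changed.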

Who was targeted?

  • Banks—Credit history and current standing is a very noticeable part of the data stolen.
  • Consulting firms
  • Government agencies
  • Manufacturing firms.