Cyber Justice Team Makes A Statement With Massive Data Leak

April 08, 2016 By Risk Based Security

On April 6th, a Twitter account using the name Cyber Justice Team posted a tweet claiming that a major hack of a Syrian government server had taken place and that 10GB of data had been leaked as a result.

The leak includes the password file from the breached server, along with MySQL host permissions, admin passwords, and a link to the 10GB compressed file, uploaded to the file sharing site MEGA.

[Image: Cyber Justice Team tweet announcing the leak]

Analysis of the leaked data was a challenging task, thanks to both the volume of information and the lack of organization of the database files. That said, our analysis shows the data appears to originate from nans.gov.sy, the Nation Agency for Network Services, and contains data from 55 Syrian domains: 25 of them .gov.sy, 2 .org.sy, 1 .com.sy, and the remainder under the generic .sy. Most of the domains affected in the breach are either inactive or older domains that are no longer in use. Very few of the domains appear to be of any real importance to the people of Syria.

The first pass at reviewing the data gave us a sense of déjà vu, as many of the files appeared to include domains from previous, smaller defacements and leaks. Further analysis confirmed our initial suspicions: the leak included many older shell files and database entries showing prior injection attempts. After extracting all packages, there are a total of 134 files, 57 of them .tar.gz archives. After extracting the data from these 57 archives, the total for the leak comes in at:

43.1GB of data

274,477 files

over 38,768 folders

The leaked data is mainly default Plesk files, Joomla! setups, and CPortal (a PHP-Nuke-based CMS) setups from each of the hosts listed below. Each host also contains the file structure of a default vhost setup.

In an interesting twist to the story, the main CPortal community website is currently throwing database errors that disclose the full filesystem path.

[Image: database error on the CPortal site disclosing the full path]

One can't help but wonder why governments around the world continue to use these types of web portals. Clearly they have become very easy targets for anyone looking to test their hacking skills. These sites are known to be vulnerable and make fertile ground for budding hackers who want to try their luck against an easy target, particularly if an organization is not staying up to date on disclosed vulnerabilities.

It appears that the Nation Agency for Network Services is running Joomla!, which is no stranger to vulnerabilities of its own. While no vulnerabilities in Joomla! itself have been disclosed in 2016 yet (only in third-party modules for it), in VulnDB we have tracked a total of 127 vulnerabilities historically, 20 of them in 2015. On average, Joomla! has a vulnerability disclosed about every 60 days.

[Chart: Joomla! vulnerabilities disclosed over time]

More suspicious minds might wonder if these insecure websites that keep resurfacing are used as honeypots by the Syrian government as a method to gather intelligence on those who are attempting to breach their networks.

After reaching out to Cyber Justice Team, we were able to confirm they are the party behind this latest hack and leak of data.

Analysis of the leak is ongoing. To date, we can share the following summary of the 55 domains known to be implicated in the breach:

agri-idlb.sy

albasselfair.gov.sy Al Bassel Seventeenth Fair For Invention and Innovation

alepelec.sy

aleppochamber.sy Aleppo Chamber of Commerce

alfalahen.org.sy

almouwasat.sy Al-Mouasat University Hospital

arabic-ti.sy

arabunionre.sy ARAB UNION REINSURANCE.CO

aryan.sy Primer Establishment for Chemical and Detergent Industries

baathparty.sy Arab Socialist Baath Party

baniashosp.sy

birrsociety.org.sy Ber Society and social services

brc.sy Banias Refinery Company

competition.gov.sy Syria competition commission

damasdh.sy Damascus Health Directorate

dcip.gov.sy Commercial and Industrial Property Protection Directorate

deirezzor.gov.sy The official site of the General Secretariat of the province of deirezzor

dz-water.gov.sy General Organization for Potable Water and Sanitation Dezhou City

edpa.gov.sy Development and Export Promotion Authority

egov.sy Syrian eGovernment portal

gcb.gov.sy

gcbc.sy General Company for the construction and reconstruction

geci.gov.sy General Establishment for Chemical Industries

gppc-aleppo.sy

hama.org.sy Hama City Council

hamaelc.gov.sy The official site of the General Company for Electricity Hama

hamagsc.gov.sy

hec.gov.sy Homs Electric Company

ic-homs.sy Industrial and residential city in Hsia

icit.sy

industrialbank.gov.sy Industrial Bank

itradecp-sweida.gov.sy Itradecp-Sweida

jablehsy.com.sy AL SAHEL SPINNING COMPANY

jpic.gov.sy SPECIAL judicial investigation

latwater.sy General Organization for Potable Water and Sanitation in latwater

Mashroue.sy

mitcp.gov.sy Ministry of Domestic Trade and Consumer Protection

moaar.gov.sy The Ministry of Agriculture and Agrarian Reform

mofsyr.gov.sy Syrian Ministry of Higher Education

mopmr.gov.sy Ministry of Oil and Mineral Resources - Home

mopw.gov.sy Ministry of Public Works

mot.gov.sy The Ministry of Transport

nans.gov.sy Nation Agency for Network Services

nans1.nans.gov.sy Nation Agency for Network Services

ncbt.gov.sy General Authority for Biotechnology

nerc.gov.sy National Energy Research Center

nmc.sy NMC • Home

nnhas.sy

omayad.sy Omayad Paints - Paints illiteracy

oti.sy Organization of Technological Industries

oumc.gov.sy Middle State Company for internal Clothing

peeg.gov.sy PEEG public institution to generate electricity

pministry.gov.sy the cabinet of syria

rand.sy Rand Service Provider
