Cyber Justice Team Makes A Statement With Massive Data Leak

April 08, 2016 By Risk Based Security

On April 6th, a Twitter account using the name Cyber Justice Team posted a tweet suggesting a major hack of a Syrian governmental server had taken place and 10GB of data had been leaked as a result.

The leak includes the password file from the breached server, along with MySQL host permissions, admin passwords, and a link to the 10GB compressed file, uploaded to the file sharing site MEGA.



Analysis of the leaked data was a challenging task, thanks to both the amount of information and the lack of organization of the database files. That said, our analysis shows the data appears to originate from the Nation Agency for Network Services and contains data from 55 Syrian domains, 25 of which being 2; 1 and the remainder with the generic .sy. Most of the domains affected in the breach are either inactive or older domains that are no longer in use. Very few of the domains appear to be of some importance to the people of Syria.

The first pass at reviewing the data sparked a sense of deja vu, as many of the files appeared to include domains from previous, smaller defacements and leaks. Further analysis confirmed our initial suspicions. The leak included many older shell files and database entries showing prior injection attempts. After extracting all packages, there are a total of 134 files, 57 of them being .tar.gz files. After extracting data from these 57 files, the total for the leak comes in at:


274,477 files;

over 38,768 folders.

The data leaked is mainly default Plesk files, Joomla! setups, and Cportal (phpnuke-cms) setups from each of the below hosts. Each host also contains the file structure of a default vhost setup.

In an interesting twist to the story, the main CPortal community website is currently throwing out database errors, disclosing the full path.


One can’t help but wonder why governments around the world continue to use these types of web portals. Clearly they have become very easy targets for anyone looking to test their hacking skills. These sites are known to be vulnerable and make for fertile ground for budding hackers who want to try their luck against an easy target, particularly if an organization is not staying up to date on disclosed vulnerabilities.

It appears that the Nation Agency for Network Services is running Joomla!, which is no stranger to its own vulnerabilities. While there have been no vulnerabilities discussed in 2016 yet (just third-party modules for it), in VulnDB we tracked a total of 127 vulnerabilities historically, with 20 of them in 2015. On average we see that Joomla! has vulnerabilities disclosed about every 60 days.

More suspicious minds might wonder if these insecure websites that keep resurfacing are used as honeypots by the Syrian government as a method to gather intelligence on those who are attempting to breach their networks.

After reaching out to Cyber Justice Team, we are able to confirm they are the party behind this latest hack and leak of data.

Analysis of the leak is ongoing. To date, we can share the following summary of the 55 impacted domains known to be implicated in the breach: Al Bassel Seventeenth Fair For Invention and Innovation Aleppo Chamber of Commerce Al-Mouasat University Hospital ARAB UNION REINSURANCE.CO Primer Establishment for Chemical and Detergent Industries Arab Socialist Baath Party Ber Society and social services Banias Refinery Company Syria competition commission Damascus Health Directorate Commercial and Industrial Property Protection Directorate The official site of the General Secretariat of the province of deirezzor General Organization for Potable Water and Sanitation Dezhou City Development and Export Promotion Authority Syrian eGovernment portal General Company for the construction and reconstruction General Establishment for Chemical Industries Hama City Council The official site of the General Company for Electricity Hama Homs Electric Company Industrial and residential city in Hsia Industrial Bank Itradecp-Sweida AL SAHEL SPINNING COMPANY SPECIAL judicial investigation General Organization for Potable Water and Sanitation in latwater Ministry of Domestic Trade and Consumer Protectio The Ministry of Agriculture and Agrarian Reform Syrian Ministry of Higher Education Ministry of Oil and Mineral Resources - Home Ministry of Public Works The Ministry of Transport Nation Agency for Network Services Nation Agency for Network Services General Authority for Biotechnology National Energy Research Center NMC • Home Omayad Paints - Paints illiteracy Organization of Technological Industries Middle State Company for internal Clothing PEEG public institution to generate electricity the cabinet of syria Rand Service Provider
