NullCrew Compromises 9 Sites Including Spokeo and University of Virginia

On April 20th, the hacker group NullCrew announced the release of an electronic text-based magazine (e-zine) called “FTS Zine 5” which is a compilation of database information taken from nine different organizations, several that were already targeted in August 2013.

In the past, NullCrew has made a name for themselves with various breaches and by compromising a wide range of systems. For the past few months they have been gathering the data for this e-zine, which is one of their biggest releases to date. The e-zine's layout is very similar to older hacking group releases like "Hack the Planet", loaded with high-profile targets that were breached by way of what most would consider straightforward attacks.

The e-zine was announced on NullCrew's official Twitter account, with details posted to Pastebin and a link to the file sharing website MEGA. The MEGA file is a 258 megabyte compressed RAR archive containing data from nine different targets, ranging from universities, gaming servers, social sites, telecommunication companies, intelligence and research companies, to state governments.

The methods used in these attacks include local file inclusion (LFI), SQL injection, and even stumbling upon a developer's private server and taking advantage of the content within. Attacks like these are on the rise, and this release provides a clear example of why organizations of all types and sizes must re-think the importance of information security.

The released data varies by target, but as a whole contains login credentials, private encryption keys, password files, and in some cases the vulnerability or exploit used to carry out the attack. Below is a summary of the compromised targets covered in the e-zine:

Klas

One of the more interesting disclosures, which occurred earlier this month, comes from Klas, a telecom company that NullCrew had recently been in contact with over the breach. Klas had even thanked them for pointing out the security flaws and offered to buy them a beer, but that did not stop NullCrew from adding the user accounts, which appear to belong mostly to military personnel, to the e-zine. You can read our interview with NullCrew about the Klas breach for more information.

UVA

The University of Virginia (UVA) has had a few incidents over the past couple of years, and was not able to keep NullCrew out: the group succeeded in penetrating UVA's systems and obtaining data. They set their sights on the university's Internet technology servers, resulting in the dump of six database user tables from different subdomains, as well as a DSA private key, a number of public SSH-RSA keys and a listing of close to one million files from their servers. NullCrew also claims to have had backdoors into UVA for over a year and to have been responsible for a previous breach last year.

Spokeo

Spokeo is an interesting breach, as it was carried out due to the lack of security on a developer's private server that held a copy of the Spokeo blog, which in turn allowed NullCrew to gain access to the main blog as far back as January. The group defaced the blog and lifted the WordPress database, leaving the administrator accounts and over 5,000 people's emails, names, and comments exposed. Since Spokeo is a data aggregator that collects detailed information from white pages listings, public records and social networks, a fair amount of additional information could also be at risk.

Arma2

Arma II is a military game created by Bohemia Interactive. The game's web site, running Joomla! 1.5, was breached, leaving the site's administrator credentials disclosed and possibly exposing up to three other game sites that run the same Joomla! system.

State Of Indiana

This breach is the only government site among the list. The breach was carried out using a local file inclusion (LFI) vulnerability that exposed a local configuration file allowing further access to the systems.

Telco Systems

The Telco Systems breach affected not only Telco Systems but also its parent company, BATM Advanced Communications, with the release of a large number of user credentials belonging to people associated with both companies.

National Credit Union

This breach isn't as bad as many might suspect, as NullCrew doesn't appear to have made any malicious changes or taken any sensitive data that could cause financial harm to people. However, they have dumped many administrator accounts from various forums, content management systems, and WordPress installations affiliated with the organization.

Science and Technology Center in Ukraine

The STCU was formed to assist former WMD experts in the transition to self-supporting, peaceful activities in the international science and business communities. The attack on this site was carried out using a time-based SQL injection attack, resulting in data leakage from the system. Almost 1,000 user accounts with users' emails and encrypted passwords were leaked, and this represents one of the largest sections of the release, as it includes the complete inbox, spam, sent and trash mail spools of the webmaster.
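Two of the techniques named in this write-up, local file inclusion (the State of Indiana case) and time-based SQL injection (the STCU case), both leave recognizable traces in ordinary web server access logs. The following Python script is an added defender-side example, not code from the article or from any of the organizations it covers: it scans access-log lines for LFI and time-based SQL injection indicators and, for the latter, correlates the payload with an unusually slow response, which is what a blind time-based probe produces. The log lines, the trailing response-time field and the 3 second threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (combined format plus a trailing response time in
# seconds). These lines are invented for illustration; they are not logs from any
# of the organizations named in the article.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2014:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123 0.012
203.0.113.5 - - [20/Apr/2014:10:01:09 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1842 0.015
203.0.113.5 - - [20/Apr/2014:10:01:15 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 4210 0.014
198.51.100.7 - - [20/Apr/2014:10:02:00 +0000] "GET /news.php?id=12 HTTP/1.1" 200 8800 0.020
198.51.100.7 - - [20/Apr/2014:10:02:04 +0000] "GET /news.php?id=12%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 8800 5.031
198.51.100.7 - - [20/Apr/2014:10:02:12 +0000] "GET /news.php?id=12%20AND%20IF(1=1,BENCHMARK(5000000,MD5(1)),0) HTTP/1.1" 200 8800 4.870
"""

# Combined log format with one extra field: response time in seconds (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<latency>[\d.]+)$'
)

# LFI indicators: directory traversal, well-known local files, PHP stream wrappers
# (used to read source such as config files instead of executing it) and null bytes.
LFI_RE = re.compile(r"\.\./|\.\.\\|/etc/passwd|/proc/self/|php://|\x00", re.IGNORECASE)

# Time-based (blind) SQL injection indicators for MySQL, MSSQL and PostgreSQL.
SQLI_TIME_RE = re.compile(
    r"\bsleep\s*\(|\bbenchmark\s*\(|\bwaitfor\s+delay\b|\bpg_sleep\s*\(", re.IGNORECASE
)


def classify_path(path, latency, slow_threshold=3.0):
    """Return sorted tags describing why a request looks suspicious, or [] if it doesn't."""
    decoded = unquote_plus(path)  # attackers URL-encode payloads; match on the decoded form
    tags = set()
    if LFI_RE.search(decoded):
        tags.add("lfi")
    if SQLI_TIME_RE.search(decoded):
        tags.add("sqli-time")
        # A time-based probe that actually reached the database shows up as latency;
        # pairing the payload with the delay separates real hits from noise.
        if latency >= slow_threshold:
            tags.add("slow-response")
    return sorted(tags)


def scan_log(text, slow_threshold=3.0):
    """Parse access-log text and return one finding per suspicious request."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        latency = float(m.group("latency"))
        tags = classify_path(m.group("path"), latency, slow_threshold)
        if tags:
            findings.append({
                "line": n,
                "ip": m.group("ip"),
                "path": unquote_plus(m.group("path")),
                "latency": latency,
                "tags": tags,
            })
    return findings


def suspicious_by_ip(findings):
    """Count suspicious requests per source address, a useful triage pivot."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']}: {f['ip']} [{', '.join(f['tags'])}] {f['path']} ({f['latency']:.2f}s)")
    print(dict(suspicious_by_ip(results)))
```

On the constructed log this flags the traversal and `php://filter` requests as LFI probes and both SLEEP/BENCHMARK requests as time-based SQL injection confirmed by the multi-second response time, while the two benign requests pass. The signature list is deliberately short; in practice it would be extended and the slow-response threshold tuned to the site's normal latency.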

International Civil Aviation Organization – ICAO

The International Civil Aviation Organization (ICAO) is a UN specialized agency created in 1944. The breach of this site was carried out in two stages: the first involved SQL injection, and the second used a remote file access issue. This led to the leaking of data from the ICAO systems, including phpMyAdmin credentials, FTP logs, SSH logs, and other system information.

NullCrew has been busy, and it seems that they will continue to be very active. One thing we can all learn from these attacks and the disclosed data is that using outdated and unpatched software, or allowing developers to hold private information on Internet-accessible development servers, will lead to serious issues. A more detailed summary of the data will be released shortly.