April 8, 2016 • RBS

Categories: Security News

On April 6th, a Twitter account using the name Cyber Justice Team posted a tweet claiming that a major hack of a Syrian government server had taken place and that 10GB of data had been leaked as a result. The leak includes the password file from the breached server, along with MySQL host permissions, admin passwords, and a link to the 10GB compressed archive, uploaded to the file sharing site MEGA.

[Image: Cyber Justice Team tweet announcing the leak]

Analysis of the leaked data was a challenging task, thanks to both the amount of information and the lack of organization of the database files. That said, our analysis shows the data appears to originate from the National Agency for Network Services, and contains data from 55 Syrian domains, 25 of which sit under a government second-level domain and the remainder under the generic .sy. Most of the domains affected in the breach are either inactive or older domains that are no longer in use. Only a few of the domains appear to be of any importance to the people of Syria.

The first pass at reviewing the data gave a sense of déjà vu, as many of the files appeared to include domains from previous, smaller defacements and leaks. Further analysis confirmed our initial suspicions: the leak includes many older shell files and database entries showing prior injection attempts. After extracting all packages, there are a total of 134 files, 57 of them .tar.gz archives. After extracting these 57 archives as well, the total for the leak comes in at:

43.1GB: 274,477 files in 38,768 folders.

The leaked data consists mainly of default Plesk files, Joomla! setups, and CPortal (phpnuke-cms) setups from each of the hosts listed below. Each host also contains the file structure of a default vhost setup. In an interesting twist to the story, the main CPortal community website is currently throwing database errors that disclose the full filesystem path of the application.

[Image: CPortal website database errors disclosing the full path]
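Full path disclosure of the kind shown above is easy to check for in bulk: PHP warnings and fatal errors carry the absolute path of the failing script, which hands an attacker the document root and the file layout for later file-inclusion or upload attacks. The following added example (ours, not from the original post or from any of the affected sites) pulls such paths out of HTTP response bodies and guesses the document root from them. The sample response bodies are constructed for the example and are not real captures; the /var/www/vhosts/<domain>/httpdocs layout is the Plesk default mentioned in the text, and the file extensions and document-root directory names are assumptions you may want to widen for other stacks.

```python
import re

# Constructed sample responses, not real captures from the sites discussed on this page.
# The first mimics a PHP/MySQL error page that leaks the Plesk vhost document root,
# the second is a generic error page that leaks nothing, the third is a Windows host.
LEAKY_BODY = """<html><body>
<b>Warning</b>:  mysqli_connect(): (HY000/2002): Connection refused in
<b>/var/www/vhosts/example.sy/httpdocs/includes/db.php</b> on line <b>27</b><br />
<b>Fatal error</b>:  Uncaught Error: Call to a member function query() on bool in
/var/www/vhosts/example.sy/httpdocs/modules/News/index.php:112
</body></html>"""

CLEAN_BODY = "<html><body><p>The site is temporarily unavailable.</p></body></html>"

WINDOWS_BODY = ("<b>Warning</b>: include(config.php): failed to open stream in "
                "<b>C:\\inetpub\\wwwroot\\portal\\index.php</b> on line <b>5</b>")

# Absolute paths as PHP prints them: a Unix path or a Windows drive path ending in a
# source-file extension (assumed set), optionally followed by ":<line>".
_PATH_RE = re.compile(
    r"(?P<path>(?:/[\w.\-]+)+\.(?:php|inc|phtml)"
    r"|[A-Za-z]:\\(?:[\w.\-]+\\)*[\w.\-]+\.(?:php|inc|phtml))"
    r"(?::(?P<line>\d+))?"
)

# PHP error classes that usually accompany a leaked path.
_ERROR_MARKERS = ("Warning", "Fatal error", "Notice", "Parse error", "Deprecated")

# Directory names that conventionally mark a web document root (assumption).
_DOCROOT_NAMES = ("httpdocs", "public_html", "htdocs", "wwwroot")


def strip_tags(html):
    """Drop HTML tags so paths wrapped in <b>...</b> are matched as plain text."""
    return re.sub(r"<[^>]+>", "", html)


def find_disclosed_paths(body):
    """Return the sorted, unique absolute source paths found in a response body."""
    text = strip_tags(body)
    return sorted({m.group("path") for m in _PATH_RE.finditer(text)})


def document_roots(paths):
    """Guess document roots: the prefix of each path up to and including a
    directory named like a web root (e.g. /var/www/vhosts/<domain>/httpdocs)."""
    roots = set()
    for p in paths:
        sep = "\\" if "\\" in p else "/"
        parts = p.split(sep)
        for i, part in enumerate(parts):
            if part in _DOCROOT_NAMES:
                roots.add(sep.join(parts[: i + 1]))
                break
    return sorted(roots)


def assess(body):
    """Classify one response: does it look like a PHP error page, and what does it leak?"""
    text = strip_tags(body)
    has_error = any(marker in text for marker in _ERROR_MARKERS)
    paths = find_disclosed_paths(body)
    return {
        "php_error_page": has_error,
        "paths": paths,
        "document_roots": document_roots(paths),
    }


if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY), ("windows", WINDOWS_BODY)):
        print(name, assess(body))
```

The fix on the server side is the usual one: display_errors off in php.ini (or the Joomla!/CPortal equivalent), log_errors on, and a generic error page returned to the client, so the path stays in the log rather than in the response.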

One can’t help but wonder why governments around the world continue to use these types of web portals. They have clearly become easy targets for anyone looking to test their hacking skills. These sites are known to be vulnerable and make fertile ground for budding hackers who want to try their luck against an easy target, particularly if the organization is not keeping up with disclosed vulnerabilities. It appears that the National Agency for Network Services is running Joomla!, which is no stranger to vulnerabilities of its own. While no vulnerabilities in the Joomla! core have been disclosed in 2016 yet (only in third-party extensions), in VulnDB we have tracked a total of 127 vulnerabilities in it historically, 20 of them in 2015. On average, a Joomla! vulnerability is disclosed roughly every 60 days.

[Chart: Joomla! vulnerabilities over time, from VulnDB]

More suspicious minds might wonder whether these insecure websites that keep resurfacing are used as honeypots by the Syrian government, as a way to gather intelligence on those attempting to breach its networks. After reaching out to Cyber Justice Team, we were able to confirm that they are the party behind this latest hack and leak of data. Analysis of the leak is ongoing. To date, we can share the following list of site titles for the 55 impacted domains known to be implicated in the breach:

Al Bassel Seventeenth Fair For Invention and
Aleppo Chamber of
Al-Mouasat University Hospital
ARAB UNION
Primer Establishment for Chemical and Detergent
Arab Socialist Baath Party
Ber Society and social services
brc.sy – Banias Refinery
Syria competition
Damascus Health
Commercial and Industrial Property Protection
The official site of the General Secretariat of the province of deirezzor
Organization for Potable Water and Sanitation
Dezhou City and Export Promotion Authority
egov.sy – Syrian eGovernment
General Company for the construction and reconstruction
Establishment for Chemical Industries
Hama City Council
official site of the General Company for Electricity
Hama Electric Company
Industrial and residential city in Hsia
Bank
Itradecp-Sweida
AL SAHEL SPINNING
SPECIAL judicial investigation
latwater.sy – General Organization for Potable Water and Sanitation in latwater
Ministry of Domestic Trade and Consumer
The Ministry of Agriculture and Agrarian Reform
Syrian Ministry of Higher
Ministry of Oil and Mineral Resources – Home
Ministry of Public Works
Ministry of
National Agency for Network
National Agency for Network
General Authority for
National Energy Research Center
nmc.sy – NMC • Home
Omayad Paints – Paints
illiteracy
oti.sy – Organization of Technological
Middle
State Company for internal Clothing
PEEG public institution to generate electricity
the cabinet of syria
rand.sy – Rand Service Provider
