Massive Syrian Government Hack All Down to Joomla

Written by

The Cyber Justice Team has taken responsibility for a big hack of Syrian government networks, which resulted in a massive 43GB data leak online.

But what's really to blame is the CMS the regime appears to favor.

The hack, which took place on April 6, was originally said to consist of 10GB of sensitive data—but the volume ballooned once the data was decompressed. In all, there are 274,000 files from 55 national and private Syrian website domains—half of which are government domains. This is not a small amount of data.

The Cyber Justice Team, despite having a name that Stan Lee would certainly approve of, is a hacktivist group that protests the Assad government as well as  ISIS, for oppressing the Syrian people. “Assad and ISIS both trying to destroy Syrian Revolution, both killers of the Syrian people,” the group tweeted just after the hack. It also noted that it had deleted any files having to do with the government-run education system and the children’s hospital, presumably to avoid exposing sensitive information about civilians.

As Risk Based Security (RBS) noted in an analysis, the data dump was posted publicly online at Pastebin and contained server passwords along with MySQL host permissions and admin passwords. It appears to be comprised of a number of past breaches as well as new ones, as many of the files appeared to include domains from previous, smaller defacements and leaks. Further analysis confirmed that the leak included many older shell files and database entries showing prior injection attempts.

The hackers were able to obtain the information by exploiting known and outdated vulnerabilities in the web portals being used—specifically, in Joomla.

“It appears that the Nation Agency for Network Services is running Joomla!, which is no stranger to its own vulnerabilities,” RBS said. “While there have been no vulnerabilities discussed in 2016 yet (just third-party modules for it), in VulnDB we tracked a total of 127 vulnerabilities historically, with 20 of them in 2015. On average we see that Joomla! has vulnerabilities disclosed about every 60 days.”

The researchers noted that regardless of one’s political affiliations, the fact that a nation-state would be so cavalier with its security is a bit disturbing—even though many of the files don’t contain anything compromising.

“One can’t help but wonder why governments around the world continue to use these types of web portals,” the researchers said. “Clearly they have become very easy targets for anyone looking to test their hacking skills. These sites are known to be vulnerable and make for fertile ground for budding hackers that want to try their luck against an easy target, particularly if an organization is not staying up to date on vulnerabilities disclosed.”

Photo © danielo

What’s hot on Infosecurity Magazine?