[BreachExchange] GhostShell Is Back Exposing Open FTP Directories

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 16 18:36:04 EDT 2016


https://www.riskbasedsecurity.com/2016/05/ghostshell-is-back-exposing-open-ftp-directories/

A few months ago, an established hacker known at the time only as
GhostShell doxxed himself. The move appeared to be made in the hope of
obtaining legitimate work and ending the run of data breaches he had
committed over the years.

GhostShell, now also known as 24-year-old Razvan Eugen Gheorghe, today
announced a new leak of data under the title of Light Hacktivism.

He states that this leak is an appetizer and that there is much more to
come in the near future. Light Hacktivism, in his view, is an attempt to
raise awareness of older FTP directories that are left open on the
Internet, containing credentials and confidential documents.

The leaked data and a short message, reproduced below, were posted to
Pastebin:

"This is me raising awareness to the on-going open FTP directories that
still plague the net even after all these decades. Despite warnings in the
past about the dangers posed by leaving your ports open and unprotected,
netizens small and large are still paying no attention to it effectively
leaving their networks unprotected to even the newbies of this industry.

"I’ve compiled a list of targets that range across the field, from
government, educational, medical, industrial, retail, personal and many
others. Since I wanted to be clear and taken seriously about this I have
leaked some credit card information, however it is recently expired, however
I am willing to prove more in private to any researcher out there that even
CC/CCv is stored in plaintext on open ports. Medical data is also present
but it has been censored, the sensitive stuff. Still, accounts – usernames,
passwords are present. Personal identities, names, addresses, phone numbers
etc. are also there.

"Never underestimate the most simple vulnerabilities out there as they
oftentimes end up being anyone’s downfall. Light Hacktivism is about
finding and exposing those vulnerabilities to the public so that they can
be patched.

"Millions of people at risk every day due to sheer laziness and
incompetence."

Shortly before the leak was posted, Razvan hinted that something was about
to happen because the “local and US feds” handling his case had the weekend
off. At the time of this post, RBS was not aware of a confirmed case against
Razvan.

The Light Hacktivism leak is similar in style and format to what we have
seen in the past from Razvan. It is comprised of data collected from
30 unique sites and contains varying types of data, including credit card
details and username and email combinations, some with and some without
encryption. Altogether, we have detected 1,181 unique email addresses from
521 different providers. A large portion of the affected sites appear to be
educational institutions whose data has been open on the Internet for
some time.

One part of Razvan’s message that caught our eye was the mention of a
potentially larger impact from compromised medical data. Razvan states:

“Medical data is also present but it has been censored, the sensitive
stuff.”

It has been well documented over the past couple of years that medical data
and devices are becoming more of a target for cyber criminals. The
problem is already so serious that, in many cases, confidential
medical data is being left wide open on the Internet, resulting in a
situation where the impact is potentially much greater than that of a
typical data breach.

While it seemed that Razvan was “retired”, this new leak appears to show
that he is back, as he mentions that we should expect the usual leaks from
him in the near future. If past experience is any indication of what to
expect, then we will most likely see a large amount of data being posted in
bulk, affecting many, many more sites.