Operation Ghost Click snares 'international cyber bandits'
Operation Ghost Click snares 'international cyber bandits'

Up to a million user credentials have been exposed online by the hacker group GhostShell after it cracked a series of content management systems (CMS).

According to research by Imperva, the attack was "payback for law enforcement arresting hackers", as the victims included government agencies, and also banks and consultancies. Speaking to SC Magazine, Rob Rachwald, director of security strategy at Imperva, said that GhostShell was an affiliate of Anonymous and the attack was most likely done with the SQLmap tool to infiltrate via SQL injection vulnerabilities.

He said: “We did a sample set to see what it looked like, and we checked the data and it was legitimate in terms of this breach. There is no way to check all of the numbers but some of the databases contained more than 30,000 records, and up to one million have been breached.”

Rachwald said that multiple CMSs were attacked because of the flaw, and data and files were taken. He also said that administrator login information was taken, as well as usernames and passwords. In terms of the files and documents, he said that a lot of the stolen content did not include any sensitive information.

Rachwald said that it was hard to know why these specific sectors were targeted so randomly, but that the SQLmap tool may have been used to find out which systems were vulnerable.

Team GhostShell are understood to be operating a hacking campaign titled 'Project HellFire'. Along with the attack and data dump, it published a message where it claimed it was collaborating with Anonymous.

In the message, GhostShell explained that the attack was a form of protest against financial institutions and lawmakers, as well as authorities who arrested hackers this year. The group also announced that more attacks were planned.

The message read: “We are also letting everyone know that more releases, collaborations with Anonymous and others, plus two more projects, are still scheduled for this fall and winter. It's only the beginning.”

Rachwald said that one revelation from the leaked data was that a law firm had implemented an interesting password system where the root password was 'law321' and was prefixed with the user's initials, so in his case the password would be 'rrlaw321' and the law firm did not require users to change the password.