From Enlace Hacktivista

A lot of Russia-based companies have had their servers blown wide open and their emails flying out all over the place for the world to read. The leaks are nearing ten MILLION files and counting. The hacks followed Russia's invasion of Ukraine, and the targets have included banks, government institutions, investment firms, power generation infrastructure, oil and mining companies, a weapons manufacturer in Belarus, as well as the Russian Orthodox Church.

Explanation of the Hack

For Russia we realised that a lot of companies and organisations haven't yet fully patched their Exchange servers and many are still vulnerable to ProxyShell! We then went out and tried to find as many vulnerable high-profile targets as possible and leaked their emails to DDoSecrets [1].

For a lot (not all) of the Russian email leaks the recon process was:

  1. Shodan dorks: country:"RU", http.title:"outlook", http.title:"OWA", http.title:"Autodiscovery", http.title:"Microsoft Exchange", vuln:"cve-2021-34473", and then download the results.
  2. Parse the IPs out of the list: grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file1 > file2
  3. Then separate vulnerable from non-vulnerable, exploitable from non-exploitable: nmap --script http-vuln-exchange-proxyshell.nse -iL file2 -oA file3 -p 443 [2]

From here we then used [3] to exploit the vulnerable servers and proceeded to download as many of the emails as possible, if not all of them. The leaks will continue to be published until Russia has completely pulled out of Ukraine!
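For the administrator on the receiving end of the scan described above, the ProxyShell (CVE-2021-34473) Autodiscover path confusion leaves a recognisable trace in the Exchange IIS logs. The script below is an added editorial example, not code from this page or its authors; the log lines, hostnames and addresses are constructed, and the indicator patterns follow the public reporting on the vulnerability.

```python
"""Flag ProxyShell path-confusion requests in Exchange IIS (W3C) logs.

Added example; the SAMPLE_LOG records, hosts and IPs are constructed.
The field order is read from the #Fields header, so other layouts work.
"""
import re
from urllib.parse import unquote

# Publicly documented shape of the pre-auth request:
#   /autodiscover/autodiscover.json?@<host>/<backend path>...&Email=autodiscover/autodiscover.json%3F@<host>
# The "@" straight after the query marker and an Email= value naming
# autodiscover.json are what distinguish it from a normal Autodiscover call.
PATH_CONFUSION = re.compile(r"autodiscover\.json\?@", re.I)
SMUGGLED_EMAIL = re.compile(r"(?:^|[?&])email=[^&]*autodiscover\.json", re.I)
BACKEND_PATH = re.compile(r"@[^/?]*(/[^?]*)")

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-03-01 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.json Email=alice@corp.example 443 corp\\alice 198.51.100.7 200
2022-03-01 10:00:02 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 200
2022-03-01 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 200
2022-03-01 10:00:04 10.0.0.5 GET /owa/ - 443 corp\\bob 198.51.100.8 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_proxyshell_requests(text):
    """Return (client ip, targeted backend path) for each matching record."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        url = rec.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        url = unquote(url)  # decode %3F etc. so the smuggled path is visible
        if PATH_CONFUSION.search(url) or SMUGGLED_EMAIL.search(url):
            m = BACKEND_PATH.search(url)
            hits.append((rec.get("c-ip"), m.group(1) if m else ""))
    return hits

if __name__ == "__main__":
    for ip, backend in find_proxyshell_requests(SAMPLE_LOG):
        print(f"ProxyShell pattern from {ip} targeting backend {backend}")
```

A legitimate Autodiscover request carries a plain Email=user@domain value and is not flagged; only the records that smuggle a backend path such as /mapi/nspi or /powershell are reported.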

Media Coverage