OpRussia: Difference between revisions

From Enlace Hacktivista
 
(15 intermediate revisions by 2 users not shown)
A lot of Russian-based companies have been having their servers blown wide open and emails flying out all over the place for the world to read. Leaks nearing ten MILLION files and continuing. The hacks have followed Russia's invasion of Ukraine, and the targets have included banks, government institutions, investment firms, power generation infrastructure, oil and mining companies, a weapons manufacturer in Belarus, as well as the Russian Orthodox Church.


== Explanation of the Hack ==
For Russia we realised that a lot of companies and organisations haven't yet fully patched their Exchange servers and many are still vulnerable to ProxyShell! We then went out and tried to find as many vulnerable high-profile targets as possible and then leaked their emails to DDoSecrets [1].


For a lot (not all) of the Russian email leaks, the recon process was:


* 1. Shodan dorks: country:"RU", http.title:"outlook", http.title:"OWA", http.title:"Autodiscovery", http.title:"Microsoft Exchange", vuln:"cve-2021-34473" and then download the results.
* 2. Parse out the IPs from the list: grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file1 > file2
* 3. Then separate vulnerable from non-vulnerable, exploitable from non-exploitable: nmap --script http-vuln-exchange-proxyshell.nse -iL file2 -oA file3 -p 443 [2]


From here we then used [3] to exploit the vulnerable servers and proceeded with downloading as many, if not all, of the emails as possible. The leaks will continue to be published until Russia has completely pulled out of Ukraine!
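The recon chain above ends at servers still exposed to ProxyShell (CVE-2021-34473, the CVE named in the Shodan dork). On the defender's side the same weakness leaves a recognisable trace: the pre-auth path confusion is reached through the front-end Autodiscover endpoint, and an Exchange front end records every such request in its IIS W3C log. The following is an added example, not code from the wiki page or from any group it names; it parses a constructed sample of IIS log lines (placeholder addresses and example.com hosts, with an assumed field layout stated in the code) and flags requests that carry the Autodiscover path-confusion indicators: an '@' host override directly after autodiscover.json, an Email= parameter that points back at autodiscover.json, or a backend path (/mapi/nspi, /powershell, /ews/) tunnelled through the Autodiscover URL.

```python
import re
from urllib.parse import unquote

# Assumed IIS W3C field layout for this example (check the "#Fields:" header of
# your own log; Exchange front-end logs commonly add more columns):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
FIELDS = ["date", "time", "s_ip", "method", "stem", "query", "port", "c_ip", "ua", "status"]

# Constructed sample log (not from the page). Lines 1, 2 and 4 are ordinary
# Autodiscover/OWA traffic; line 3 carries the path-confusion indicators.
SAMPLE_LOG = """\
2022-04-01 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 198.51.100.20 Outlook/16.0 200
2022-04-01 10:00:02 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 198.51.100.21 Mozilla/5.0 200
2022-04-01 10:00:03 10.0.0.5 GET /autodiscover/autodiscover.json @example.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.com 443 203.0.113.9 python-requests/2.27 200
2022-04-01 10:00:04 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.com&Protocol=EWS 443 198.51.100.22 Outlook/16.0 401
"""

# Backend paths that should never be reachable by way of the Autodiscover URL.
BACKEND_MARKERS = ("/mapi/nspi", "/powershell", "/ews/")


def parse_iis_line(line):
    """Split one W3C log line into a dict; '-' means an empty field in IIS logs."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["query"] = "" if rec["query"] == "-" else rec["query"]
    return rec


def proxyshell_indicators(stem, query):
    """Return the list of path-confusion indicators found in one request (empty = clean)."""
    reasons = []
    # Decode once: the %3F inside Email= becomes '?', which is what the backend sees.
    s = unquote(stem).lower()
    q = unquote(query).lower()
    if "/autodiscover/autodiscover.json" not in s:
        return reasons
    if q.startswith("@") or "@" in s:
        reasons.append("host-override '@' directly after autodiscover.json")
    if "email=autodiscover/autodiscover.json" in q:
        reasons.append("Email= parameter points back at autodiscover.json")
    tail = s.split("/autodiscover/autodiscover.json", 1)[1]
    if any(m in q or m in tail for m in BACKEND_MARKERS):
        reasons.append("backend path tunnelled through the Autodiscover URL")
    return reasons


def scan_log(text):
    """Run the indicator check over a whole log and return the flagged requests."""
    hits = []
    for line in text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        reasons = proxyshell_indicators(rec["stem"], rec["query"])
        if reasons:
            hits.append({"time": rec["time"], "c_ip": rec["c_ip"],
                         "status": rec["status"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["time"], h["c_ip"], "HTTP", h["status"], "->", "; ".join(h["reasons"]))
```

The fourth sample line matters: a legitimate Autodiscover V2 request also hits autodiscover.json with an '@' in its Email= value, so a rule that simply greps for "autodiscover.json" and "@" will page on normal Outlook traffic. The check above keys on where the '@' sits and on the Email= value naming autodiscover.json itself, which ordinary clients never send. The sc-status column is the triage hint: a 200 to a flagged request means the confused path was served rather than rejected, so that host goes to the top of the patch and investigation queue.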


* [1] https://ddosecrets.com/wiki/Category:Russia
* [2] https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse
* [3] https://github.com/horizon3ai/proxyshell


== Media Coverage ==


* https://www.ibtimes.com/anonymous-breaches-top-russian-law-firm-global-clients-dumps-data-protected-attorney-3532738
* https://theintercept.com/2022/04/22/russia-hackers-leaked-data-ukraine-war/
* https://meduza.io/en/feature/2022/04/13/the-hunt-for-antimilitarism
* https://www.pravda.com.ua/eng/news/2022/04/24/7341811/
* https://www.theverge.com/2022/4/22/23036079/russian-emails-leaked-ddosecrets
* https://www.ibtimes.com/anonymous-affiliate-nb65-hacks-russian-state-network-leaks-900000-emails-3461648
* https://securityaffairs.co/wordpress/129576/hacktivism/anonymous-huge-data-dump.html
* https://www.nytimes.com/2022/04/22/us/politics/hackers-russia-cyberattacks.html
* https://www.ibtimes.com/anonymous-starts-huge-data-dump-will-blow-russia-away-leaks-rostproekt-emails-3452789
* https://www.dailymail.co.uk/news/article-10692617/Anonymous-leaks-nearly-MILLION-Russian-state-media-emails.html

== Partners ==
* https://twitter.com/xxNB65
* https://twitter.com/DepaixPorteur
* https://twitter.com/B00daMooda
* https://twitter.com/wh1t3sh4d0w0x90


[[Category:Hacks]]
[[Category:Cyberwar]]

Latest revision as of 14:25, 9 June 2022
