OpRussia: Difference between revisions
Latest revision as of 14:25, 9 June 2022
A lot of Russian-based companies have had their servers blown wide open and their emails flying out all over the place for the world to read. Leaks are nearing ten MILLION files and continuing. The hacks have followed Russia's invasion of Ukraine, and the targets have included banks, government institutions, investment firms, power generation infrastructure, oil and mining companies, a weapons manufacturer in Belarus, as well as the Russian Orthodox Church.
Explanation of the Hack
For Russia we realised that a lot of companies and organisations haven't yet fully patched their Exchange servers and many are still vulnerable to ProxyShell! We then went out and tried to find as many vulnerable high-profile targets as possible and then leaked their emails to DDoSecrets [1].
For a lot (not all) of the Russian email leaks, the recon process was:
1. Shodan dorks: country:"RU", http.title:"outlook", http.title:"OWA", http.title:"Autodiscovery", http.title:"Microsoft Exchange", vuln:"cve-2021-34473", then download the results.
2. Parse the IPs out of the list: grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file1 > file2
3. Then separate vulnerable from non-vulnerable (exploitable from non-exploitable) hosts: nmap --script http-vuln-exchange-proxyshell.nse -iL file2 -oA file3 -p 443 [2]
From here we then used [3] to exploit the vulnerable servers and proceeded to download as many, if not all, of the emails as possible. The leaks will continue to be published until Russia has completely pulled out of Ukraine!
- [1] https://ddosecrets.com/wiki/Category:Russia
- [2] https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse
- [3] https://github.com/horizon3ai/proxyshell
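A defender's counterpart to the ProxyShell hunt described above, added here as an example and not part of the original page or of the tools it links: it parses IIS W3C log lines from an Exchange front end and flags requests matching the publicly documented CVE-2021-34473 path-confusion shape (an Autodiscover JSON request whose query string begins with "@" and names a backend virtual directory). The log lines, hostnames and IP addresses are constructed sample data, and the field order assumes the default IIS log layout.

```python
import re
from typing import Dict, List

# Constructed IIS W3C log lines (sample data, not from the page). Field order follows the
# default IIS layout: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
# c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-04-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
2022-04-01 10:00:09 10.0.0.5 POST /autodiscover/autodiscover.json @test.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.example 443 - 203.0.113.9 python-requests/2.27 - 200 0 0 40
2022-04-01 10:00:10 10.0.0.5 POST /autodiscover/autodiscover.json @test.example/powershell/?&Email=autodiscover/autodiscover.json%3F@test.example 443 - 203.0.113.9 python-requests/2.27 - 200 0 0 55
2022-04-01 10:01:00 10.0.0.5 POST /autodiscover/autodiscover.json - 443 user@corp.example 192.0.2.4 Microsoft-Outlook - 200 0 0 8
"""

# Signals: the request hits the Autodiscover JSON endpoint and its query starts with "@",
# the publicly documented ProxyShell (CVE-2021-34473) path-confusion shape in which the text
# after "@" names the backend virtual directory the front end is tricked into proxying to.
AUTODISCOVER_RE = re.compile(r"^/autodiscover/autodiscover\.json$", re.IGNORECASE)
PATH_CONFUSION_RE = re.compile(r"^@[^/]*/(mapi|powershell|ews)/", re.IGNORECASE)


def parse_iis_line(line: str) -> Dict[str, str]:
    """Split one W3C log line into the default IIS field names; {} for comments or blank lines."""
    fields = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port", "username",
              "c_ip", "user_agent", "referer", "status", "substatus", "win32_status", "time_taken"]
    if not line.strip() or line.startswith("#"):
        return {}
    parts = line.split()
    if len(parts) != len(fields):
        return {}  # malformed line: skip it rather than mis-assign columns
    return dict(zip(fields, parts))


def find_proxyshell_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries whose URI matches the ProxyShell path-confusion pattern."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_iis_line(line)
        if entry and AUTODISCOVER_RE.match(entry["uri_stem"]) and PATH_CONFUSION_RE.match(entry["uri_query"]):
            hits.append(entry)
    return hits


def source_ips(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client IPs behind the flagged requests, in first-seen order, for triage."""
    return list(dict.fromkeys(h["c_ip"] for h in hits))
```

The legitimate Outlook Autodiscover request in the sample (query "-", "@" only in the username field) is not flagged, so the check keys on the query string rather than on any "@" in the line.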
Media Coverage
- https://www.ibtimes.com/anonymous-breaches-top-russian-law-firm-global-clients-dumps-data-protected-attorney-3532738
- https://theintercept.com/2022/04/22/russia-hackers-leaked-data-ukraine-war/
- https://meduza.io/en/feature/2022/04/13/the-hunt-for-antimilitarism
- https://www.pravda.com.ua/eng/news/2022/04/24/7341811/
- https://www.theverge.com/2022/4/22/23036079/russian-emails-leaked-ddosecrets
- https://www.ibtimes.com/anonymous-affiliate-nb65-hacks-russian-state-network-leaks-900000-emails-3461648
- https://securityaffairs.co/wordpress/129576/hacktivism/anonymous-huge-data-dump.html
- https://www.ibtimes.com/anonymous-starts-huge-data-dump-will-blow-russia-away-leaks-rostproekt-emails-3452789
- https://www.dailymail.co.uk/news/article-10692617/Anonymous-leaks-nearly-MILLION-Russian-state-media-emails.html