On April 6th, a Twitter account using the name Cyber Justice Team posted a tweet claiming that a major hack of a Syrian government server had taken place and that 10GB of data had been leaked as a result.
The leak includes the password file from the breached server, along with MySQL host permissions, admin passwords, and a link to the 10GB compressed archive, uploaded to the file-sharing site MEGA.
Analysis of the leaked data was a challenging task, thanks to both the volume of information and the lack of organization of the database files. That said, our analysis shows the data appears to originate from nans.gov.sy, the Nation Agency for Network Services, and contains data from 55 Syrian domains: 25 are .gov.sy, 2 are .org.sy, 1 is .com.sy, and the remainder use the generic .sy. Most of the domains affected in the breach are either inactive or older domains that are no longer in use. Very few of the domains appear to be of any importance to the people of Syria.
The first pass at reviewing the data sparked a sense of déjà vu, as many of the files appeared to include domains from previous, smaller defacements and leaks. Further analysis confirmed our initial suspicions: the leak included many older shell files and database entries showing prior injection attempts. After extracting all packages, there are a total of 134 files, 57 of them .tar.gz archives. After extracting the data from these 57 archives, the total for the leak comes in at:
43.1GB;
274,477 files;
over 38,768 folders.
The data leaked is mainly default Plesk files, Joomla! setups, and CPortal (a PHP-Nuke-based CMS) setups from each of the hosts listed below. Each host also contains the file structure of a default vhost setup.
In an interesting twist to the story, the main CPortal community website is itself currently throwing database errors that disclose the full filesystem path of its installation.
One can't help but wonder why governments around the world continue to use these types of web portals. Clearly they have become very easy targets for anyone looking to test their hacking skills. These sites are known to be vulnerable and make fertile ground for budding hackers who want to try their luck against an easy target, particularly if an organization is not staying up to date on the vulnerabilities that have been disclosed.
It appears that the Nation Agency for Network Services is running Joomla!, which is no stranger to vulnerabilities of its own. While no vulnerabilities in Joomla! itself have been disclosed so far in 2016 (only in third-party modules for it), in VulnDB we have tracked a total of 127 Joomla! vulnerabilities historically, 20 of them in 2015. On average, we see a Joomla! vulnerability disclosed about every 60 days.
More suspicious minds might wonder if these insecure websites that keep resurfacing are used as honeypots by the Syrian government as a method to gather intelligence on those who are attempting to breach their networks.
After reaching out to Cyber Justice Team, we were able to confirm that they are the party behind this latest hack and leak of data.
Analysis of the leak is ongoing. To date, we can share the following summary of the 55 impacted domains known to be implicated in the breach:
agri-idlb.sy
albasselfair.gov.sy Al Bassel Seventeenth Fair For Invention and Innovation
alepelec.sy
aleppochamber.sy Aleppo Chamber of Commerce
alfalahen.org.sy
almouwasat.sy Al-Mouasat University Hospital
arabic-ti.sy
arabunionre.sy ARAB UNION REINSURANCE.CO
aryan.sy Primer Establishment for Chemical and Detergent Industries
baathparty.sy Arab Socialist Baath Party
baniashosp.sy
birrsociety.org.sy Ber Society and social services
brc.sy Banias Refinery Company
competition.gov.sy Syria competition commission
damasdh.sy Damascus Health Directorate
dcip.gov.sy Commercial and Industrial Property Protection Directorate
deirezzor.gov.sy The official site of the General Secretariat of the province of deirezzor
dz-water.gov.sy General Organization for Potable Water and Sanitation Dezhou City
edpa.gov.sy Development and Export Promotion Authority
egov.sy Syrian eGovernment portal
gcb.gov.sy
gcbc.sy General Company for the construction and reconstruction
geci.gov.sy General Establishment for Chemical Industries
gppc-aleppo.sy
hama.org.sy Hama City Council
hamaelc.gov.sy The official site of the General Company for Electricity Hama
hamagsc.gov.sy
hec.gov.sy Homs Electric Company
ic-homs.sy Industrial and residential city in Hsia
icit.sy
industrialbank.gov.sy Industrial Bank
itradecp-sweida.gov.sy Itradecp-Sweida
jablehsy.com.sy AL SAHEL SPINNING COMPANY
jpic.gov.sy SPECIAL judicial investigation
latwater.sy General Organization for Potable Water and Sanitation in latwater
Mashroue.sy
mitcp.gov.sy Ministry of Domestic Trade and Consumer Protection
moaar.gov.sy The Ministry of Agriculture and Agrarian Reform
mofsyr.gov.sy Syrian Ministry of Higher Education
mopmr.gov.sy Ministry of Oil and Mineral Resources – Home
mopw.gov.sy Ministry of Public Works
mot.gov.sy The Ministry of Transport
nans.gov.sy Nation Agency for Network Services
nans1.nans.gov.sy Nation Agency for Network Services
ncbt.gov.sy General Authority for Biotechnology
nerc.gov.sy National Energy Research Center
nmc.sy NMC • Home
nnhas.sy
omayad.sy Omayad Paints – Paints illiteracy
oti.sy Organization of Technological Industries
oumc.gov.sy Middle State Company for internal Clothing
peeg.gov.sy PEEG public institution to generate electricity
pministry.gov.sy the cabinet of syria
rand.sy Rand Service Provider