Students and employees of the University of Virginia (UVa) may be scratching their heads today and wondering what UVa can or will do to secure its servers better. The university, which was hacked in 2012 by @AnonAntidote and again in 2013 by a former UVa student known as @R00tTh3B0x, has reportedly been hacked yet again – this time by @NullCrew_FTS, who have just now publicly admitted that they were @R00tTh3B0x.
As they have done in the past, on April 14, NullCrew tweeted a heads-up to UVa and some of the other entities they had targeted:
@UVA @KlasTelecom @Spokeo @ArmA2PC Six more days! #FuckTheSystem
— NullCrew (@NullCrew_FTS) April 14, 2014
UVa’s social media team did not respond to the tweet on Twitter, and it’s unknown whether they forwarded the tweet to the university’s IT department. UVa did not respond to an email sent by DataBreaches.net last night asking them whether the social media team had alerted IT or security to the tweet.
The data dump was announced on Twitter by NullCrew early this morning:
#NullCrew #FuckTheSystem issue #5 is out! – http://t.co/RG5ekT7C4j – Enjoy, everyone; Happy 4/20!
— NullCrew (@NullCrew_FTS) April 20, 2014
In their preface to the linked data dump, Null Crew explains their actions:
#FuckTheSystem is generally aimed at the government, or anything that is corrupt; and that is the reason for these attacks.
Ranging from government contractors, to universities, to telecommunications companies, to information databases, and other things.
They are all part of the system; and have failed examinations the first time around; some of the attack methods may have been simple.. or the data not too complex.
But, it can still lead to things that they do not want; and it also costs them, therefore we have committed actual damage to this certain aspect of the system. In a way, we achieve our goal.
NullCrew also mocks the university for failure to adequately secure their server following the hack last year by @R00tTh3B0x:
Let’s start with security standards taken since the last break-in:
1) Disable word-press logins assuming that hackers have ONLY taken advantage of your out of date WP versions.
2) What, no number two? Why is that, NullCrew? Funny that you ask, the University Of Virginia, we were able to spawn a system() backdoor and skim through your files.
It’s also noticeably laughable that the UVA IT Crew decides that everything is secure enough to host a good few other sites, with shared hosting.
Now, you can’t have all the goodies.. BUT: We will give you enough to tide you over.
Oh, and UVA? Secure your shit, or get owned over and over and over again; several of your subdomains are exploitable.
Not to mention that where it’s all shared, every website hosted by UVA?.. Whelp, root one, get them all.
Cursory inspection of the portion of the 10.8MB of files in the data dump relating to UVa indicates that with the exception of etc.txt, the files being dumped were taken in April 2013. So was this really a new hack or just a new dump of previously acquired data from last year? DataBreaches.net put the question to NullCrew, who noted that people.virginia.edu had been exploitable for about two years, although some of the backdoors they had into the system appear to have now been secured. They provided DataBreaches.net with proof of one backdoor with its command they claim they could still use as of today. To protect individuals’ privacy, DataBreaches.net has decided to delay publication of the exploit to give UVa a chance to address it, but will post it later as an update to this post.
The University of Virginia was just one of eight entities targeted by NullCrew, however. Other organizations include Spokeo, Telco Systems and BATM, Klas Telecom, the State of Indiana, National Credit Union, ArmA2, International Civil Aviation Organization (mentioned yesterday on this blog), and the Science and Technology Center of Ukraine (STCU). Many of the hacked sites involved administrator login credentials, and the STCU hack involved e-mail correspondence as well as files with first and last names and passwords, and another file with usernames and passwords.
Of these sites, only government contractor Klas Telecom seemingly responded to a warning tweet by investigating and addressing security issues, and notifying affected individuals.
It will take time to go through the 251MB data dump, and I’ll try to add some links to this post as others’ reports and analyses become available. Thankfully, though, it appears that consumers’ personal information from Spokeo was not dumped. NullCrew informs DataBreaches.net that they did not even attempt to access consumer personal information. What they did dump is a WordPress blog that contains communications to and from Spokeo customers and developers, as well as approximately two dozen administrator accounts with usernames, e-mail addresses and full names and encrypted passwords.
Update 1: I have gotten no responses yet to multiple attempts to reach UVa by email to their communications director and to their IT-Security department, although sources who prefer to remain anonymous tell me that UVa’s IT Security department is already in the loop and well aware. I am glad to hear that, although it would seem courteous for them to acknowledge my repeated efforts to notify them and give them a chance to secure their server. Because it’s not known to me whether they have actually addressed the specific exploit, I will continue to refrain from publishing it at this time.
In the interim, NullCrew has now dumped a second file that contains a listing of about 1 million files on virginia.edu. A quick skim of the 938,388 files suggests that this listing was obtained within the past 24 hours, as a referrer log for 20140419 was among the filenames.