Cyber Incident Victim: saifa.ir

Date:

Dec 2015

Location:

Iran

Summary

ap3x h4x0r from the Anonsec collective hacks saifa.ir and dumps 11,792 records.

CIA Posture: Available to members
Motives: 0 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On the 4th of December 2015, a significant cyber incident occurred, involving the website saifa.ir. The attack was attributed to an individual known as "ap3x h4x0r." The primary technique employed in this incident was "Exfiltration from Application Server." This report provides a detailed account of the events surrounding this incident.

Saifa.ir was the target of this cyber incident. The Pastebin post advertising the breach cited SQL and XSS vulnerabilities under the tagline "38,000 Customer info Leak." The incident, claimed by the group "AnonSec," took place on December 4th, 2015, and was made public through that Pastebin post.

The perpetrator behind this incident, identified as "ap3x h4x0r," was a member of the "AnonSec" group. The AnonSec group consisted of several individuals, as evidenced by the list of official members they provided in their announcement. Notable members included "Mrlele," "3r3b0s," "d3f4ult," "4prili666h05T," "Mr WWW," "AN0NT0XIC," "ThaNarcissist," "Mr.MaGnoM," and the attacker, "ap3x h4x0r."

The primary technique employed in this cyber incident was "Exfiltration from Application Server." This technique involves unauthorized access to the application server's data and subsequent exfiltration of sensitive information.

The attack was publicly announced through an online article posted on Pastebin with the URL "https://pastebin.com/ftXELSC5." The article contained details of the breach and the group's affiliation. It also mentioned the leak of customer information, indicating that 38,000 customer records were compromised.

The attackers exploited vulnerabilities in the saifa.ir website, particularly focusing on SQL and XSS vulnerabilities. These vulnerabilities allowed them to gain unauthorized access to the application server and exfiltrate sensitive data. The specific methods and technology used in the attack were outlined as follows:

- Method Used: The attackers utilized a GET request method with a MySQL UNION query (NULL) that allowed them to manipulate and retrieve data from the database.

- Web Server Operating System: The website was hosted on a Linux CentOS operating system.

- Web Application Technology: The web application was built on Apache 2.2.27 and used PHP 5.2.17 for scripting.

- Back-End DBMS: The website's back-end database management system (DBMS) was identified as MySQL, with a version greater than or equal to 5.0.0. The database was hosted at "saifa_db@localhost."

- Database Structure: The database contained several tables and data. Notable tables included "epay," "epay_plans," "func_data," "groups," "ip_bin," "iplog," "key_filter," "links," "messages," "news," "news_groups," "newsletter," and "newsletterUser." Each table had specific columns and data types, indicating diverse information was stored in the database.

- Databases Accessible: The attackers listed three databases that were accessible:
1. information_schema

2. saifa_db (with 23 tables)

3. pub

- Static Pages: The database contained a "static_pages" table with information on static content, including columns like "_keywords," "date," "view," "active," "address," "cost," "email," "expiration_prompt," and others.

- Traffic Archive: Another table, "traffic_archive," recorded data such as "hit," "publicity," "tdate," and "visit."

- User Data: The "users" table contained an extensive list of user-related information with 22 columns, including "position," "address," "birth_year," "business_field," "company_name," "contact_time," "fax_number," "JSFlag," "last_ip," "LastPaied," and "license."
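The method listed above (a GET request carrying a MySQL UNION query padded with NULL placeholders, followed by enumeration of information_schema) leaves a recognizable trace in web server access logs. The following detection script is an added example written for this page; it is not part of the incident record or the attacker's material. It assumes Apache combined-format access logs, and the log lines it scans are constructed samples, not logs from saifa.ir.

```python
"""Detect UNION-based SQL injection probes in web server access logs.

Added example for defenders: URL-decode each query parameter (including
double-encoded values), strip MySQL comment obfuscation, and flag values
that carry UNION ... SELECT, NULL column placeholders used to discover the
column count, or information_schema enumeration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log lines (Apache combined format); NOT real incident data.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2015:10:01:02 +0330] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2015:10:01:09 +0330] "GET /news.php?id=12%27%20UNION%20SELECT%20NULL,NULL,NULL--%20- HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Dec/2015:10:02:15 +0330] "GET /search.php?q=union+workers HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2015:10:02:40 +0330] "GET /news.php?id=12%20/*!UNION*/%20/*!SELECT*/%20table_name,NULL%20FROM%20information_schema.tables HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
"""

# Minimal parser for the parts of a combined-format line we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# UNION [ALL|DISTINCT] SELECT after normalization.
UNION_RE = re.compile(r'\bunion\b(?:\s+(?:all|distinct))?\s+\bselect\b', re.IGNORECASE)
NULL_RE = re.compile(r'\bnull\b', re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    param: str
    value: str                      # normalized parameter value
    indicators: List[str] = field(default_factory=list)
    null_count: int = 0


def normalize(value: str) -> str:
    """URL-decode (up to twice, for double encoding) and undo comment tricks."""
    decoded = value
    for _ in range(2):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # MySQL executes the body of /*!...*/ version comments, so keep the body.
    decoded = re.sub(r'/\*!\d*\s*(.*?)\*/', r' \1 ', decoded, flags=re.DOTALL)
    # Ordinary /*...*/ comments are ignored by the server; drop them.
    decoded = re.sub(r'/\*.*?\*/', ' ', decoded, flags=re.DOTALL)
    return re.sub(r'\s+', ' ', decoded).strip()


def analyze_value(value: str) -> Optional[dict]:
    """Return indicator details for one parameter value, or None if benign."""
    norm = normalize(value)
    indicators = []
    if UNION_RE.search(norm):
        indicators.append("union_select")
    if "information_schema" in norm.lower():
        indicators.append("schema_probe")
    if not indicators:
        return None
    return {"value": norm, "indicators": indicators,
            "null_count": len(NULL_RE.findall(norm))}


def scan_log(text: str) -> List[Finding]:
    """Scan access log text and return one Finding per suspicious parameter."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            hit = analyze_value(value)
            if hit:
                findings.append(Finding(m.group("ip"), m.group("ts"), parts.path,
                                        param, hit["value"], hit["indicators"],
                                        hit["null_count"]))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.path} param={f.param} "
              f"indicators={f.indicators} nulls={f.null_count} :: {f.value}")
```

The normalization step matters more than the regex: inline version comments (`/*!UNION*/`) and double URL encoding are common ways to slip past naive keyword matching, and the NULL count records how far an attacker got in discovering the column count. The benign search for "union workers" is not flagged because no SELECT follows it.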

The attackers provided a link where all the dumped files could be downloaded: "https://mega.nz/#F!fFQy0BLD!bvw4K9GGODfgMUhxsrkKhA." This likely contained the exfiltrated data and other relevant files from the breach.

On December 4th, 2015, the website saifa.ir fell victim to a cyberattack orchestrated by the "AnonSec" group, with "ap3x h4x0r" being the identified attacker. The attackers exploited SQL and XSS vulnerabilities to gain unauthorized access to the application server and exfiltrate sensitive information. The incident was publicly announced through an online article on Pastebin, where the attackers claimed to have leaked customer information from the website. A range of technical details regarding the server, web application, database, and the exfiltrated data were outlined in the announcement, providing insights into the extent of the breach.
