
@d4rkarmy Zine, Extortion, Leaks, 0days claims

Early today, a Twitter account, @d4rkarmy, announced a ZINE which contains some interesting points but has yet to be fully validated against its claims.

For readers who do not know, a ZINE is an index of self-published work dating from the old-school hacker days when BBSes were common and Twitter was not even thought of, though zines go back to the 18th century, when this technology didn't exist and citizens used to put many things into a common list, leaflet or article.

The ZINE was posted to Pastebin and contained a few downloads from filedroper and a screen capture on imgur. It also contains claims of extortion, 0days and breaches of government systems, universities and popular website services like SoundCloud, Webroot, SplashID and kiatravels. Looking into the contents, wording and layout, the ZINE appears not to be very well structured, and the English grammar is very off as well, which could point to one of two things: the leaker is not a native English speaker, or is very young.

A breakdown of the zine is below.

Zine Targets

  • kiatravels.com
  • mit.edu
  • fda.gov
  • splashid.com
  • webroot
  • blog.soundcloud.com

kiatravels.com

Kiatravels.com is a travel booking website based in South Jakarta. d4rkarmy claims that this breach has affected all of its 1.5 million clients, whose records "contain private information that is not secure".

So while we were working on finding vulnerabilities in popular domains,
we came across a very large traveling agency called kiatravels.com.
They have had over 1.5 million clients, and contain private information that is not secure.
At first, we found an open RDP server, where admins login to view their domain.
We ran a dir scan on the RDP server, and found the dir name “keya”.
This was a root dir on the RDP server, which contained the files below

The data provided as a POC appears to be a list of the obtained SQL files. They have also stated that this is "Just the POC of the dump :) We do not enable stupid carders.".

The file download contains a zipped 3.3MB SQL file with raw dumped tables.

mit.edu

The hackers have stated that their attack was very simple and not nearly as sophisticated as the attack that resulted in the email server being accessed and data being leaked as part of the HTP (Hack The Planet) zine. They claim that they had access via an uploaded shell, but this was removed several times, and as a result they have archived the breached database and put it up for sale, followed by a Jabber address and a comment stating BTC only; no price has been given.

Now, for the 3rd time, the mit.edu domain, has officially been owned.
This attack was NOT as sophisticated as the HTP breach where they had access to their mail servers.
This was a simple Local File Inclusion vulnerability we found, which disclosed usernames,
which we were able to brute force, (we had admin of all subdomains, and root on their servers.)
The shell was later removed, and so we shelled them a second time, and they deleted it,
then we shelled them again, and it was erased, so we just archived their entire database,
and put it up for sale.

The data provided for this section is the /etc/passwd file.

FDA.gov

This breach seems to consist largely of public incidents, listing heaps of mailing list entries from a Google mailing group.

After hacking into numerous banks, companies, and universities,
we decided to have fun with the government.
In total, we found a couple hundred vulnerabilities in .gov domains,
but that will be linked below. Now, for the main show, the fda.gov.
One of our members started looking for vulns in their domain,
and we found a closed dir, but the files were open, so we started dorking
files found in .govs and found 02P-0317_emc-000019.txt .
We later were able to access all emails that went through fda.gov mail server.

The data provided for this section is a bunch of exploits aimed at government websites. It also has a note that Twitter user @hackinyolife is behind the zine: "creator of zine : @hackinyolife ".

Splashid.com

Splashid.com is a password manager service, and d4rkarmy claims that one of their members discovered an LFI (local file inclusion) after going vulnerability hunting on the site. This breach claims to have obtained root on their domains and accessed all client information. They also claim that all of this information is for sale, and provide the same Jabber address again.

One of our members went vulnerability hunting on a password managing site called
https://www.splashid.com/ , he/she found a Local File Inclusion on the domain and
got a shell popped on the domain. He later had root on their domains, and had all their client information.

The data provided is a screen capture which shows a shell's file manager and a copy of /etc/passwd.

[Image: SplashID screen capture]

Extortion claims

The end of the ZINE contains a section sub-titled "THE WONDERFUL STORY OF HOW WE CLOWNED THE FBI", which tells the following story.

After our member breached the FDA, our best friends, the Federal Bureau of Investigation.
The reason they were after us, were because we hacked fda.gov mail server, and we extorted a woman 10k
threatened to have her kidnapped XD. But, after FBI New York, and the investigators the woman knew “teamed up”
they were onto us like never before. The information they pulled were the groups name and a @gmail.com email we used to call her.
We later tricked them into thinking we knew hitman and that they were coming for her. So, they had FBI posted up at her house.
Then we tricked them into thinking we would drop fda.gov FULL database, so they had the domain offline for a couple hours,
and locked up their servers. Then, they attempted to go on IRC chat rooms to look for us.

webroot.com

In this part of the zine, we disclose a list of
vulnerabilities and 0days we found over the time of these breaches.
The first vulnerability was a local file inclusion found in www.webroot.com.
Discloses apache logs, etc/shadow, etc/master.passwd, etc/passwd.

blog.soundcloud.com

The next vulnerability was in blog.soundcloud.com, yes, I know
what you are thinking “but the hacker from zone-h got a deface on it!”
well this isn’t that vulnerability. We wrote a code that allows us to view
private files stored on the domain, so we found etc/primary which the output was
“foreign-key”.
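Both the webroot.com and blog.soundcloud.com claims above describe a local file inclusion that exposes files such as /etc/passwd, /etc/shadow and the Apache logs. The following is an added example from the editor, not code from the zine or from this article, showing how a defender would spot such requests in an Apache access log: it URL-decodes each query value (repeatedly, to catch double encoding), then flags directory traversal, references to known sensitive files, and PHP stream wrappers. The log lines and the `SENSITIVE_FILES` list are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-format log lines for this example
# (not taken from the zine, the article, or any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2013:14:02:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2013:14:02:19 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2013:14:02:25 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2013:14:03:01 +0000] "GET /blog/?p=42 HTTP/1.1" 200 7321 "-" "curl/7.29"
203.0.113.5 - - [10/Sep/2013:14:03:40 +0000] "GET /index.php?page=%252e%252e/%252e%252e/var/log/apache2/access.log HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2013:14:04:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files an LFI is typically used to read; extend for your own environment (assumed list).
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/master.passwd",
                   "/proc/self/environ", "access.log", "error.log")
WRAPPER_RE = re.compile(r'^(php|file|data|expect|zip|phar)://', re.I)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def normalize(value):
    """URL-decode up to three times so double-encoded traversal (%252e) is caught,
    and fold backslashes to forward slashes."""
    prev = None
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def lfi_indicators(path):
    """Return the indicator names found in the query-string values of a request path."""
    indicators = []
    if "?" not in path:
        return indicators
    query = path.split("?", 1)[1]
    for pair in query.split("&"):
        value = pair.split("=", 1)[1] if "=" in pair else pair
        norm = normalize(value)
        if TRAVERSAL_RE.search(norm):
            indicators.append("traversal")
        if any(f in norm for f in SENSITIVE_FILES):
            indicators.append("sensitive-file")
        if WRAPPER_RE.match(norm):
            indicators.append("php-wrapper")
    return indicators


def scan_log(text):
    """Parse access-log text and return (ip, status, path, indicators) for suspicious requests.
    A 200 status on a flagged request is the strongest signal that the inclusion worked."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ind = lfi_indicators(m.group("path"))
        if ind:
            hits.append((m.group("ip"), int(m.group("status")), m.group("path"), sorted(set(ind))))
    return hits


if __name__ == "__main__":
    for ip, status, path, ind in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(ind)} {path}")
```

Run against the constructed sample, four of the six lines are flagged; the bounded decode loop is what catches the `%252e` line, which a single `unquote` would miss. In practice this is a triage filter, not a verdict: a flagged request that returned 200 with a non-trivial response size is the one to pull the application logs for.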

Hackforums HEX

They also claim to have obtained a warrant for information about a Hackforums member, HEX, who was recently asking about them.

One last comment from d4rkarmy at the very bottom claims that there is more on the way.

After this summer, we have clowned many companies, and had our laughs.
We will still be here tho! Thank you for reading our zine, and the next one will be out shortly!
You have no idea what we have in store for next time!

So when is next time? Who knows yet, but it will certainly be interesting to see if there is a next time and what it contains.

Lee Johnstone

Information Security Data Analyst, Investigative Journalist, Technology Lover, Mechanic.
