Ghost Squad Hackers defaced a second European Space Agency (ESA) site in a week

A hacktivist group calling itself Ghost Squad Hackers has defaced a European Space Agency (ESA) site for the second time in a week.

Last week, Ghost Squad Hackers announced the defacement of a European Space Agency (ESA) site, https://business.esa.int/.

Now the group has contacted me again to report a second hack of a European Space Agency website. This time the hackers compromised https://space4rail.esa.int/index.html; it is the second defacement ESA has suffered in a few days.

Ghost Squad Hackers told me that, for the second time in a few days, they found a server-side request forgery (SSRF) remote code execution vulnerability in the agency's server. This time they exploited the issue to gain access to the https://space4rail.esa.int domain and deface it.

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization’s infrastructure, or to external third-party systems.

A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to perform arbitrary command execution.
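On the defensive side, a service that fetches user-supplied URLs can classify every resolved destination into the three kinds described above and refuse anything that is not an allowlisted external host. The following is an added example, not code from the article, ESA or the hackers; the host names, `SAMPLE_DNS` data and function names are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed sample DNS data (hypothetical names) for offline use.
SAMPLE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "mixed.partner.example": ["93.184.216.34", "127.0.0.1"],
}

def resolve(host):
    """Default resolver: every IP address the host name maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def classify(ip_text):
    """Map an address to one of the destination kinds described above."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot hide an IPv4 target.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback or ip.is_unspecified:
        return "self"          # the server connecting back to itself
    if ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_multicast:
        return "internal"      # other services inside the organization
    return "external"          # third-party systems

def check_outbound(url, allowed_hosts, resolver=resolve):
    """Return (allowed, reason, pinned_ips) for a user-supplied URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False, "bad scheme or host", []
    if host not in allowed_hosts:
        return False, "host not on allowlist", []
    try:
        ips = resolver(host)
    except OSError:
        ips = []
    if not ips:
        return False, "resolution failed", []
    for ip in ips:
        kind = classify(ip)
        if kind != "external":   # reject if ANY record points inward
            return False, f"{host} resolves to {kind} address {ip}", []
    # The caller should connect to one of these addresses, not re-resolve.
    return True, "ok", ips
```

The returned addresses are meant to be used for the actual connection, so a second DNS lookup cannot return a different, internal answer after the check has passed.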

“We again found the same private vulnerability in their servers leading to RCE (SSRF to RCE). After gaining access to their servers we decided to deface yet another domain for laughs. Their attempt to patch the vulnerability was a fail even after removing their CMS and adding a maintenance index we were still able to get access. We didn’t contact them this time either, instead decided to deface another domain,” the hackers told me.

“These space agencies are not safe and we will continue to prove that!”

According to the hackers, the ESA experts have yet to fix the problem; they only removed the CMS installation.

The hackers told me that the issue was not within the CMS/web application, but affects a service running on the server.

“It seems they took the vulnerable service down also, this is their attempt to prevent future cyber attacks,” the hackers said.

The group claims to have hacked numerous organizations and government agencies over the years, including the US military, the European Union, Washington DC, the Israeli Defense Forces, the Indian Government, and some central banks.

The team appears to be focused primarily on operations against governmental agencies.

The hacktivists remarked that they did not act for political reasons; they also highlighted that they had no interest in leaking any data.

Pierluigi Paganini

(SecurityAffairs – hacking, ESA)
