GhostShell is back and exposed data from 32 companies hacked through Open FTP

Pierluigi Paganini May 17, 2016

GhostShell is back: it exposed data from 32 companies and launched a new campaign to punish negligent network administrators.

The popular hacker crew GhostShell is back and is launching a new campaign to sensitize administrators to the importance of a proper security posture, but it is doing so in its own way.

GhostShell is a group of hacktivists, most active in 2012, that targeted systems worldwide. The list of victims is long and includes the FBI, NASA, the Pentagon, and the Russian government.

Three years ago the group launched its last attack; we have had no news of the popular hackers since 2015, when Team GhostShell conducted a number of cyber attacks against various targets, including the Smithsonian photo contest website, The Church of Jesus Christ of Latter-day Saints, Socialblade, and the Exploratorium in San Francisco.

In March 2016, G.Razvan Eugen (24) claimed to be the founder of the popular collective Team GhostShell.

Now the dreaded collective is back and has leaked data from organizations whose system administrators left FTP directories open. In some cases, the GhostShell hackers exploited poor FTP configuration as the entry point into the target networks and then moved laterally, compromising other systems.

GhostShell dumped data online from the following 32 organizations:

[Image: GhostShell targets]


The leaked data contains several types of information, including credit card details and user name and email combinations, some with and some without encryption. Experts at the Risk Security Based firm who analyzed the leaked data found 1,181 unique email addresses from 521 different providers.

“The Light Hacktivism leak is a similar style and format as to what we have seen in the past from Razvan. It is comprised of data collected from 30 unique sites and contains varying types of data including credit card details, user name and email combinations some with and without encryption. All together, we have detected 1,181 unique email addresses from 521 different providers. A large portion of the affected sites appear to be data from educational institutions which have been open on the Internet for some time.” wrote RSB.

The hackers leaked the data online and left the following message on Pastebin; at the time of writing, the post had been removed by the administrator of the service.

“This is me raising awareness to the on-going open FTP directories that still plague the net even after all these decades. Despite warnings in the past about the dangers posed by leaving your ports open and unprotected, netizens small and large are still paying no attention to it effectively leaving their networks unprotected to even the newbies of this industry.

I’ve comprised a list of targets that range across the field, from government, educational, medical, industrial, retail, personal and many others. Since I wanted to clear and taken serious about this I have leaked some credit cards information, however it is recently expired, however I am willing to prove more in private to any researcher out there that even CC/CCv is stored in plaintext on open ports. Medical data is also present but it has been censored, the sensitive stuff. Still, accounts – usernames, password are present. Personal identities, names, addresses, phone numbers etc. are also there.

Never underestimate the most simple vulnerabilities out there as they often time end up being anyone’s downfall. Light Hacktivism is about finding and exposing those vulnerabilities to the public so that they can be patched.

Millions of people at risk everyday due to sheer laziness and incompetence.”

It seems that the group intends to hit more targets, and their negligent admins, in the short term.

Stay Tuned …

Pierluigi Paganini

(Security Affairs – GhostShell, hacking)
