Pierluigi Paganini June 03, 2016

GhostShell is back and leaked 36 million records from vulnerable networks to invite experts to pay attention to the new MEAN Stack.

GhostShell is back and once again to warn us about the poor security posture of many services, this time, he announced to have leaked 36 million accounts/records.

The hacker is inviting experts to pay attention to the MEAN Stack, MEAN is a collection of JavaScript-based technologies (MongoDB, Express.js, AngularJS, and Node.js) used to develop web applications.

I reached the popular hacker who gave me the following comment:

“Everyone needs to pay attention to the new MEAN Stack. The more popular it’s becoming the more likely it is for it to have vulnerabilities. We all need to work together to find and fix them but also to practice better security hygiene.”

MEAN Stack replaced the LAMP Stack that was considered less secure, but GhostShell is remind us that also MEAN is affected by serious security issues that expose users to serious risks.

“MySQL typically replaced by NoSQL and the main database configuration managed by MongoDB. This project will focus solely on this poorly configured MongoDB. I’d like to mention exactly how easy it is to infiltrate within these types of networks but also how chilled sysadmins tend to be with their security measures.” wrote GhostShell on Pastebin.

GhostShell highlights the lack of security of many installations that doesn’t implement a proper authentication process. The vast majority of services scanned by GhostShell was simply protected by a single factor authentication (username/password) and below there is the list of typical open ports discovered by the expert:
22, 53, 80, 81, 110, 137, 143 443, 465, 993, 995, 3000, 8080, 27017, 3306, 6379, 8888, 28017, 64738, 25565

What does it mean?

It could very easy for attackers to compromise a network poorly databases, this is exactly what GhostShell has done and he is leaking more than 36 million accounts/records of internal data from these types of networks to raise awareness.

“This can basically lead to anyone infiltrating the network and managing their internal data without any interference. You don’t even have to elevate your privileges, you just connect and have total access. You can create new databases, delete existing ones, alter data, and so much more.” added GhostShell.

“I am leaking more than 36 million accounts/records of internal data from these types of networks to raise awareness about what happens when you decide not to even add a username/password as root or check for open ports, let alone encrypt the data. Each server folder has within it a plaintext file with the general info of the target, a screenshot from within my MongoDB client with me having access and of course the leaked data in raw text. There are a few million accounts with passwords and the rest is private person data or other types.”

The message published on PasteBin also includes the download links and the screenshots of the databases containing the exposed data.

Negligent administrators, be careful, GhostShell is behind you … and he isn’t the unique one.

Stay Tuned …

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – GhostShell, hacking)