After business.esa.int, Ghost Squad Hackers now deface space4rail.esa.int using an SSRF vulnerability for the Lulz
The Ghost Squad Hackers (GSH), an offshoot of the hacktivist group Anonymous, has been fairly active since the custodial killing of George Floyd in Minneapolis. Having been quiet for a couple of years, the Ghost Squad Hackers are back hacking for the lulz.
Last week, Ghost Squad Hackers announced the defacement of a site of the European Space Agency (ESA), https://business.esa.int/. The website has since been down, citing maintenance. Now the Ghost Squad Hackers have targeted another website belonging to the European Space Agency, https://space4rail.esa.int/sites/. The defaced page claims that the Ghost Squad Hackers hacked it for the lulz. Lulz is Anonymous geekspeak for lol or just for fun.
The Ghost Squad Hackers tweeted about the hack, but the page has since been taken down and replaced with a "site under maintenance" notice.
— ~#GhostSquadHackers (@GhostSquadHack) July 19, 2020
This is the second defacement in a few days suffered by the ESA at the hands of Ghost Squad Hackers. The hackers told Pierluigi Paganini of Security Affairs that they hacked into both websites using a server-side request forgery (SSRF) vulnerability leading to remote code execution in ESA web servers. This time they have exploited the issue to gain access to the https://space4rail.esa.int domain and deface it.
“We again found the same private vulnerability in their servers leading to RCE (SSRF to RCE). After gaining access to their servers we decided to deface yet another domain for laughs. Their attempt to patch the vulnerability was a fail; even after removing their CMS and adding a maintenance index, we were still able to get access. We didn’t contact them this time either, instead decided to deface another domain. These space agencies are not safe and we will continue to prove that!”
Ghost Squad Hackers.
Server-side request forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Attackers usually use SSRF to target internal systems that sit behind firewalls and are not accessible from the external network. An attacker may also leverage SSRF to access services available through the loopback interface (127.0.0.1) of the exploited server.
SSRF vulnerabilities occur when an attacker has full or partial control of the request sent by the web application. A common example is when an attacker can control the third-party service URL to which the web application makes a request.
Ghost Squad Hackers is an offshoot of the Anonymous hacking group and has many big-ticket web defacements/hacks to its credit. The recent GSH attacks took place in Australia, India, Pakistan, Thailand, and Zimbabwe. GSH gained notoriety in 2016 when it defaced Ethiopian government websites following a protest in which government security forces killed nearly 500 students and activists. The group also gained attention during the 2016 Presidential campaign when it launched distributed denial-of-service (DDoS) attacks on then-candidate Donald Trump’s website and shut down his hotel collection websites. GSH also famously leaked data considered sensitive by the Israeli Defense Forces, in an operation called #OpIsrael that it reportedly conducted along with Anonymous.
The group says it is not political and did the hacking/defacement for the lulz. It added that it would not leak any exposed data from hacked websites.