GhostShell Returns, Exposes a Bunch of Companies with Open FTP Servers

Share this…

GhostShell, the Romanian hacker who recently revealed his true identity in a very candid exposé, has returned to the world of hacking with a new leak as part of his new campaign called Light Hacktivism.

His first leak after a few months of silence involves a list of 32 websites from where the hacker has taken readily available data containing sensitive information.

His targets include government agencies, educational institutes, and companies from the medical, industrial, retail, and other fields.

GhostShell pioneers another hacktivism concept – Light Hacktivism

The primary goal behind this leak is to bring to attention the weak security practices employed by many of today’s online businesses.

This new concept is called Light Hacktivism, as mentioned before, and it is in stark contrast to Dark Hacktivism, another concept introduced by the experienced hacker.

A former member of Anonymous and MalSec, and leader of Team GhostShell, Razvan Eugen Gheorghe, the hacker’s real name, has been around for years on the hacking scene and has reached the status of a mini Yoda, his actions representing more than just blind and random hacking.

Careless FTP configurations lead to disaster

GhostShell has told Softpedia that there are more leaks planned as part of Light Hacktivism campaign. The hacker has explained to us that the first batch of targets was hacked due to negligent admins.

Companies left open FTP ports and directories, where GhostShell found sensitive data and sometimes admin credentials for the whole server.

In some cases, GhostShell claims that he used these vulnerable FTP setups to escalate his access to the entire server, from where he exfiltrated more or less sensitive information.

Some of the data has been edited, censored

“Since I wanted to [be] clear and taken serious about this I have leaked some credit cards information, however it is recently expired,” GhostShell says. “I am willing to prove more in private to any researcher out there that even CC/CCv is stored in plaintext on open ports.”

“Medical data is also present but it has been censored, the sensitive stuff. Still, accounts – usernames, password are present. Personal identities, names, addresses, phone numbers etc. are also there,” he also adds.

“Never underestimate the most simple vulnerabilities out there as they often end up being anyone’s downfall. Light Hacktivism is about finding and exposing those vulnerabilities to the public so that they can be patched,” GhostShell explains.

On the other hand, Dark Hacktivism, a hacking concept pioneered by GhostShell last summer, was intended to demonstrate the target’s inadequate security, without harming them, but using “cyber war” tactics, employed by actual hackers.

Light Hacktivism is the exact opposite, aimed at showing a network’s weakness by exploiting non-aggressive techniques and already-existing vulnerabilities and misconfigurations that are easy to exploit, such as open FTP ports for this case, or passwordless MongoDB databases, as a Dutch security researcher showed last week.

Links to paste sites holding the dumped data

Links to paste sites holding the dumped data

As for the leaked data, we found all sorts of personal details. GhostShell released details from 32 sources, dumping each site’s data on three paste sites simultaneously.

At the time of writing, some of the paste URLs have already started going down, most likely after being reported, even if they were up yesterday.

Searching through the data, we discovered credit card numbers, AOL accounts with cleartext passwords, all sorts of login information (usernames and hashed passwords), and datasets with names, home addresses, email addresses, and all sorts of personal details.

Below is a list of targets from where GhostShell has taken data and dumped it online, via Twitter.