“I attacked Joomla.”
Well, that’s one way to get our attention.
Joomla is one of the biggest names in plug-and-play website building software. Instead of relying on plugins the way WordPress does, Joomla’s claim to fame is its multi-featured nature, equipped out of the box with such popular additions as an automatic newsletter publisher. Because of its robust nature and its ease of use, it’s popular with small and medium businesses without a dedicated IT staff. In other words: the demographic least equipped to deal with hackers. It must have sent a chill through the userbase to know that a prominent Joomla developer had been hacked and defaced with scary visuals, mockery, and bombastic music by a relatively unknown hacker crew claiming allegiance to both Anonymous and the pro-ISIS Cyber Caliphate.
Or it would have, that is, if any of them had noticed.
Joomla the organization itself was not hacked, just one site, which had dozens of subdomains tinkered with. The hack of Bangalore-based Joomla developers Jextn occurred on June 1, and was noted and mirrored on the hack archive Zone-H. The various subdomains of the website were defaced; essentially the contents were all still there, but they were plastered over with a scary, black poster calling out the security on the website. Don’t worry, that Jextn link is perfectly safe now.
On June 1, however, it was a much more alarming-looking page.
[!]Struck By Dr.AFN[D]ENA[!]
AnonCoders Team was here
Hello Joomla Development Companies
-_- Where your Team Security i think you Team Security in noon -_- [napping]
Exploit:upload :D Yes Security down
Albania Attacker/SvBoyw/Black Worm/S@NT3T3/Dr.T3rr0r/DarkShadow-TN/Dr.AFN[D]ENA/Virus Noir/M4XS4L1M1/Sys Ghost/Al-Far3aPirate/Dr.Pixl
And with that, AnonCoders entered our awareness. We’d seen some of their posts shared on Facebook; the group itself posts records of its “kills” to its 1,100-like Facebook page, from which many Anonymous pages and groups share them out, and many of the individual members have their own pages on the social platform. Not great for OpSec, but essential if you want to get noticed, and they want to get noticed.
Shortly after the hack, we received a tip about it, but thanks to factors as varied as post-conference flu and skepticism resulting from the obvious continuing good health of Joomla.com, we paid little attention at first. On June 10, we received a message purportedly from the hacker himself, Dr Afn[d]ena, claiming not only the Jextn hack but also the far more important (and mediagenic) hack of France’s public broadcaster, TV5Monde. On April 9, TV5Monde’s social media accounts were hacked, and its broadcasts on all 11 channels knocked off the air by hackers claiming to be the Cyber Caliphate. Now AnonCoders was taking credit for that hack as well as the relatively minor Jextn hack.
This, we decided, was worth following up.
Over the next several hours, wrestling with significant language barriers and recalcitrant WordPress, we conversed with a Facebook account claiming to be Dr Afn[d]ena’s “civilian name” account. To prove his identity, he posted a “hello Cryptosphere” post to the Dr Afn[d]ena Facebook page. If he’s not the good doctor himself, he’s at least either a trusted lieutenant or a hacker good enough to seize control of the page for reasons of his own.
As he explains it (and Facebook linkages and Zone-H archives bear out), AnonCoders is a relatively new crew, but made up of hackers with significant track records. “We have members from all countries,” he told us, stretching things somewhat as the crew has only nine named members. “AnonCoders was created in 2 January 2015.” Their first Facebook page had to be abandoned when they lost the administrator to unnamed pressures. The second is active now, as members post ongoing tangodowns and defaces; they certainly do not let the grass grow under their keyboards.
“In January we attacked a lot of important Israeli sites to spread our message: Free Palestine. And then after Charlie Hebdo offended our Prophet, in February, we attacked 500+ French sites. Now we are targeting government websites and important websites around the world.”
“We Are: Albania Attacker/Black Worm/Dr.T3rr0r/Dr.AFN[D]ENA/Sys Ghost/AnoaGhost/Slim El/M4XS4L1M1/Virus Noir.”
We got straight to the point, asking why they had bothered with Jextn at all. The answer was, paraphrasing, “it was there.” And it was vulnerable. And it was, apparently, claimed to be perfect by its security people. Grey hat hackers cannot stand to see an unpatched vulnerability, and will often bring it to a company’s attention, either in hopes of getting a cash reward (a “bug bounty”), or simply so these sometimes-OCD types can sleep at night.
That’s just what Dr Afn[d]ena said he had done in this instance; once he discovered the vulnerability, he contacted Jextn tech support, where he got the stern denial and brush-off routine. This is not wise, if the vulnerability is real and the person reporting it can prove that to you…as he claims he did.
“‘I challenge you,’” he claims he said to them. “‘Only have a [good] security system.’ And they used a bug in the local server.”
We contacted Jextn, but have not yet received a response. The website is back and sanitized now, with no traces of beret-sporting skulls, crew shout-outs, or bombastic music.
He claims that he got in through a pre-existing backdoor, and once inside had no difficulty posting the deface on an enormous number of sub-pages.
“The subdomain [allowed] upload.” Upload, that is, from someone other than authorized personnel. “I tried to communicate with technical support to them before the breach, but [they] ignore it. ‘Of your site: there is a bug. Hackers can change the main page of the site.’[ ]I sent them the way.”
Tech support, he says, was not on board with that at all. “He said that ‘This is not true. You should not be played with something. Complaint is incorrect.’ I want [to] send the warning for Joomla: You should change your security team.”
“You have the set of noobs.”
Bam! Smackdown, laid.
“Low Security, No System Is Safe. We Attacked TV5 Monde Too.”
Okay, whut? The TV5Monde hack made headlines around the world: first when it occurred, and again when the hapless staffers went on television to explain the hack, with the new usernames and passwords clearly visible on a board behind them. OpSec, people!
Naturally, we asked what TV5Monde had done to make it a target. Just because it had weak security?
The Zone-H archive of hacks for Dr Afn[d]ena, which goes back more than a year, does not include the TV5Monde hack, although on the day of the hack he was credited with 24 mass defacements of other French websites. Clearly, he had an interest in the country on that specific day (and his language pattern definitely does not suggest a native French speaker).
Interestingly, just as Dr Afn[d]ena was talking to us, claiming the hack, French magazine L’Express (via Reuters) was reporting that two separate security companies had traced the hack to Russia instead, a major twist in what at first appeared a bog-standard ISIS-supporting case. FireEye, a US company, suggests the real motivation for the attack was payback for France’s bailing on delivering some military aircraft to Russia (because of Russian incursions into Ukraine). FireEye and Trend Micro both agreed that the malware used was Russian in origin, and that a Cyber Caliphate site boasting about the hack was actually using an IP address associated with a known Russian hacker crew, possibly state-sponsored.
Neither company ruled out the possibility of Russian/Islamic cooperation, but given the history of Russian/Islamic statist relations over the past few decades, i.e., all-out war, that would seem even less likely than a purely Russian operation.
Meanwhile, back on Facebook, Dr Afn[d]ena explained the motivation for his crew’s hack of TV5Monde. If indeed it was theirs to claim.
Why hack a hapless public broadcaster? “For the defense of the oppressed, the defense of the Palestinian cause, and defending Islam.”
“I forgot to tell you something: The goal of the first team is to spread message that : Muslims Are not terrorists. We are changing all the main interface, we don’t delete any file. We spread the message and our goal [is] not vandalism.” In other words, they don’t raid databases for emails and passwords, they don’t mess with payroll systems, they don’t do damage other than the defaces they put up, which are easily removed.
“Governments Are The Real Terrorists. Not Us.”