Hackers gain access to all .edu domains
The hacker collective "Hack the Planet" (HTP) has claimed responsibility for an attack on MIT (Massachusetts Institute of Technology) computer systems in late January, in which it claims to have briefly taken control of the university's domain, redirected email traffic, and obtained administrator access to all .edu domains. HTP also claims to have compromised the web servers of other sites, including those of the security tool Nmap, the network security service Sucuri, the IT security company Trend Micro, and the network analysis tool Wireshark.
Some of the hacks made use of a zero-day exploit against a vulnerability in the MoinMoin wiki system, which the group has now taken the opportunity to disclose. Hack the Planet has also released information about an exploit against web servers running ColdFusion 9 or 10. The group claims to have used a variant of this exploit for its April attack on the hosting company Linode.
HTP are a pretty hardcore bunch, though they are keen to stress their adherence to hacking's code of honour on their trawls through the web. In contrast to the carefree approach practised by more chaos-loving hackers of the LulzSec ilk, which involves simply pasting everything they uncover online, they appear to be more concerned with bragging rights. They document their deeds in old-school zines, consisting of scorn-laden ASCII documents with detailed descriptions of their adventures.
According to the latest zine, HTP has obtained access to a number of servers, including servers hosting the Nagios, Mono, Pastie, and SQLite projects. The hackers even claim to have compromised ICANN and the SourceForge backbone. They have published around 7500 .edu domain records together with unsalted MD5 password hashes. Nearly half (around 3400) of the records also include the password in plain text. Given the speed at which MD5 hashes can be tested, it is likely to be only a matter of time before the remainder are cracked. The registrar has declined to comment on whether or not it has a firm grip on the threat this poses.
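Why unsalted MD5 records are such a liability, and what the stored form should look like instead, is easiest to see on a small constructed user table. The following is an added illustration, not code from the article or from HTP: the user names and passwords are invented, `unsalted_md5` mimics the leaked storage format, and `hash_password` / `verify_password` show a salted, iterated PBKDF2-HMAC-SHA256 alternative with a constant-time comparison.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample table: three accounts, two of which share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "hunter2",
}


def unsalted_md5(password: str) -> str:
    """Legacy scheme: hex MD5 of the password alone, no salt.

    This is the form of the published .edu records. Because there is no
    per-user salt, every account with the same password stores the same
    32-hex-character value, and a single precomputed hash -> password table
    covers every site that stores passwords this way.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_password_count(users: Dict[str, str]) -> int:
    """Number of accounts whose unsalted hash duplicates another account's.

    Returns users - distinct hashes; any value above zero means shared
    passwords are visible in the dump without cracking a single hash.
    """
    return len(users) - len({unsalted_md5(p) for p in users.values()})


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 stored as 'iterations$salt$hash'.

    A fresh random salt per user makes identical passwords hash differently
    and defeats precomputed tables; the iteration count makes each guess
    cost far more than one MD5 computation.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def distinct_salted_hashes(users: Dict[str, str]) -> int:
    """With per-user salts, even shared passwords produce distinct stored hashes."""
    return len({hash_password(p).split("$")[2] for p in users.values()})


if __name__ == "__main__":
    print("accounts exposed by duplicate MD5:", shared_password_count(SAMPLE_USERS))
    print("distinct salted hashes:", distinct_salted_hashes(SAMPLE_USERS))
    record = hash_password(SAMPLE_USERS["alice"])
    print("verify correct password:", verify_password("correct horse", record))
    print("verify wrong password:", verify_password("wrong", record))
```

The point of the comparison is the one the article makes: once the hashes are unsalted MD5, the only remaining barrier is the raw speed of MD5, whereas a salted, iterated construction both removes the shared-table shortcut and raises the per-guess cost. Any site that still stores the legacy form should treat the records as already compromised and force a reset on next login.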
In the course of these activities, the anonymous group of hackers became aware that one or more of its members was passing information to the FBI. The group claims to have accessed the informant's webcam and observed an FBI handler standing behind the hacker giving instructions. How seriously HTP's claims should be taken will become clear over the next few days. In view of the well-documented hacks at Linode, at MIT and of the Nmap maintainer's server, it must be feared that most of the remaining details will also prove to be true.
In view of the published exploits for ColdFusion (ColdSub zero v2) and MoinMoin (Moinmelt.py), administrators of potentially vulnerable systems should keep a careful eye out for unusual activity over the next few days. Adobe has already plugged the ColdFusion vulnerability used against Linode with a hotfix, which users should install as a matter of urgency. The MoinMoin exploit appears to be directed against the vulnerability fixed in version 1.9.6 (CVE-2012-6081). Thomas Waldmann, who is responsible for security patches at MoinMoin, has told The H's associates at heise Security that MoinMoin versions 1.9.6 and later, and all third-party packages (e.g. from Linux distributors) patched with reference to CVE-2012-6081, are not vulnerable to the exploit.