
Italian Ministry of Health breached, passwords in cleartext? A first assessment of the situation

Last updated: 2021/11/03 10:50.

On 2 November, Andrea Draghetti of D3Lab reported an announcement, published the previous day on a well-known hacking forum, according to which the website of the Italian Ministry of Health had been breached.

As proof, the author of the breach posted an extract of Apache logs that refers to nsis.sanita.it and contains logins and passwords in cleartext (in the form Ecom_User_ID=ID[omissis]&Ecom_Password=[omissis]).
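The failure mode that log extract illustrates is credentials travelling in the URL query string, which every web server then writes to its access log in cleartext. As an added example (not code from the post, the forum or the Ministry), here is a defender-side check that scans Apache combined-format access logs for exactly that pattern and reports the leaking requests with the secret redacted. The hostnames, IPs, paths and values below are constructed; the parameter-name list is an assumption, not anything from the page.

```python
"""Detect credentials leaking into Apache access logs via URL query strings.

Added example, not from the original post. The sample log lines are constructed
to resemble the pattern the post describes (Ecom_User_ID=...&Ecom_Password=...);
every IP, path and value is invented.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: client, ident, user, [time], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names that should never travel in a URL (and so never reach a log line).
# This list is an assumption for the example; extend it for your own applications.
SENSITIVE_PARAMS = re.compile(r'(pass(word|wd)?|pwd|secret|token|apikey|api_key)', re.IGNORECASE)

def redact(value: str, keep: int = 2) -> str:
    """Keep a short prefix so analysts can correlate records without exposing the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def find_leaked_credentials(log_text: str):
    """Return one finding per request whose query string carries a sensitive parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = urlsplit(m.group("target"))
        params = parse_qsl(target.query, keep_blank_values=True)
        leaked = {k: redact(v) for k, v in params if SENSITIVE_PARAMS.search(k)}
        if leaked:
            findings.append({"client": m.group("client"), "time": m.group("time"),
                             "path": target.path, "params": leaked})
    return findings

# Constructed sample: one leaking GET, one clean POST (credentials in the body), one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2021:09:12:44 +0100] "GET /login?Ecom_User_ID=ID00000&Ecom_Password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2021:09:12:45 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Nov/2021:09:13:01 +0100] "GET /static/app.js?v=3 HTTP/1.1" 200 5120 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for finding in find_leaked_credentials(SAMPLE_LOG):
        print(finding)
```

A hit from this check means the fix belongs in the application (credentials only in a POST body over TLS, never in the URL) and in log retention, since the log files themselves have become a credential store.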

The proof is accompanied by a very bizarre account that accuses the Ministry's technicians of having forged emails in the name of "judges of the Ministry of Justice" [sic] and of having used them to threaten the person who had reported the site's vulnerability to the technicians, in order to silence him. According to the author, access to vaccines is also involved. This is a very serious accusation which, I stress, is not confirmed at this time.

An insider has, however, confirmed to me that the breach of the Ministry of Health's site is real. Another source, pending confirmation, has told me that on 13 October there was reportedly a general reset of the site's passwords.

The passwords contained in the dump are of this kind (for safety I omit some characters and the corresponding user IDs):

FAJKSKSF***
f2a***
a2g2ga***
ads**
Acquamarina**
Vaccini.20******
Appell***
Ekibio20***
Gabriel***
Gambuzzel****
Boletus*****

As always, if anyone has further information, my Signal is open at the coordinates you will find in the sidebar of this blog.

Below I reproduce verbatim the bizarre account published by the author of the breach, without thereby meaning to give his story any particular credit. Boastful reports of this kind are extremely frequent and often false; had I not received confirmation of the breach from a reliable source, I would not even have reported this announcement.

Long story of how this happened:

I'm online writing a script for some 0's I wanna test, here comes a contact
asking me if I could get vaccines, asks for EU, he specifically asked for
Italy.
I thought "No problem", Italian devs are chimps, it will be ez if it all works
by web.
I did not think it would be THAT ez, after less than 1h I found a hole and it
took me 8 hours to have complete control over the DBs, Linux shell with 90%
privilege (and I had 0 knowledge of the underlying infrastructure or system
lmao).
I got some credentials, gave the vaccine to my friend and started getting to
know the system better,
lo and behold,
there was access to too much critical infrastructure, I could've had people
arrested by cancelling their vaccines, I could've gotten data about shipments,
containers, anything ANYTHING healthcare related, I had access to 100%, mail
servers, bla bla bla, 100% pwned.

Due to there being too much critical infrastructure and not having any fitting
operation to do with it, I decided to pay for a jabber advert and find a buyer.

I get contacted by a guy,
he asks for screenshots,
tells me that he's starting a cyber sec company and he would like to buy it
(the access) to report it,
I tell him not to do it because in Italy they are chimps and he is only
wasting money,
he ignores me and keeps asking for the access,
I sell him the accesses for 15k$ in monero,
he contacts the technicians to report it, tells them his name and company
> technician says they were not aware of the hack and it was not possible
(they had been hacked for 7 days~ already, they are most surely not able to do
their job) they asked him to send proof by email, he asks me for proof and he
forwards it to the 'technicians'
> one day goes by, then they write him an email asking for more information
and more about a possible "partnership"
> they stop answering
> my client sends them an email asking to notify everyone (millions) as per
GDPR law of the breach,
> (the technicians department of the Ministry of Healthcare people) start
forging emails with Ministry of Justice judges' names and they
blackmail him
1) The technicians did not lawfully oblige to disclose breaches as per GDPR
European law.
2) They blackmailed a whitehat security researcher by email with fake
names,
3) They blackmailed him on instagram (WTF)
4) They removed a page thinking it would fix the problem, instead of hiring
someone professional. They are still vulnerable.
By not going through the official and right way, they have achieved shitting on
any law and leaving one of the most if not the most critical infrastructure
vulnerable.

tl;dr
Don't target Italian systems because they are poor retarded chimps, this poor
guy wasted 15k in the hope that, since millions of people and the most critical
infrastructure got hacked, by reporting it they would then
publish a statement of breach to notify the millions involved and quote his
company for notifying them.
He learned the hard way Italy is not a country but instead a mafia,
since I've never heard of a legit country like Germany or Denmark's Ministry
being notified of a breach and blackmailing the person that let them know it
for this information to not become public.

btw I spoke with him (my customer) and he told me so today, he told me that "I
attempted writing to the media and got no response, I attempted disclosing it
to the technicians and I got blackmailed, I have no use for this anymore, I
consider my money wasted, do as you please with it"
so, take this as a reminder from a BH to both WH and BHs on here, don't work
with Italy, let them be abused and die as a country, because surely they don't
have a system that is worth defending (nor pwning).

List of the DUMP:
SAML Keys:
[omissis]

Authentication Certificates:
[omissis]

[16:52] [server1.[omissis].me var] # cat accounts.log
[omissis]

Concluding thoughts.

The servers had been vulnerable for 11+ years already,
there was no monitoring of any kind, I did not delete any log or hide my
access in any way, as my customer had asked, as he would've preferred to report
it and show there was no malicious intent, rather, just report it and get
a deal written.
There was no security, it got hacked in 8 hours.
Government servers are rented on the same subnets, due to dumped keys, I
think it's very much possible you could query the other DBs, other than just
the Healthcare one, aka Police etc, so it was not done since when I thought of
this I had already sold the access and he requested that no damage or further
compromise be done.

In Italy the tax is 40% (1-time, or 80% if you count also buying it and
reselling it), just imagine going to work 40% of your working day EVERY DAY to
pay people's salaries for 12 years for them to do NOTHING, not set up any
security, get hacked in 8h, and instead of following laws and notifying everyone
go out of their way to blackmail the white hat guy.
When even the people in the state start doing unlawful things, you might start
to wonder if such a state should exist.
From today I surely deem Italy no longer a state but rather a Mafia.
