
2021/11/02

Italian Ministry of Health breached, passwords in plaintext? A first assessment of the situation

Last update: 2021/11/03 10:50.

On November 2, Andrea Draghetti of D3Lab flagged an announcement, posted the previous day on a well-known hacking forum, claiming that the website of the Italian Ministry of Health had been breached.

As proof, the author of the breach posted an extract of Apache logs that refers to nsis.sanita.it and contains logins and passwords in plaintext (in the form Ecom_User_ID=ID[omissis]&Ecom_Password=[omissis]).
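The evidence above shows why credentials sent in a GET query string are dangerous: Apache writes the full request line, query string included, to its access log. The following Python is an added example (not code from the post or from the Ministry's systems) that scans combined-format access log lines for the parameter names quoted above and redacts them; the log lines and the password value are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in Apache "combined" format (not real Ministry logs).
# The Ecom_User_ID / Ecom_Password parameter names are the ones quoted in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2021:09:12:01 +0100] "GET /login?Ecom_User_ID=ID12345&Ecom_Password=Example123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Nov/2021:09:12:07 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Nov/2021:09:13:44 +0100] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""

# Query-string parameter names that should never reach an access log (assumed list).
SENSITIVE_PARAMS = {"ecom_password", "password", "passwd", "pwd"}

# Matches the quoted request line: method, request target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def find_credential_leaks(log_text):
    """Return (line_no, method, leaked_param_names) for every request whose
    query string carries a sensitive parameter."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        leaked = [k for k, _ in parse_qsl(query, keep_blank_values=True)
                  if k.lower() in SENSITIVE_PARAMS]
        if leaked:
            hits.append((n, m.group("method"), leaked))
    return hits


def redact_line(line):
    """Replace the value of each sensitive query parameter with [REDACTED],
    leaving the rest of the request target (path, other parameters) untouched."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    if not parts.query:
        return line
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_target = urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))
    return line.replace(m.group("target"), new_target, 1)
```

Redaction only limits what an existing log leaks; the actual fix is for the application to accept credentials only in a POST body over TLS, so they never appear in a request line at all.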

The evidence is accompanied by a very bizarre story, which accuses the Ministry's technicians of having forged emails in the name of "judges of the Ministry of Justice" [sic] and of having used them to threaten the person who had reported the site's vulnerability to the technicians, in order to silence him. According to the author, access to vaccines is also involved. This is an extremely serious accusation which, I stress, is not confirmed at present.

An industry insider, on the other hand, has confirmed to me that the breach of the Ministry of Health site is real. Another source, pending confirmation, told me that on October 13 there was reportedly a general reset of the site's passwords.

The passwords contained in the dump are of this kind (for safety I omit some characters and the corresponding user IDs):

FAJKSKSF***
f2a***
a2g2ga***
ads**
Acquamarina**
Vaccini.20******
Appell***
Ekibio20***
Gabriel***
Gambuzzel****
Boletus*****

As always, if anyone has further information, my Signal is open at the coordinates you will find in this blog's sidebar.

Below I reproduce verbatim the bizarre story published by the author of the breach, without thereby meaning to give any particular credit to his story. Boastful reports of this kind are extremely frequent and often false; had I not received confirmation of the breach from a reliable source, I would not even have reported this announcement.

Long story of how this happened:

I'm online writing a script for some 0's I wanna test, here comes a contact asking me if I could get vaccines, asks for EU, he specifically asked for Italy.
I thought "No problem", Italian devs are chimps, it will be ez if it all works by web.
I did not think it would be THAT ez: after less than 1h I found a hole and it took me 8 hours to have complete control over the DBs, Linux shell with 90% privilege (and I had 0 knowledge of the underlying infrastructure or system lmao).
I got some credentials, gave the vaccine to my friend and started getting to know the system better,
lo and behold,
there was access to too much critical infrastructure, I could've had people arrested by cancelling their vaccines, I could've gotten data about shipments, containers, anything ANYTHING healthcare related, I had access to 100%, mail servers, bla bla bla, 100% pwned.

Due to there being too much critical infrastructure and not having any fitting operation to do with it, I decided to pay for a jabber advert and find a buyer.

I get contacted by a guy,
he asks for screenshots,
tells me that he's starting a cyber sec company and he would like to buy it (the access) to report it,
I tell him not to do it because in Italy they are chimps and he is only wasting money,
he ignores me and keeps asking for the access,
I sell him the accesses for 15k$ in monero,
he contacts the technicians to report it, tells them his name and company
> the technicians tell him they were not aware of the hack and it was not possible (they had been hacked for ~7 days already, they are most surely not able to do their job), they ask him to send proofs by email, he asks me for proofs and he forwards them to the 'technicians'
> one day goes by, then they write him an email asking for more information and more about a possible "partnership"
> they stop answering
> my client sends them an email asking them to notify everyone (millions) of the breach as per GDPR law,
> (the technicians department of the Ministry of Healthcare people) start forging emails with the names of Ministry of Justice judges and they blackmail him
1) The technicians did not fulfil their obligation to disclose breaches as per GDPR European law.
2) They blackmailed a whitehat security researcher by email with fake names,
3) They blackmailed him on instagram (WTF)
4) They removed a page thinking it would fix the problem, instead of hiring someone professional. They are still vulnerable.
By not going through the official and right way, they have achieved shitting on any law and leaving one of the most, if not the most, critical infrastructure vulnerable.

tl;dr
Don't target Italian systems because they are poor retarded chimps. This poor guy wasted 15k in the hope that, since millions of people and the most critical infrastructure got hacked, by reporting it they would then publish a statement of breach to notify the millions involved and quote his company for notifying them.
He learned the hard way that Italy is not a country but instead a mafia,
since I've never heard of a legit country like Germany or Denmark where a Ministry was notified of a breach and blackmailed the person that let them know, so that this information would not become public.
btw I spoke with him (my customer) and he told me so today, he told me that "I attempted writing to the Media and got no response, I attempted disclosing it to the technicians and I got blackmailed, I have no use for this anymore, I consider my money wasted, do as you please with it"
so, take this as a reminder from a BH to both WHs and BHs on here, don't work with Italy, let them be abused and die as a country, because surely they don't have a system that is worth defending (nor pwning).

List of the DUMP:
SAML Keys:
[omissis]

Authentication Certificates:
[omissis]

[16:52] [server1.[omissis].me var] # cat accounts.log
[omissis]

Conclusion Thoughts.
The servers had been vulnerable for 11+ years already,
there was no monitoring of any kind, I did not delete any log or hide my access in any way, as my customer had asked, since he would've preferred to report it and show there was no malicious intent, rather, just report it and get a deal written.
There was no security, it got hacked in 8 hours.
Government servers are rented on the same subnets, and given the dumped keys I think it's very much possible you could query the other DBs, other than just the Healthcare one, aka Police etc, but this was not done since when I thought of this I had already sold the access and he requested that no damage or further compromise be done.
In Italy the Tax is 40% (one-time, or 80% if you count also buying it and reselling it), just imagine going to work 40% of your working day EVERY DAY to pay people's salary for 12 years for them to do NOTHING, not set up any security, get hacked in 8h, and instead of following the laws and notifying everyone go out of their way to blackmail the white hat guy.
When even the people in the state start doing unlawful things, you might start to wonder if such a state should exist.
From today I surely deem Italy no longer a state but rather a Mafia.

