(Note: Earlier this week, I presented evidence of a Finnish individual by the name of Julius Kivimaki being the perpetrator behind the EC-Council hack over the weekend. You should read that post first, if you haven’t already.)
tl;dr: Last weekend, a person using the nickname ‘Eugene Belford’ took over the DNS for the EC-Council, an organization that certifies “Ethical Hackers”, and pointed it to his server, where he displayed a picture of Edward Snowden’s US passport.
Last night, our team obtained access to the server used in the EC-Council hack. Somebody asked for, and received from Julius, a shell on his server for the purposes of sending spam and phishing emails. This person turned the shell over to us; we then elevated to root access and had a look around. Here’s a small list of what we uncovered:
- httpd logs of 5 different sites Mr. Kivimaki redirected to his server
- Entire database dumps from the Linode breach mentioned in the last post
- A 16MB file containing nothing but credit cards from the Target breach
- Employee ID badges from Metro Bank
- XMPP logs from Julius discussing stolen cards with another individual
- Over 300MB of compromised email, PayPal, and bank accounts
- A 400MB database dump from a large French real estate company
- And possibly the most damning crime of all, lots and lots of copyright infringement
(Still think he’s just a misguided young lad, trying to do the right thing by exposing EC-Council’s poor security?)
I would very much like to make available to you an entire dump of his server, but unfortunately, due to the illicit nature of pretty much all of the material present, I had to manually pick and choose things to share with the public. Everything else has already been turned over to federal law enforcement.
When I mentioned on Twitter the presence of httpd logs on this server, somebody found a few other sites Mr. Kivimaki has redirected to this box (tweet by Conrad Longmore, @ConradLongmore, 27 February 2014).
This, in my opinion, is the single best way for me to prove that this server was involved in the breach, besides its IP address having been in EC-Council’s DNS. If you visited eccouncil.org at any time between 22 February at 23:25:17 and 23 February at 06:25:01 (the logs rotated, unfortunately), your IP address and user agent will be in that file. That said, here is a list of websites “hosted” on Mr. Kivimaki’s server that we have logs for. The access logs are gzipped, due to their size.
cardrockcafe.cc – Access / Error
ccbases.com – Access / Error
eccouncil.org – Access / Error (Also the server general log)
rescator.so – Access / Error
ssndob.cc – Access / Error
All 10 files – .tar.gz / .zip
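If you want to check whether your own address is in the eccouncil.org access log, the file is in Apache’s standard “combined” format, and the check is a matter of parsing each line, keeping the entries that fall inside the window quoted above, and collecting client IP and User-Agent per entry. The following is an added example written for this post, not code from the server or from anyone involved; the sample lines are constructed (RFC 5737 documentation addresses), and the UTC timezone on the window is an assumption, since the post gives the times without a zone. Malformed lines (the logs were rotated mid-stream and may be truncated) are skipped rather than aborting the run.

```python
import gzip
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, NamedTuple, Optional, Set

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The window quoted in the post. The post gives no timezone, so UTC is an
# assumption here; the %z field of each log line is what is actually compared.
WINDOW_START = datetime(2014, 2, 22, 23, 25, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 2, 23, 6, 25, 1, tzinfo=timezone.utc)


class Hit(NamedTuple):
    ip: str
    ts: datetime
    request: str
    status: int
    user_agent: str


def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-format line; return None for anything malformed."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Hit(m["ip"], ts, m["req"], int(m["status"]), m["ua"])


def hits_in_window(lines: Iterable[str], start: datetime, end: datetime) -> Iterator[Hit]:
    """Yield parsed hits whose timestamp falls inside [start, end]; skip junk lines."""
    for line in lines:
        hit = parse_line(line)
        if hit is not None and start <= hit.ts <= end:
            yield hit


def ips_seen(lines: Iterable[str], start: datetime, end: datetime) -> Dict[str, Set[str]]:
    """Map each client IP seen in the window to the set of User-Agents it sent."""
    seen: Dict[str, Set[str]] = {}
    for hit in hits_in_window(lines, start, end):
        seen.setdefault(hit.ip, set()).add(hit.user_agent)
    return seen


def was_here(lines: Iterable[str], ip: str, start: datetime, end: datetime) -> bool:
    """True if `ip` made at least one request inside the window."""
    return any(hit.ip == ip for hit in hits_in_window(lines, start, end))


def open_log(path: str):
    """Open a plain or gzipped access log as text (the published logs are .gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    return opener(path, "rt", encoding="utf-8", errors="replace")


# Constructed sample lines, not taken from the real log. Line 4 is one second
# past the window and must be excluded; line 5 is deliberately broken.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Feb/2014:23:30:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"
198.51.100.21 - - [22/Feb/2014:23:31:45 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "http://eccouncil.org/" "Mozilla/5.0 (Macintosh) Safari/537.36"
203.0.113.7 - - [23/Feb/2014:01:02:11 +0000] "GET /image.png HTTP/1.1" 200 88213 "http://eccouncil.org/" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"
192.0.2.99 - - [23/Feb/2014:06:25:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.35.0"
this line is not a log entry
"""

if __name__ == "__main__":
    # For the real file: lines = open_log("eccouncil.org-access.log.gz")
    for ip, agents in ips_seen(SAMPLE_LOG.splitlines(), WINDOW_START, WINDOW_END).items():
        print(ip, sorted(agents))
    print(was_here(SAMPLE_LOG.splitlines(), "192.0.2.99", WINDOW_START, WINDOW_END))
```

Because the window comparison is done on the timezone-aware timestamp parsed from each line, the script gives the right answer even if the server’s clock was not set to UTC; only the two constants above embody the UTC assumption.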
Also found was a chat log between him and another individual at the Jabber/XMPP address [email protected], who has close ties with Mr. Kivimaki. You can view it here; however, I had to redact some database dumps and personal information. In the chat log, Kivimaki and f0x share lists of PayPal account email addresses and their corresponding passwords, and a bash script for bulk retrieving PayPal account history for these accounts.
And some smaller things we found:
A chat log between Kivimaki and ‘hann’, wherein hann begs Kivimaki for resources
Fuhosin, a PHP shell that Kivimaki uses to bypass web server security, written by HTP
The story of somebody who was SWATed by Kivimaki, presumably kept by him as a trophy
A Python “shell” used by Kivimaki to gain access to a server, in order to compromise it further
A script made by Kivimaki to use parts of Fuhosin in an effort to DDoS “League of Legends”
I personally find it interesting that all of the tools that Mr. Kivimaki uses were written by the very group he was kicked out of. It’s almost like he still thinks he’s an HTP member. I suppose another way to put it would be to point out that Julius writes none of his own tricks. He is, thus, the very definition of a script kiddie. Picking up a telephone isn’t hacking, and social engineering doesn’t take very much skill at all.
Finally, once Kivimaki learned that we were inside his machine, we made a few creative changes to it that outright prevent it from starting up. Mr. Kivimaki’s choices to recover his server are either reformatting it, losing all of his work, or paying Ecatel hundreds if not thousands of dollars in ‘remote hands’ fees to diagnose and solve the problem. As of the writing of this post, his server is still in an unusable state, and the FBI has a copy of almost everything on the disk. RIP.
Addendum: SWATing calls
(1 March 2014 23:10) A few weeks ago, our team was able to record Julius Kivimaki and a friend (‘chF’, or Devin Bharath of Ontario, Canada) placing prank phone calls to 9-1-1 dispatch centers in an attempt to “SWAT” various targets, including the family of FBI Special Agent Ryan Brogan. It gets a little tricky, because Skype won’t allow 9-1-1 calls out. We’ve had to redact most of it to protect team member identities, but rest assured that the entire hour of recording is in the hands of law enforcement.
First, a call from chF, to a non-emergency dispatcher, claiming to be Ryan King
Second, a call from Kivimaki, to a dispatcher, pretending to be a suicidal individual
Lastly, we located another swatting call on Kivimaki’s old server (he had to reimage it. RIP.), but we aren’t quite sure it’s him. It just doesn’t have the right hint of stupidity.
Bonus: Voicemail Frenzy!
To be perfectly honest, when an hour-long recording hit the inbox, I thought for sure I’d be able to squeeze more than two calls out of it. Alas, the folks recording the SWAT calls were also trying to do multiple things at once, and ultimately weren’t able to record very many entire phone calls. To make it up to you guys, I was able to fish these recordings out of my voicemail. All three of them are from Julius Kivimaki. I guarantee you’ll love at least the last one. Especially if you still think he’s just a poor, innocent 16-year-old.
The first message is a prank voice mail in which he offers to deliver pizzas to me.
Second, Julius vents romantic feelings for me, and serenades me with Rick Astley!
Finally, we have a message that is not safe for work. I guess he was mad about something.
Can you count all the F bombs?