Pentester or Threat Actor? Open Directory Exposes Test Results and Possible Targeting of Government Organizations
Published on
Aug 7, 2024
Introduction
During routine research of newly identified open directories, the Hunt Research Team made a startling discovery: a server hosting standard pentesting tools and the results of a pentest report for a verified company.
Further investigation revealed a far more troubling find – a cache of credentials and email address lists likely for phishing belonging to government organizations in Egypt, Moldova, Nepal, Nigeria, Canada, and Ukraine.
This data, which is entirely unrelated to the pentest report, suggests malicious intent by the individual(s) administering the server. In this post, we will expand on our discovery and what it reveals about threat actors' continued targeting of foreign policy officials.
The 15,000-File Surprise
Hosted on the well-known and threat actor-friendly M247 ASN, 91.132.95[.]28 runs a Python 3.8.10 SimpleHTTP server on port 1899.
In addition to the open directory, the IP address resolves to a handful of suspicious domains spoofing Nepal’s Ministry of Foreign Affairs and what appears to be a Ukrainian agricultural company (PAEK).
A list of domains is provided below in Figure 1.
Figure 2 shows that the exposed server contains exactly 15,923 files. Due to the volume of files and subfolders, a detailed, file-by-file review is impractical. Instead, we focused on quickly identifying anything immediately suspicious that warranted a further look.
You’ll likely notice the large number of open-source tools our automation identified in the above screenshot. A non-exhaustive list of some of the tools included in the directory is below:
- Evilginx2 & 3
- Sliver
- Chisel
- Impacket
- Havoc C2
- Bloodhound
- Neo-reGeorg
- SecLists
- Gobfuscate
- Ligolo-Ng Proxy
- Mimikatz & Pypykatz
- LaZagne
- many more.
No one would blame you for seeing the above and concluding that it’s time to move on to the next directory.
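The kind of automated first pass described above (flag known tooling in a large listing, then surface the entries that deserve a human look) can be reproduced against a Python SimpleHTTP index page. The script below is an added example, not the Hunt team's tooling: it parses the HTML index that Python's http.server emits, then sorts each entry into "tool" (a name from the post's tool list), "sensitive" (names that look like credential dumps or target lists) or "other". The listing it parses is constructed for illustration and is not captured from the server discussed in the post.

```python
"""Triage a Python SimpleHTTP directory listing: parse the HTML index and
flag entries that match known offensive tooling or look like credential
and target material. Added example; the sample listing is constructed."""
from html.parser import HTMLParser
import re

# Constructed sample of the index page http.server generates for "/".
SAMPLE_LISTING = """<!DOCTYPE HTML>
<html><head><title>Directory listing for /</title></head>
<body><h1>Directory listing for /</h1><hr><ul>
<li><a href="Evilginx2/">Evilginx2/</a></li>
<li><a href="sliver/">sliver/</a></li>
<li><a href="Impacket-0.11/">Impacket-0.11/</a></li>
<li><a href="SecLists/">SecLists/</a></li>
<li><a href="SOCAR_AZ_EXTERNAL_PENTEST/">SOCAR_AZ_EXTERNAL_PENTEST/</a></li>
<li><a href="GLOBAL_AFFAIRS_EMAILS.txt">GLOBAL_AFFAIRS_EMAILS.txt</a></li>
<li><a href="MOMP_PASS">MOMP_PASS</a></li>
<li><a href="dc01.ntds">dc01.ntds</a></li>
<li><a href="notes.md">notes.md</a></li>
<li><a href="linpeas.sh">linpeas.sh</a></li>
</ul><hr></body></html>"""

# Lower-cased name fragments of the tools named in the post (non-exhaustive).
TOOL_KEYWORDS = ("evilginx", "sliver", "chisel", "impacket", "havoc",
                 "bloodhound", "neo-regeorg", "seclists", "gobfuscate",
                 "ligolo", "mimikatz", "pypykatz", "lazagne")

# Name patterns that suggest dumped credentials, target lists or engagement output.
SENSITIVE_PATTERNS = (
    re.compile(r"\.(ntds|sam|dit)$", re.I),        # AD / SAM database dumps
    re.compile(r"(pass|cred|emails?|mails|users)", re.I),
    re.compile(r"pentest|results", re.I),
)


class IndexParser(HTMLParser):
    """Collect the href of every <a> in the listing; http.server emits
    plain relative names, so absolute links and query strings are skipped."""

    def __init__(self):
        super().__init__()
        self.entries = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href and not href.startswith(("?", "/", "http")):
                self.entries.append(href)


def parse_listing(html):
    """Return the listing entries (directories keep their trailing '/')."""
    p = IndexParser()
    p.feed(html)
    return p.entries


def classify(entry):
    """Return 'tool', 'sensitive' or 'other' for one listing entry.
    Tool names are checked first so a tool directory is never mislabelled."""
    name = entry.rstrip("/").lower()
    if any(k in name for k in TOOL_KEYWORDS):
        return "tool"
    if any(pat.search(name) for pat in SENSITIVE_PATTERNS):
        return "sensitive"
    return "other"


def triage(html):
    """Group entries by class; the 'sensitive' bucket is the review queue."""
    groups = {"tool": [], "sensitive": [], "other": []}
    for entry in parse_listing(html):
        groups[classify(entry)].append(entry)
    return groups


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LISTING).items():
        print(f"{kind:>9}: {items}")
```

On a real listing the "tool" bucket is exactly the noise the post describes (known open-source tooling that on its own says little), while entries like a `.ntds` file or an `_EMAILS.txt` list land in the review queue regardless of how many files surround them.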
Scrolling further down the results page, we stumbled upon three folders that caught our attention: /SOCAR.COM/, /SOCAR_AZ_EXTERNAL_PENTEST/, & /SOCAR_RESULTS_EXCH.
socar[.]com is a European meat and poultry exporter. This first folder contains the usernames and email addresses of those at a Turkish subsidiary of Socar and the results of network scans.
The second folder contains files and sub-folders consistent with the findings of a penetration test (network and host scanning results, IP addresses, usernames, etc.). socar[.]az is the domain name for the state-owned onshore and offshore oil and gas company, also known as the State Oil Company of the Republic of Azerbaijan.
Finally, the folder “/SOCAR_RESULTS/EXCH,” as the name implies, contains three files indicating an attempt to brute force the Exchange server of the socar[.]az domain.
Although the domain names are similar, socar[.]com and socar[.]az are unrelated entities.
However, the presence of files timestamped in April 2024 across all three folders could raise the possibility that a red team engaged with both organizations and inadvertently exposed their server.
Unsatisfied with our initial findings, we investigated a few more files and folders that stood out to uncover further insights.
Countries & Organizations Targeted
As mentioned in the introduction, sensitive information from various international government agencies was also discovered in the directory.
Unlike the previously mentioned external pentest folder, this data is scattered throughout the server, suggesting the same care wasn’t taken as with the initial folder, and these “engagements” are likely unrelated.
Below is a list of the countries and organizations found on the server. We will further discuss each in separate sections.
- Canada → Global Affairs
- Egypt → Mechanical and Electrical Department, Ministry of Military Production
- Moldova → Ministry of Foreign Affairs
- Nepal → Ministry of Foreign Affairs
- Nigeria → Ministry of Foreign Affairs
- Ukraine → National Police Force
Canada
A text file simply named “GLOBAL_AFFAIRS_EMAILS.txt” contained roughly 100 email addresses for the domain international.gc[.]ca, which belongs to Canada’s Global Affairs office, dealing in diplomatic relations, international trade, and consular services.
Using OSINT sources (LinkedIn & Google), we matched the names in the email addresses to those of individuals currently or previously working for the above office.
A screenshot snippet of the emails (obfuscated for privacy) is below.
Egypt
The most concerning files originated from Egyptian government offices, specifically the Mechanical and Electrical Department (MED) and the Ministry of Military Production (MOMP).
User credentials for both entities, including .ntds and .sam files, were found, indicating access to the domain controller.
Note that many of the files seen below in Figure 5 had timestamps on different dates in January 2024.
A file named "MOMP_BLOODHOUND" contained output from the BloodHound tool, revealing easily identifiable attack paths.
Additional files, "MOMP_PASS" and "MOMP_USERS," contained usernames and passwords for the ministry’s network.
These findings suggest that the server administrator or another entity had significant unauthorized access to critical government systems.
Moldova
The files MD_MAILS and maeie.md_emails.txt contain the same email addresses for Moldova’s Ministry of Foreign Affairs (Ministerul Afacerilor Externe și Integrării Europene).
Nepal
The files “mofa.gov.np” and “nitc.gov.np” contain a mix of legitimate and lookalike subdomains that do not resolve to an IP address.
We assess that the fraudulent subdomains, like the domains identified in Figure 1, will likely be used for phishing or similar malicious activities. The domain nitc.gov.np belongs to the National Information Technology Center of Nepal.
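Separating legitimate hostnames from lookalikes in a file like the ones above is a small, mechanical job that is worth doing consistently, because the lookalikes are the ones worth monitoring and reporting for takedown. The script below is an added example, not the Hunt team's tooling: it reduces each hostname to a crude registrable domain, treats anything under the real zones as legitimate, and flags the rest as a lookalike when a label matches the brand name (or is one edit away from it, to catch substitutions such as a zero for an "o"). The hostnames it processes are constructed for illustration and are not from the server; the `.example` suffixes mark them as hypothetical. DNS resolution is kept in a separate optional helper so the classification itself runs offline.

```python
"""Classify hostnames as legitimate, lookalike or unrelated relative to a
set of real zones. Added example; the sample hostnames are constructed."""
import re
import socket

# Real zones from the post; the brand label is the first component.
LEGIT_ZONES = {"mofa.gov.np", "nitc.gov.np"}
BRANDS = {zone.split(".")[0] for zone in LEGIT_ZONES}

# Constructed sample: real-looking hosts mixed with hypothetical lookalikes.
SAMPLE_HOSTS = [
    "www.mofa.gov.np",
    "mail.mofa.gov.np",
    "mofa.gov.np",
    "mofa-gov-np.example",            # hypothetical: brand folded into one label
    "mail.mofa.gov.np.example",       # hypothetical: real zone as a subdomain
    "m0fa.gov.np.example",            # hypothetical: homoglyph substitution
    "nitc.gov.np",
    "webmail-nitc.gov.np.example",    # hypothetical: brand in a hyphenated label
]

# Second-level labels under which a third label is the registrable name
# (gov.np, co.uk style). Crude stand-in for a public-suffix list.
SHORT_SECOND_LEVELS = {"gov", "com", "co", "org", "edu", "net"}


def registrable_domain(host):
    """Crude eTLD+1: three labels when the second-level label is a common
    suffix such as 'gov', otherwise two."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SHORT_SECOND_LEVELS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_hits(host):
    """Brand names that appear as a label (split on '.' and '-'), exactly or
    within one edit, so 'm0fa' counts as a hit for 'mofa'."""
    tokens = re.split(r"[.\-]", host.lower())
    return {b for t in tokens for b in BRANDS if t == b or levenshtein(t, b) == 1}


def classify_host(host):
    """'legitimate' if under a real zone, 'lookalike' if it borrows a brand
    label without being under that zone, else 'unrelated'."""
    if registrable_domain(host) in LEGIT_ZONES:
        return "legitimate"
    if brand_hits(host):
        return "lookalike"
    return "unrelated"


def triage_hosts(hosts):
    """Group a hostname list by classification, preserving input order."""
    groups = {"legitimate": [], "lookalike": [], "unrelated": []}
    for h in hosts:
        groups[classify_host(h)].append(h)
    return groups


def resolves(host):
    """Optional network check: True if the name currently has an A record.
    Not used by the classification so the rest runs offline."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    for kind, items in triage_hosts(SAMPLE_HOSTS).items():
        print(f"{kind:>10}: {items}")
```

The one-edit rule is deliberately loose: it will also flag, say, "sofa" as a near-match for "mofa", so treat the "lookalike" bucket as a review queue rather than a verdict. Pairing `classify_host` with `resolves` over time is what turns a static list into something useful, since a lookalike that goes from unresolved to resolving is the signal that a phishing infrastructure is being stood up.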
Nigeria
Like the global affairs text file, FOREIGNAFFAIRS_MAILS.txt contains a list of Nigeria’s Ministry of Foreign Affairs email addresses.
Ukraine
The only file on the server targeting a law enforcement agency was npu_gov. This file contained several seemingly legitimate email addresses associated with the domain npu.gov.ua, which the National Police of Ukraine uses.
Conclusion
We began our investigation expecting to find just another open directory with open-source offensive security tools, but it quickly turned into something much more intriguing.
The presence of credentials and email address lists unrelated to the so-called external pentest folder raises critical questions: Does this server belong to a penetration testing company conducting authorized assessments, a threat actor who compromised the organizations, or another malicious entity that stole the documents from a different server? The true origin and intent remain unknown, warranting further scrutiny.
Are you curious about what other interesting finds await on exposed servers? Book a free demo today and explore over 8,000 open directories.
Threat Hunting Platform - Hunt.io
Products
Hunt Intelligence, Inc.