Hacker GhostShell is back, leaking data from 32 companies with open FTP directories

Beware admins with lax security hygiene. The hacker GhostShell is back, leaking data from 32 targets with open FTP and promising more 'light hacktivism' dumps to come.

hacker hack
Credit: Gerd Altmann

Beware lazy admins! You surely didn’t leave open FTP ports, but you might want to double-check a few things before you end up in a data dump highlighting poor cybersecurity hygiene. It doesn’t take an uber hacker to find open FTP directories, but a fairly infamous hacker, GhostShell, intends to disclose those security holes and dump the data online.

A few months ago, GhostShell doxed himself with the hope it would result in being offered a legitimate “white hat” job in cybersecurity. The 24-year-old Romanian hacker, Razvan Eugen Gheorghe, lived a mere 1.2 miles from a law enforcement squad which has previously arrested other active hackers. He allegedly believed the doxing might get him arrested, but then he could reach a plea bargain to use his skills for good by gaining employment as a white hat.

That plan must not have worked out so well for him, because GhostShell is back; he kicked off a “light hacktivism” campaign which includes a data dump from 32 targeted sites, from “over a dozen industries,” putting “millions of people at risk.”

GhostShell light hacktivism targets 32 sites @GhostShellNews

On Pastebin, GhostShell wrote:

This is me raising awareness to the on-going open FTP directories that still plague the net even after all these decades. Despite warnings in the past about the dangers posed by leaving your ports open and unprotected, netizens small and large are still paying no attention to it effectively leaving their networks unprotected to even the newbies of this industry.

I've comprised a list of targets that range across the field, from government, educational, medical, industrial, retail, personal and many others.

GhostShell wants the leak to be taken seriously, he said, so he “leaked some credit card information” that has “recently expired.” He added:

I am willing to prove more in private to any researcher out there that even CC/CCv is stored in plaintext on open ports. Medical data is also present but it has been censored, the sensitive stuff. Still, accounts - usernames, password are present. Personal identities, names, addresses, phone numbers etc. are also there.

He advised never underestimating the simplest of vulnerabilities since they often “end up being anyone’s downfall. Light Hacktivism is about finding and exposing those vulnerabilities to the public so that they can be patched.”

GhostShell told Softpedia that more leaks are planned. “The first batch of targets was hacked due to negligent admins.” If a company left open FTP ports and directories, GhostShell said he “found sensitive data and sometimes admin credentials for the whole server.” Softpedia added, “In some cases, GhostShell claims that he used these vulnerable FTP setups to escalate his access to the entire server, from where he exfiltrated more or less sensitive information.”

GhostShell dumped data online from the following 32 targets; his Pastebin notice includes the targeted sites as well as three mirrors for each set of leaked data. 

GhostShell light hacktivism first 32 targets with FTP leaks

Does someone out there want to give this guy a legit job? If not, then his Pastebin ended with the following postscript:

PS: Expect the restart of projects on the main Pastebin account in the near future with the usual leaks.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.