Italy's Ministry of Healthcare hacked and Blackmails WhiteHat
by ItalyIsMafia - November 01, 2021 at 03:28 PM
#1
Long story of how this happened:

I'm online writing a script for some 0's i wanna test, here comes a contact asking me if i could get vaccines, asks for EU, he specifically asked for Italy.
I thought "No problem" Italian devs are chimps, it will be ez if it all works by web.
I did not think it would be THAT ez, after less than 1h i found a hole and it took me 8 hours to have complete control over the DB's, Linux shell with 90% privilege (and i had 0 knowledge of the underlying infrastructure or system lmao).
I got some credentials, gave the vaccine to my friend and started getting to know better the system,
lo and behold,
there was access to too much critical infrastructure, I could've made people arrested by cancelling their vaccines, i could've gotten data about shipments, containers, anything ANYTHING healthcare related, i had access to 100%, mail servers, bla bla bla, 100% pwned.

Due to there being too much critical infrastructure and not having any fitting operation to do with it, i decided to pay a jabber advert and find a buyer.
I get contacted by a guy,
he asks screenshots
tells me that he's starting a cyber sec company and he would like to buy it (the access) to report it,
i tell him to not do it because in Italy they are chimps and he is only wasting money,
he ignores me and keeps asking for the access
i sell him the accesses for 15k$ in monero
he contacts the technicians to report it, tells them his name and company
> technician tells they were not aware of the hack and it was not possible (they were hacked from 7 days~ already, they are most surely not able to do their job) they asked him to send proofs by email, he asks me proofs and he forwards them to the 'technicians'
> one day goes by, then they write to him an email asking more information and more about a possible "partnership"
> they stop answering
> my client sends them an email asking to notify everyone (millions) as per GDPR law of the breach,
> (the technicians department of the Ministry of Healthcare people) start forging emails with Ministry of Justice Judges names people and they blackmail him
1) The technicians did not lawfully oblige to disclose breaches as per GDPR European law.
2) They blackmailed a whitehat security researcher by email with fake names,
3) They blackmailed him on instagram (WTF)
4) They removed a page thinking it would fix the problem, instead of hiring someone professional. they are still vulnerable.
By not going through the official and right way, they have achieved shitting on any law and leaving one of the most if not the most critical infrastructure vulnerable.

tl;dr
Don't target Italian systems because they are poor retarded chimps, this poor guy wasted 15k in hope to, since millions of people and the most critical infrastructure got hacked, he thought that by reporting it they would then publish a statement of breach to notify the millions involved and quote his company for notifying them.
He learned the hard way Italy is not a country but instead a mafia,
since I've never heard of a legit country like Germany or Denmark Ministry being notified of a breach and blackmailing the person that let them know it for this information to not become public.

btw i spoke with him (my customer) and he told me so today, he told me that "I attempted writing to the Media and got no response, I attempted disclosing it to the technicians and i got blackmailed, i got no use of this anymore i consider my money wasted, do as you please with it"
so, take this as a reminder from a BH to both WH and BH's on here, don't work with Italy, let them be abused and die as a country, because surely they don't have a system that is worth defending (nor pwning).


#2
Uhm, you have shared only Apache LOG and long story… why don't you share the leaked data?
#3
Could you please post the sample data?
#4
WTF!! not the first time I hear similar stories about Italy but yea WTF
#5
(November 02, 2021 at 03:44 AM)mackintosh Wrote: Could you please post the sample data?
quote! :D if anyone can post sample data would be interesting to understand the circumstances
#6
hi i'm looking for sample of this story
#7
https://twitter.com/AndreaDraghetti/stat...28/photo/3
#8
It seems that you are a bit angry mate ;-), would it be possible if you could tell what vulnerabilities were exploited? (would be nice to know ;-))

#9
To whoever wants this shit...it's outdated and there's no dump...just GET calls where most of them don't even work. Don't waste your 8 creds on this.
#10
Legit Questions, many doubts, that's how it works in the underground world.
Let me address a couple of things first.
At the moment of the hack, all the files were downloaded exclusively on the server used for the attack only. (so no backups)
Once the hack had taken place, i found relatively fast a buyer hence due to the type of "Trust/Reputation" based platforms usually, You don't download / retain etc files or data for yourself if You're planning to sell or had sold an access.
Once i sold the access, after money had been released from escrow, i had no contact (only once after a couple of weeks i will explain it down) with the customer for 2 months~ (up until the day i posted here), when he told me what happened, I booted up a VM that was used to access the server that was used for the hack,
due to the nature of VM's and freeze function, I was able to have back the ssh terminal with cached commands and outputs, from which i copied and posted the logs.


1) the client requested after a couple of weeks to renew the machine hosting, since he didn't know if they would need access to it or not.
2) the hosting expired and there are no backups of the files.
3) in order to report it as whitehat and not go to jail, my client was unable to both
a) access the server in any way, as he would get in contact with people's personal information etc.
b) even less was able to download anything from the machine as it would count as he hacked it.

what is posted in here, is a collection of the screenshots of the things that i had in cache and can screenshot/copy/leak.
the intention of the post was never to dump the entire healthcare db, it would be a huge damage and it could collapse the economy, the only intention of this post was to
1) Bring enough media attention to push a change in the technical department and criminal charges against the monkey that instead of doing his job for 12 years collected 40% of taxes from Italian people and then when showcased holes, kicks the WH in the ass and Threatens him.
2) My client told me he experienced being paranoid due to a couple of facts:
A) A critical infrastructure system in which any foreign country would be interested in accessing was so easy to hack in 8 hours (i consider myself just over amateur if confronted to APT's)
A.1) My client disclosed it by email to the technical department including his name, country, company.
A.2) The email was newly created just as the company so there was no email sent to anyone else EXCEPT the technical department.
A.3) The mail system is on the same server.
A.4) The system is vulnerable from 11+ Years, making it basically impossible to be sane with your mind to say that no APT ever accessed it or compromised it beforehand.
B) Client receives on Instagram a message from a throwaway account in english "Are You the guy that sent an email to an important Ministery?"


My client genuinely thought for a couple of days that:
A) he would get killed from some foreign country that had breached it, been listening to the emails and wanted to take out the threat.
B) the technicians purposefully put this "vulnerability" in exchange of a bribe for a foreign country, which we go to the A) surely not far from there.
Maybe it's a bit too paranoid, but I can understand if My data would to be sent in such a way, have the counterpart not agree on any deal or help (to dodge it in a dodgy way) and then you receive a message on your private Instagram in ENGLISH about an EMAIL you wrote to someone, that no one except that person receiving AND someone that had breached the server could have access to.


--so to end that bullshit making it public and getting the people that needs to be arrested (blackmailing technicians) get them arrested will put an end to this story and make just a bit better such a corrupt country.

by the way, i came back to post some more stuff and again spoken and asked more info to my customer but this is probably the last time,
i'm not a paid mediator, for me it's not publicity stunt, i just feel bad for the guy that wanted to do the right thing and got shit on the head from an unschooled unskilled 50+ years old chimp just because he has the power of blackmail for which WE get treated as TERRORIST, to them, nothing happens, they are heroes working in the background.


to put in sense some of the screenshots which were provided by the client (only things provided are email and instagram screenshots, all the remaining is coming from me)

[ Recap of the timings: ]
hacked
sold
customer contacts technicians
technicians said they did not see any hack (and it been 1 week already) and to send an email
customer sends email
day later technician replies asking for more information
the day later whitehat receives strange message on instagram, i quote "Are You the guy who wrote an email to an important Ministery?"
--customer says he didnt screenshot immediately because he thought they were going to talk further so there was no hurry, my client responded to him, after a couple of minutes he saw the reply and deleted his message from instagram and his account (in the same time, also removed the message request on FACEBOOK since he wrote on facebook too but my client noticed only when logging in and seeing a strange name disappear on page load from the "Message Requests" just after the technician deleted his instagram account.
couple of days go by and customer messages them asking on the status of the things and to report the hack due to GDPR law.
NO RESPONSE FROM TECHNICIANS
empty email from @gmail with name of a Ministry of Justice Judge (aka the people that can fuck anyone for a long time if they wanted) to whitehat client that did not disclose the email to no one (fresh)
My client took the email and checked it on haveibeenpwned and got no match,
he understood it was all a generated fake email from the technicians as an attempt to blackmail and obtain fear and silence from him so to not get them pushed to publish them being hacked as they would most certainly lose their job, and there is no better job
than being paid millions and doing nothing for 12 years, congratz.

Anyway, here you have it
https://ufile.io/twwnpacm
password: gdsa8(DSGKLXCM<VN%X^X*K#TBSHDV'[email protected]
#11
They should make a TV show on this. Over five months ago, I told some Italian journalists their infrastructures are designed to fail, and I'm not surprised to read this today.
#12
Great leak. Italy's government is corrupt as fuck.
