< Back to Searchlight Blog

Have COVID-19 Health Organisations been hacked?

Published on 27 Apr 2020 by Illy

Pastebin and Twitter are actively removing files containing thousands of email addresses and passwords, allegedly belonging to various health organisations involved in the fight against COVID-19.

Pastebin and Twitter are actively removing files containing thousands of email addresses and passwords, allegedly belonging to various health organisations involved in the fight against COVID-19. The breach also contains several logins that users have claimed to have used to access private directories in relation to COVID-19 research. The title of some of these lists however, references a credentials database that has been shared amongst criminals since 2016. Suggesting that the contents of the recently shared lists may be cherry picked and outdated data from previous breaches and thus they pose little risk.
alt text The data appeared to first emerge on the forum 4chan before being uploaded to Pastebin and shared on Twitter. This began when a user [1] posted a now deleted tweet containing Pastebin and archive links to multiple data dumps. The content of these sites were quickly archived and re-uploaded on external forums such as Kiwifarms.net, leading the data to remain available despite efforts to take them down. alt text

References:

[1] https://twitter.com/17karnage.

Try our Darknet Intelligence/Forensics tool for free, contact enquiries@slcyber.io


Latest News from Searchlight

20 May 2021

Is all press good press? DarkSide, Colonial Pipeline and Ransomware-as-a-Service

This article explores the darknet structures and relationships sustaining the ransomware ecosystem, and enquires whether the consequences of DarkSide's attack against Colonial Pipeline will affect the continued growth of this lucrative cybercriminal enterprise.

Read more...

03 Mar 2021

Zero-day exploit in Accellion FTA leads to data compromise of multiple companies

This article evaluates the recent slew of data breaches suffered by a range of major organisations as a result of vulnerabilities in the soon-to-be-retired Accellion File Transfer Appliance, as well as the implications of suspected involvement by notorious ransomware gang Cl0p.

Read more...

06 Jan 2021

Covid-19 and the darknet: deceit, disinformation and disruption

Since the beginning of the coronavirus pandemic, darknet actors have exploited the heightened sense of fear and uncertainty for financial and even political gain. In tandem with the much-anticipated rollout of vaccines for the disease in multiple countries worldwide, actors have renewed efforts at Covid-related fraud, disinformation, and cyber-espionage.

Read more...

02 Dec 2020

The quest for Monero deanonymisation and potential impacts on darknet markets

Monero, often hailed by darknet users as the most private cryptocurrency available, has recently been the subject of efforts by security researchers to deanonymise and trace its transactions. How will Monero's potential traceability affect the illicit trade that occurs on darknet markets?

Read more...

Whoops, looks like something went wrong.

1/1 Swift_TransportException in AuthHandler.php line 181: Failed to authenticate on SMTP server with username "notifymcgoo@gmail.com" using 1 possible authenticators

  1. in AuthHandler.php line 181
  2. at Swift_Transport_Esmtp_AuthHandler->afterEhlo(object(Swift_Transport_EsmtpTransport)) in EsmtpTransport.php line 332
  3. at Swift_Transport_EsmtpTransport->_doHeloCommand() in AbstractSmtpTransport.php line 118
  4. at Swift_Transport_AbstractSmtpTransport->start() in FileSpool.php line 149
  5. at Swift_FileSpool->flushQueue(object(Swift_Transport_EsmtpTransport)) in SwiftmailerServiceProvider.php line 95
  6. at SwiftmailerServiceProvider->Silex\Provider\{closure}(object(Request), object(TemplateResponse), object(Application))
  7. at call_user_func(object(Closure), object(Request), object(TemplateResponse), object(Application)) in Application.php line 387
  8. at Application->Silex\{closure}(object(PostResponseEvent), 'kernel.terminate', object(TraceableEventDispatcher)) in WrappedListener.php line 61
  9. at WrappedListener->__invoke(object(PostResponseEvent), 'kernel.terminate', object(EventDispatcher)) in EventDispatcher.php line 184
  10. at EventDispatcher->doDispatch(array(object(WrappedListener), object(WrappedListener), object(WrappedListener)), 'kernel.terminate', object(PostResponseEvent)) in EventDispatcher.php line 46
  11. at EventDispatcher->dispatch('kernel.terminate', object(PostResponseEvent)) in TraceableEventDispatcher.php line 133
  12. at TraceableEventDispatcher->dispatch('kernel.terminate', object(PostResponseEvent)) in HttpKernel.php line 77
  13. at HttpKernel->terminate(object(Request), object(TemplateResponse)) in Application.php line 598
  14. at Application->terminate(object(Request), object(TemplateResponse)) in Application.php line 565
  15. at Application->run(object(Request)) in Application.php line 97
  16. at Application->run() in index.php line 12
Uncaught Exception: Swift_TransportException

Uncaught Exception: Swift_TransportException .

Swift_TransportException in AuthHandler.php line 181:
Failed to authenticate on SMTP server with username "notifymcgoo@gmail.com" using 1 possible authenticators

                    if ($authenticator->authenticate($agent, $this->_username, $this->_password)) {
                        return;
                    }
                }
            }
            throw new Swift_TransportException(
                'Failed to authenticate on SMTP server with username "'.
                $this->_username.'" using '.$count.' possible authenticators'
                );
        }
    }

Google this Exception

Stack trace

# 1 \Swift_Transport_Esmtp_AuthHandl …::afterEhlo(Swift_Transport_EsmtpTransport)
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/EsmtpTransport.php # line 332
# 2 \Swift_Transport_EsmtpTransport::_doHeloCommand()
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/AbstractSmtpTransport.php # line 118
# 3 \Swift_Transport_AbstractSmtpTra …::start()
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/FileSpool.php # line 149
# 4 \Swift_FileSpool::flushQueue(Swift_Transport_EsmtpTransport)
[root]/vendor/silex/silex/src/Silex/Provider/SwiftmailerServiceProvider.php # line 95
# 5 Silex\Provider\SwiftmailerServiceProvider::Silex\Provider\{closure}(Request, TemplateResponse, Application)
# 6 call_user_func(Closure, Request, TemplateResponse, Application)
[root]/vendor/silex/silex/src/Silex/Application.php # line 387
# 7 Silex\Application::Silex\{closure}(PostResponseEvent, "kernel.terminate", TraceableEventDispatcher)
[root]/vendor/symfony/event-dispatcher/Debug/WrappedListener.php # line 61
# 8 Symfony\Component\EventDispatcher\Debug\WrappedListener::__invoke(PostResponseEvent, "kernel.terminate", EventDispatcher)
[root]/vendor/symfony/event-dispatcher/EventDispatcher.php # line 184
# 9 Symfony\Component\EventDispatcher\EventDispatcher::doDispatch([array], "kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/event-dispatcher/EventDispatcher.php # line 46
# 10 Symfony\Component\EventDispatcher\EventDispatcher::dispatch("kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php # line 133
# 11 Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher::dispatch("kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/http-kernel/HttpKernel.php # line 77
# 12 Symfony\Component\HttpKernel\HttpKernel::terminate(Request, TemplateResponse)
[root]/vendor/silex/silex/src/Silex/Application.php # line 598
# 13 Silex\Application::terminate(Request, TemplateResponse)
[root]/vendor/silex/silex/src/Silex/Application.php # line 565
# 14 Silex\Application::run(Request)
[root]/vendor/bolt/bolt/src/Application.php # line 97
# 15 Bolt\Application::run()
[root]/public/index.php # line 12


Request data

content (empty)
languages en_US
en
charsets (empty)
encodings br
gzip
acceptableContentTypes text/html
application/xhtml+xml
application/xml
*/*
pathInfo /news/have-covid-19-health-organisations-been-hacked
requestUri /news/have-covid-19-health-organisations-been-hacked
baseUrl (empty)
basePath (empty)
method GET

Headers

host ["bolt"]
connection ["close"]
user-agent ["CCBot/2.0 (https://commoncrawl.org/faq/)"]
accept ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"]
accept-language ["en-US,en;q=0.5"]
accept-encoding ["br,gzip"]

Server

HTTP_HOST bolt
HTTP_CONNECTION close
HTTP_USER_AGENT CCBot/2.0 (https://commoncrawl.org/faq/)
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE en-US,en;q=0.5
HTTP_ACCEPT_ENCODING br,gzip
PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SERVER_SIGNATURE <address>Apache/2.4.25 (Debian) Server at bolt Port 80</address>
SERVER_SOFTWARE Apache/2.4.25 (Debian)
SERVER_NAME bolt
SERVER_ADDR 192.168.80.2
SERVER_PORT 80
REMOTE_ADDR 192.168.80.3
DOCUMENT_ROOT /var/www/html/public
REQUEST_SCHEME http
CONTEXT_PREFIX (empty)
CONTEXT_DOCUMENT_ROOT /var/www/html/public
SERVER_ADMIN [no address given]
SCRIPT_FILENAME /var/www/html/public/index.php
REMOTE_PORT 39630
GATEWAY_INTERFACE CGI/1.1
SERVER_PROTOCOL HTTP/1.0
REQUEST_METHOD GET
QUERY_STRING (empty)
REQUEST_URI /news/have-covid-19-health-organisations-been-hacked
SCRIPT_NAME /index.php
PHP_SELF /index.php
argv []
Arguments:
array:1 [
  0 => Swift_Transport_EsmtpTransport {
    -_handlers: array:1 [
      "AUTH" => Swift_Transport_Esmtp_AuthHandler {
        -_authenticators: array:3 [
          0 => Swift_Transport_Esmtp_Auth_CramMd5Authenticator {}
          1 => Swift_Transport_Esmtp_Auth_LoginAuthenticator {}
          2 => Swift_Transport_Esmtp_Auth_PlainAuthenticator {}
        ]
        -_username: "notifymcgoo@gmail.com"
        -_password: "6690823boyded"
        -_auth_mode: "login"
        -_esmtpParams: array:6 [
          0 => "LOGIN"
          1 => "PLAIN"
          2 => "XOAUTH2"
          3 => "PLAIN-CLIENTTOKEN"
          4 => "OAUTHBEARER"
          5 => "XOAUTH"
        ]
      }
    ]
    -_capabilities: array:7 [
      "SIZE" => array:1 [
        0 => "35882577"
      ]
      "8BITMIME" => []
      "AUTH" => array:6 [
        0 => "LOGIN"
        1 => "PLAIN"
        2 => "XOAUTH2"
        3 => "PLAIN-CLIENTTOKEN"
        4 => "OAUTHBEARER"
        5 => "XOAUTH"
      ]
      "ENHANCEDSTATUSCODES" => []
      "PIPELINING" => []
      "CHUNKING" => []
      "SMTPUTF8" => []
    ]
    -_params: array:8 [
      "protocol" => "tcp"
      "host" => "smtp.gmail.com"
      "port" => 587
      "timeout" => 30
      "blocking" => 1
      "tls" => true
      "type" => 1
      "stream_context_options" => []
    ]
    #_buffer: Swift_Transport_StreamBuffer {
      -_stream: &1 stream resource @1004
        crypto: array:4 [
          "protocol" => "TLSv1.2"
          "cipher_name" => "ECDHE-ECDSA-AES128-GCM-SHA256"
          "cipher_bits" => 128
          "cipher_version" => "TLSv1.2"
        ]
        timed_out: false
        blocked: true
        eof: false
        stream_type: "tcp_socket/ssl"
        mode: "r+"
        unread_bytes: 0
        seekable: false
        options: []
      }
      -_in: &1 stream resource @1004
      -_out: &1 stream resource @1004
      -_params: array:8 [
        "protocol" => "tcp"
        "host" => "smtp.gmail.com"
        "port" => 587
        "timeout" => 30
        "blocking" => 1
        "tls" => true
        "type" => 1
        "stream_context_options" => []
      ]
      -_replacementFactory: Swift_StreamFilters_StringReplacementFilterFactory {
        -_filters: []
      }
      -_translations: []
      #_sequence: 28
      -_filters: []
      -_writeBuffer: ""
      -_mirrors: []
    }
    #_started: false
    #_domain: "[192.168.80.2]"
    #_eventDispatcher: Swift_Events_SimpleEventDispatcher {
      -_eventMap: array:5 [
        "Swift_Events_CommandEvent" => "Swift_Events_CommandListener"
        "Swift_Events_ResponseEvent" => "Swift_Events_ResponseListener"
        "Swift_Events_SendEvent" => "Swift_Events_SendListener"
        "Swift_Events_TransportChangeEvent" => "Swift_Events_TransportChangeListener"
        "Swift_Events_TransportExceptionEvent" => "Swift_Events_TransportExceptionListener"
      ]
      -_listeners: []
      -_bubbleQueue: []
    }
    #_sourceIp: null
  }
]
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
Arguments:
array:1 [
  0 => Swift_Transport_EsmtpTransport {
    -_handlers: array:1 [
      "AUTH" => Swift_Transport_Esmtp_AuthHandler {
        -_authenticators: array:3 [
          0 => Swift_Transport_Esmtp_Auth_CramMd5Authenticator {}
          1 => Swift_Transport_Esmtp_Auth_LoginAuthenticator {}
          2 => Swift_Transport_Esmtp_Auth_PlainAuthenticator {}
        ]
        -_username: "notifymcgoo@gmail.com"
        -_password: "6690823boyded"
        -_auth_mode: "login"
        -_esmtpParams: array:6 [
          0 => "LOGIN"
          1 => "PLAIN"
          2 => "XOAUTH2"
          3 => "PLAIN-CLIENTTOKEN"
          4 => "OAUTHBEARER"
          5 => "XOAUTH"
        ]
      }
    ]
    -_capabilities: array:7 [
      "SIZE" => array:1 [
        0 => "35882577"
      ]
      "8BITMIME" => []
      "AUTH" => array:6 [
        0 => "LOGIN"
        1 => "PLAIN"
        2 => "XOAUTH2"
        3 => "PLAIN-CLIENTTOKEN"
        4 => "OAUTHBEARER"
        5 => "XOAUTH"
      ]
      "ENHANCEDSTATUSCODES" => []
      "PIPELINING" => []
      "CHUNKING" => []
      "SMTPUTF8" => []
    ]
    -_params: array:8 [
      "protocol" => "tcp"
      "host" => "smtp.gmail.com"
      "port" => 587
      "timeout" => 30
      "blocking" => 1
      "tls" => true
      "type" => 1
      "stream_context_options" => []
    ]
    #_buffer: Swift_Transport_StreamBuffer {
      -_stream: &1 stream resource @1004
        crypto: array:4 [
          "protocol" => "TLSv1.2"
          "cipher_name" => "ECDHE-ECDSA-AES128-GCM-SHA256"
          "cipher_bits" => 128
          "cipher_version" => "TLSv1.2"
        ]
        timed_out: false
        blocked: true
        eof: false
        stream_type: "tcp_socket/ssl"
        mode: "r+"
        unread_bytes: 0
        seekable: false
        options: []
      }
      -_in: &1 stream resource @1004
      -_out: &1 stream resource @1004
      -_params: array:8 [
        "protocol" => "tcp"
        "host" => "smtp.gmail.com"
        "port" => 587
        "timeout" => 30
        "blocking" => 1
        "tls" => true
        "type" => 1
        "stream_context_options" => []
      ]
      -_replacementFactory: Swift_StreamFilters_StringReplacementFilterFactory {
        -_filters: []
      }
      -_translations: []
      #_sequence: 28
      -_filters: []
      -_writeBuffer: ""
      -_mirrors: []
    }
    #_started: false
    #_domain: "[192.168.80.2]"
    #_eventDispatcher: Swift_Events_SimpleEventDispatcher {
      -_eventMap: array:5 [
        "Swift_Events_CommandEvent" => "Swift_Events_CommandListener"
        "Swift_Events_ResponseEvent" => "Swift_Events_ResponseListener"
        "Swift_Events_SendEvent" => "Swift_Events_SendListener"
        "Swift_Events_TransportChangeEvent" => "Swift_Events_TransportChangeListener"
        "Swift_Events_TransportExceptionEvent" => "Swift_Events_TransportExceptionListener"
      ]
      -_listeners: []
      -_bubbleQueue: []
    }
    #_sourceIp: null
  }
]
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)