LockBit, Noname57, CyberDragon… Ah The Russians
Disclaimer: You should start by reading here:
As I mentioned before, that server was linked to many other interesting things; one of those was a crowdfunding website, let's call it vulncrowfunding.com. I can't clearly remember how I stumbled onto it, but it was through some tokens saved in one of the backup.old folders on vuln.gov.it. Not knowing what they were for, we were back to enumeration and OSINT.
This particular website was very interesting because it deals with Italy's major universities and many other important entities. After many years of bug bounty, you develop a special eye for knowing whether you will find anything just by looking at how a website looks. I was not expecting much since it looked well-maintained, but then I remembered that we are talking about an Italian-maintained website, and there is always something.
About 20 minutes into poking, there was an Arbitrary File Upload, along with SQLi and an Administrator Login Panel bypass. Since this was not an intended target as per vuln.gov.it from EP:1, I decided to reach out to the CEO of the crowdfunding platform, both by email and on LinkedIn. A few days passed, and no one replied. Then I tried reaching out to the people in charge of running the page; again, nothing. At this point, I left it at that.
For those who don't know, Italy is a strong supporter of Ukraine because it aligns with US policies in Western Europe. This is something Russian hackers don't like, and starting in 2022, Italy has been getting hacked almost daily. Time went by, and on the very same day, one year after I had tried to reach out to vulncrowfunding.com, I was "reading" some Russian chats and saw something very interesting: dumps, and they were Italian.
Italian News Article