How can illegitimate access to cPanel be abused?

milann shrestha
Oct 23, 2021

Attackers find many ways to abuse stolen access. cPanel is the hosting control panel through which a site owner manages the whole domain: files, databases, DNS, email accounts and subdomains. Illegitimate access to such a critical place carries the maximum potential for harm.

I assure you that no illegal activities were conducted; this was researched for educational purposes only. All of my findings are based on my own research.

I am a cyber security researcher. I lurk in various parts of the internet. To keep myself informed, I visit hacking/cyber-criminal/underground forums.

I came across an announcement post on one of the infamous hacking forums, from a user exposing the username and password of a renowned news portal from Nepal.

The site is still active and is likely to be abused for malicious acts sooner or later, so the identifying details have been hidden to minimize harm.

A threat actor who gets admin access to a website's cPanel can leverage that power in several ways. Leaking every piece of data on the server, which calls the security posture of the whole system into question, is one threat; selling that data in an underground marketplace for a price is another threat to data protection.

Once the hacker enters cPanel, he/she can impersonate the administrator and use that access for something “exclusive”. Web defacement is an attack in which bad actors delete or modify the content of the site, replacing it with their own messages.

Here there was a file “test.txt”; browsing to it, we get a message that says “venant de rf”, which translates as “coming from rf”. RF is the abbreviation of the underground forum where the access to this cPanel was exposed.

A large share of cyber threats would disappear if there were no such thing as phishing, and it keeps rising. Bad actors plant their phishing kits on hacked domains such as the one we are looking at. The kits are designed to mimic a legitimate login page so that a victim readily hands over their credentials, and a kit served from a long-established, legitimately registered domain inherits that domain's reputation, which makes it harder to block than a freshly registered one. The technique is used to run phishing campaigns targeting a specific organization or the masses.


Another possible threat is hosting malicious software. In this case study we don't find malware, only an .mp4 “meme” file hosted on Discord's CDN. Hosting malware on the Discord CDN has been a common method among malicious actors in the last few months.

Here a new subdomain was created that redirects to the CDN to download the file. It would be trivial to replace hell_nah.mp4 with a malware executable, and a download link on a trusted news domain that quietly redirects to the CDN is far more convincing to a victim than a raw Discord link.
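The redirect described above is something an incident responder can hunt for directly. The following is an added example, not code from the original post: it assumes, as cPanel's Redirects feature does, that the redirect was written as RewriteCond/RewriteRule or Redirect directives into the document root's .htaccess, parses those directives, and flags every target that leaves the site's own domain, with a special mark for the Discord CDN. The sample .htaccess, the domain example.com.np and the attachment path are constructed placeholders, not the hidden details from the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .htaccess (not the real one). cPanel's Redirects feature writes
# rules of this shape, with the target URL backslash-escaped.
SAMPLE_HTACCESS = r"""
RewriteEngine on
# legitimate: force https on the main site
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

RewriteCond %{HTTP_HOST} ^dl\.example\.com\.np$ [OR]
RewriteCond %{HTTP_HOST} ^www\.dl\.example\.com\.np$
RewriteRule ^/?$ "https\:\/\/cdn\.discordapp\.com\/attachments\/111\/222\/hell_nah\.mp4" [R=302,L]

Redirect 301 /old-news https://www.example.com.np/news
"""

# Hosts that have been abused as free malware hosting (assumption: extend to taste).
SUSPECT_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

REWRITE_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_HOST\}\s+(\S+)", re.I)
REWRITE_RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+"?([^"\s]+)"?', re.I)
REDIRECT = re.compile(
    r"^\s*Redirect(?:Match)?\s+(?:\d{3}\s+|permanent\s+|temp\s+)?(\S+)\s+(\S+)", re.I
)


def _unescape(target):
    """cPanel writes targets like https\\:\\/\\/host\\/path; strip the escaping."""
    return target.replace("\\", "")


def _host_pattern_to_name(pattern):
    """Best-effort: turn the regex ^dl\\.example\\.com\\.np$ into dl.example.com.np."""
    return re.sub(r"[\^\$\\]", "", pattern)


def _external(target, own_domain):
    """Return the target hostname if it is a literal host outside own_domain, else None."""
    if "%{" in target:          # dynamic target such as https://%{HTTP_HOST}/... ; not external
        return None
    host = urlsplit(target).hostname or ""
    if not host or host == own_domain or host.endswith("." + own_domain):
        return None
    return host


def find_external_redirects(htaccess, own_domain):
    """Parse .htaccess text and report redirects whose target host is not ours."""
    findings = []
    pending_hosts = []  # HTTP_HOST conditions that apply to the next RewriteRule
    for line in htaccess.splitlines():
        m = REWRITE_COND.match(line)
        if m:
            pending_hosts.append(_host_pattern_to_name(m.group(1)))
            continue
        m = REWRITE_RULE.match(line)
        if m:
            target = _unescape(m.group(2))
            host = _external(target, own_domain)
            if host:
                findings.append({
                    "source_hosts": pending_hosts or ["(any)"],
                    "pattern": m.group(1),
                    "target": target,
                    "target_host": host,
                    "suspect": host in SUSPECT_HOSTS,
                })
            pending_hosts = []
            continue
        m = REDIRECT.match(line)
        if m:
            host = _external(m.group(2), own_domain)
            if host:
                findings.append({
                    "source_hosts": ["(any)"],
                    "pattern": m.group(1),
                    "target": m.group(2),
                    "target_host": host,
                    "suspect": host in SUSPECT_HOSTS,
                })
    return findings


if __name__ == "__main__":
    for f in find_external_redirects(SAMPLE_HTACCESS, "example.com.np"):
        flag = "SUSPECT" if f["suspect"] else "external"
        print(f"[{flag}] {', '.join(f['source_hosts'])} {f['pattern']} -> {f['target']}")
```

Run it against the .htaccess in each document root and each addon/subdomain root, not only the main one; a redirect that keeps the visitor on the site's own domain is left alone, while anything pointing off-domain is listed and Discord CDN targets are marked. Subdomains that cPanel created as real DNS records should still be cross-checked against the zone file, since a redirect rule only shows the subdomains that have a rule attached.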

Finally, as announced, the exposed domain belongs to a news portal in Nepal. Fake news spreads fast, and coming from a renowned source it would reach thousands. Subtly modifying the content of any article is a threat this access makes possible, and unlike a defacement it may go unnoticed for a long time.
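Both the defacement marker (test.txt), a dropped phishing kit and a quietly edited article show up the same way: the document root no longer matches what the site owner last deployed. The following is an added example, not code from the original post, of the file-integrity check that catches all three. It walks a document root, records a SHA-256 per file, and diffs two such snapshots; demo() builds a constructed before/after tree in temporary directories (the file names and contents are made up to mirror the post) and returns the diff.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            out[rel] = h.hexdigest()
    return out


def diff_snapshots(baseline, current):
    """Files that appeared, disappeared, or changed between two snapshots."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def _write_tree(root, files):
    """Materialise {relative_path: bytes} under root (helper for the demo)."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed document root before and after the tampering the post describes."""
    clean = {
        "index.php": b"<?php include 'inc/header.php'; ?>",
        "news/2021/10/budget.html": b"<p>The budget was approved by 120 votes.</p>",
        "news/2021/10/weather.html": b"<p>Heavy rain expected.</p>",
    }
    tampered = dict(clean)
    tampered["test.txt"] = b"venant de rf"                       # defacement marker
    tampered["secure-login/index.php"] = b"<?php /* kit */ ?>"   # phishing kit dropped in
    tampered["news/2021/10/budget.html"] = (                     # one word changed
        b"<p>The budget was rejected by 120 votes.</p>"
    )
    with tempfile.TemporaryDirectory() as before, tempfile.TemporaryDirectory() as after:
        _write_tree(before, clean)
        _write_tree(after, tampered)
        return diff_snapshots(snapshot(before), snapshot(after))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

In practice the baseline snapshot is taken from the deployment artefact or a known-good backup and stored off the server, since an attacker with cPanel access can rewrite anything stored alongside the site. Dynamic content such as upload directories and cache folders should be excluded or the report drowns in noise; the rest of the web root should not change outside a deployment.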

To conclude, I would personally recommend having a security team and QA for the website. Following the security researchers who keep an eye on internet activity can also be beneficial for an organization. :P


milann shrestha

security researcher / threat intel / osint / analyst / anti phishing