On Thursday, November 15, hackers compromised Daniel’s Hosting, one of the largest Dark Web hosting provider. The news was confirmed by Daniel Winzen, the software developer behind the hosting service.
Daniel’s Hosting became the largest Dark Web hosting provider earlier 2017 when Anonymous members breached and took down Freedom Hosting II.
More than 6500 Dark Web services hosted on the platform were completely deleted and the bad news is that it is not possible to recover them because there are no backups as per design choice of the operator.
Winzen explained that hackers breached into Daniel’s Hosting database and deleted all data. The attackers exploited a PHP zero-day exploit leaked just a day before the hack and that was already fixed in db626a54a4f5, but likely attackers used other flaws.
“On November 15th around 10-11 PM UTC the hosting server got hacked. As per my analysis it seems someone got access to the database and deleted all accounts.” Winzen wrote on the DH website today.
“Noteworthy, also the account “root” has been deleted. To this day around 6500 Hidden Services were hosted on the server. There is no way to recover from this breach, all data is gone. I might re-enable the service once the vulnerability has been found, but right now I first need to find it.”
Winzen his assessing the platform searching for vulnerabilities that attackers might have exploited to compromise the server.
“As of now I haven’t been able to do a full analysis of the log files and need to further analyze them, but based on my findings so far I believe that the hacker has only been able to gain administrative database rights. There is no indication of having had full system access and some accounts and files that were not part of the hosting setup were left untouched,” Winzen told ZDNet.
“I might re-enable the service once the vulnerability has been found, but right now I first need to find it.”
The source code of Daniel’s Hosting platform has been available as open-source on GitHub, a circumstance that might have helped the attackers in review the code and find zero-day flaws to exploit.
Who is the culprit?
It is very hard to attribute the attack to specific threat actors, cybercrime syndicates, nation-state hackers, intelligence, and law enforcement agencies are all possible suspects with valid motivations.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.