Recently the hacker group “Lizard Squad” got worldwide attention for its high-profile DDoS operations against Xbox, Sony and others. Several members of the group have since been arrested. These events were covered by many news and security-related sites.

The group publicly sells a DDoS-for-hire service called the “Lizard Stresser”, where anyone can pay to take down a corporate or individual website for a specified period of time. DDoS services are commonly sold in the “underground”, but offering one “as-a-service”, where the paying customer controls the DDoS operation, is relatively new.

Several days ago, in mid-January 2015, Lizard’s DDoS service was itself hacked and a copy of its database was leaked, due to multiple vulnerabilities in their web application. Several cross-site scripting vulnerabilities allowed the attackers to inject code that would execute in the browsers of arbitrary users, including the DDoS service administrators, while a SQL injection vulnerability probably allowed the leakers to obtain the system database, with the potential to take over Lizard’s servers. The customer database was exfiltrated and posted on hacking forums.

More details on discovered vulnerabilities:

http://www.vulnerability-lab.com/get_content.php?id=1417
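The two bug classes named above come down to the same mistake: user input is concatenated into a language (SQL, HTML) instead of being passed as data. The example below is added here to illustrate that; it is not code from the Lizard Stresser application or from the vulnerability report. It uses an in-memory SQLite table with constructed rows as a stand-in for the stresser's user table, and contrasts a query built by string formatting with a parameterised one, plus output encoding for the HTML context where the XSS issues lived.

```python
import html
import sqlite3


def build_db():
    """Constructed sample data: a tiny users table standing in for the
    stresser's real one. Nothing here comes from the leaked database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("admin", "admin"), ("alice", "customer")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Look up a user with the query built by string formatting.

    The input is spliced into SQL syntax, so quotes and comment markers in it
    change the meaning of the statement instead of being matched literally."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, username):
    """Same lookup with a parameterised query.

    The driver binds the value as data; whatever it contains, the statement
    stays 'WHERE username = ?' and only an exact match is returned."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def render_greeting(username):
    """Encode a user-controlled value for an HTML text context.

    html.escape turns <, >, & and quotes into entities, so a stored or
    reflected username can no longer close the tag or open a script element."""
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


if __name__ == "__main__":
    conn = build_db()
    probe = "' OR 1=1 --"  # input that is SQL syntax, not a username
    print("vulnerable:", find_user_vulnerable(conn, probe))  # returns the admin row
    print("safe:      ", find_user_safe(conn, probe))        # returns None
    print(render_greeting("<script>"))
```

With the probe string the formatted query becomes `WHERE username = '' OR 1=1 --'`, which matches every row and hands back the first one; the parameterised query compares the whole string against the column and finds nothing. The same discipline applies to the HTML side: encode at the point of output, for the context you are writing into.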

Inside the Database

The leaked database reveals customer-related information, payments and attack logs. Customer passwords were stored in clear text, enabling anyone with access to a copy of the database to take over those accounts.
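Clear-text storage is what turned a database leak into a full account takeover. The following is an added example, not code from the leaked service, showing what the user records should have looked like: a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), so that a copy of the table yields no usable credentials. The record format `pbkdf2_sha256$iterations$salt$hash` is my own choice here, not something prescribed by any library.

```python
import hashlib
import hmac
import os

# Iteration count is a tunable cost; raise it as hardware gets faster.
# 200,000 keeps this example quick to run and is still far from free.
DEFAULT_ITERATIONS = 200_000


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algorithm, cost, salt and derived key.

    The salt is 16 random bytes per user, so identical passwords produce
    different records and precomputed tables are useless."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password, stored):
    """Recompute the derived key from the stored parameters and compare.

    hmac.compare_digest is constant-time, so a wrong guess cannot be
    distinguished by how quickly the comparison bails out."""
    try:
        algorithm, iterations, salt_hex, key_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(key, expected)


# Constructed in-memory "users table" to show what a leak would expose.
USERS = {}


def register(username, password):
    USERS[username] = hash_password(password)


def login(username, password):
    record = USERS.get(username)
    if record is None:
        # Run a dummy derivation so a missing user takes as long as a real one.
        verify_password(password, hash_password("dummy"))
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(USERS["alice"])  # salt and derived key only; the password is not recoverable
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong"))                          # False
```

Even with this in place, a leaked table lets an attacker test guesses offline, which is why the cost parameter matters; but it is the difference between "every account is compromised at once" and "weak passwords fall after a lot of computation".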

There are around 13,000 registered users in the database. The attack logs also reference usernames that no longer appear in the registered users list, which suggests those accounts were deleted.

According to the payment records, there were more than 7,000 bitcoin payments totalling around 1,630 bitcoins, worth an estimated $350,000 at the exchange rate in the week of the leak.

Most of the clients paid fewer than 10 times, and only 5 users paid more than $1,000 in total. The highest spend was more than 5.68 bitcoins (~$1,200 in the week of the leak), spread across a large number of payments (244 transactions of $5 each).

The longest recorded attack time from a single user totalled almost 95 hours against 20 different targets, while the longest attack against a single target was 40 hours. It may have been carried out by one of the Lizard Squad members, as no payments are associated with that username.

Only 26 attacks lasted more than 5 hours against a single target from a single user. More than 50 targets were attacked by several different users.

Not surprisingly, “Xbox Live” and “Sony” servers were among the targets. You can check whether you were a target of the DDoS service by looking for your IP addresses in this list:

http://pastebin.com/EGbEE72y

(A list of DNS names for some of the IP addresses: http://pastebin.com/699EpAWU)
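Scanning a few thousand lines by eye for your own addresses is error-prone, especially when you own whole netblocks rather than single hosts. The script below is an added example, not something published with the leak, that parses a target list in either of the two formats linked above (bare IP addresses, or "IP hostname" pairs) and reports which entries fall inside the CIDR ranges you are responsible for. The sample list embedded in it is constructed from RFC 5737 documentation addresses, not taken from the pastebin.

```python
import ipaddress

# Constructed sample in the shape of the published lists: one entry per line,
# optionally followed by a DNS name. These are documentation addresses only.
SAMPLE_TARGET_LIST = """\
192.0.2.10
192.0.2.11
198.51.100.7 game-frontend.example.net
203.0.113.200 www.example.org
not-an-address
"""


def parse_targets(text):
    """Return the set of IP addresses found in a target list.

    The first whitespace-separated field of each line must be an IPv4 or IPv6
    address; anything after it (a hostname) is ignored. Blank lines and lines
    that do not start with a valid address are skipped rather than fatal, so a
    stray header or note in the list does not abort the check."""
    targets = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            targets.add(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
    return targets


def find_hits(targets, my_networks):
    """Return sorted (address, network) pairs for targets inside my_networks.

    my_networks is an iterable of CIDR strings (host addresses such as
    "192.0.2.10" are accepted too and treated as /32 or /128). Each target is
    reported once, against the first network that contains it."""
    nets = [ipaddress.ip_network(n, strict=False) for n in my_networks]
    hits = []
    for addr in targets:
        for net in nets:
            if addr.version == net.version and addr in net:
                hits.append((str(addr), str(net)))
                break
    return sorted(hits)


if __name__ == "__main__":
    # Hypothetical address space; replace with the ranges you actually own,
    # or read the real list with open(path).read() in place of the sample.
    mine = ["192.0.2.0/24", "203.0.113.128/25"]
    for addr, net in find_hits(parse_targets(SAMPLE_TARGET_LIST), mine):
        print(f"{addr} (in {net}) appears in the target list")
```

The version check before `addr in net` is belt-and-braces: the `ipaddress` module already returns `False` for a mixed-family test, but being explicit makes the intent clear if someone later swaps in a different address type.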

Afterword

While everybody in the industry knows that implementing security controls and protecting your network and applications are critical to protecting your business, it’s ironic to find that the “hackers” themselves fall victim to neglecting them.