This mass defacement is part of #OpAfrica, an Anonymous social campaign that aims to draw attention to child labor and government corruption in African countries. The campaign started with hacks against the Rwanda and Uganda governments. Then came the hacks against a South African job portal, and eventually the South African Government Communication and Information System (GCIS).
Hacker targeted only one Web hosting company’s customers
On Friday, February 12, the previous Anonymous hackers were joined by Tobitow, who apparently discovered a problem with the shared hosting service provided by Webafrica and took advantage of this issue to deface thousands of websites with a message supporting the #OpAfrica campaign, despite being from Latin America himself.
Webafrica call center employees confirmed the incident to a local South African tech news site.
Right after the hack, Tobitow started posting links to all defaced websites on his Twitter account, but eventually got bored and dumped about 600 of the URLs in a CryptoBin paste.
South Africa’s CSIRT team issued a national alert
Another local South African tech news site reports that the Computer Security Incident Response Team of South Africa (ECS-CSIRT) has even put out an official advisory about the incident, warning system administrators against the ongoing attack. At the moment of writing this article, the advisory has been removed from ECS-CSIRT’s website, but htxt.africa took a screengrab.
“The NC – CSIRT team is alerting all organs of State to pay special attention to public facing websites and databases,” the ECS-CSIRT advisory reads. “The methods used are SQL injection and Website defacement on unpatched server operating systems.”
Softpedia stated that they contacted Tobitow to inquire if he accessed or stole any user information from the breached websites or from Webafrica’s database. This information will be updated once an answer is revealed.
UPDATE: Tobitow has told Softpedia that the ECS-CSIRT advisory is wrong and that he used a Joomla vulnerability to access all the defaced websites, not an SQL injection. Additionally, the hacker has also revealed that he did not steal any of Webafrica’s customer data or anything from the defaced websites.