Abdelmalek Essaâdi University Data Breach
- Incident Name : University of Abdelmalek Essaadi Data Breach.
- Report Author : Leonids Labs intelligence team.
- Report Date : 25/09/2023.
- Publishing Date : 16/01/2023
The full report can be downloaded from the link below.
Summary :
The Abdelmalek Essaâdi University Data Breach occurred on September 4, 2023, when a threat actor named 3g86 breached the university’s master’s degree platform. The compromised data, containing critical personally identifiable information (PII), was advertised for sale on the Cyb3r Drag0nz Telegram channel. The threat actor group, identified as Cyb3r Drag0nz, engaged in various malicious activities, including defacements and attacks against Moroccan websites.
The breach timeline includes the initial announcement on September 4, 2023, followed by defacements of Moroccan websites and DDoS attacks on the national portal. The threat actors also claimed to stop their attacks temporarily in sympathy with the Moroccan people after the Al-Haouz/Marrakesh earthquake. On September 12, 2023, the University of Abdelmalek Essaadi’s data was officially put up for sale, consisting of three databases with approximately 160,000 records, including highly sensitive PII.
Threat Actor Actions and Tactics:
The threat group, Cyb3r Drag0nz (Cyber Dragons), conducted a campaign of mass defacements targeting Iraq, Israel, Brazil, and Morocco. The Diamond Model vertex analysis highlights their infrastructure, victims, and capabilities, which involve PHP CMSs, ASP.NET, WordPress plugins, brute-force attacks, PHP backdoors, and DDoS attacks.
Data Compromise Details & Impact Assessment:
The compromised data includes three databases with approximately 160,000 records, containing full names, phone numbers, national ID details, birth dates, nationality, gender, semester grades, and high school grades. The lpuae_lpaue.sql database also contains file records of uploaded documents, including scans and PDFs of academic credentials, passport information, and hashed passwords. The breach resulted in the exposure of sensitive information, raising concerns about identity theft and other malicious activities.
Threat Actor Identification & De-Anonymization Efforts:
The report identifies three major actors in the Cyb3r Drag0nz group: 3g86 (Shaban), SMoker666 (RealSMO), and Exp1o5iveDisorder (Sahand). Efforts were made to de-anonymize 3g86, revealing a potential real name, Shaban, and associated online accounts. SMoker666 was traced to Saudi Arabia, and Exp1o5iveDisorder was identified as Sahand Omar Ali, possibly based in Erbil, Iraq.
Recommendations & Mitigation Actions:
The report recommends fully updating and securing web technologies, deploying web security solutions, and advising students to change their passwords and enable two-factor authentication. Developers are advised to adopt encryption best practices, including using strong password hash algorithms and encrypting uploaded files.
Ongoing Threat Intelligence and Monitoring:
Available only upon request from the Moroccan government and cybersecurity firms.
Addenda:
For additional information or resources related to the breach, the report suggests contacting Leonids Labs via email at LeonidsLabs-intel[at]leonidslabs[.]com.
Download Report
Tags : cybersécurité - cybersecurity - databreach - threat intelligence - CTI - darkweb - maroc - morocco