A hacking crew that goes by the name of National Hackers Agency (NHA) has defaced 605 websites in one go after they managed to get access to a server from UK hosting firm DomainMonster.
The attacks, brought to Bleeping Computer's attention by a member of another hacking crew, took place on Tuesday, February 21, and were all cached via Zone-H, a service that archives defaced websites.
All defaced websites were hosted on the IP address 188.8.131.52, registered to Mesh Digital, the legal name of DomainMonster.com, a company that provides domain registration, website building, and website hosting services.
On Twitter, the company acknowledged the attacks but gave little details about what happened. No official statement was published on its site, or one that we could find. All the websites we checked from the defaced list are now up and running.
At the time of writing, no new defacement hosted on the same server has been registered via Zone-H, meaning DomainMonster either plugged the hole, or NHA has yet to launch another attack.
It is unknown what kind of access the hackers gained, but since they jumped across different customer accounts, access to the underlying server was most likely achieved. Data hosted on those servers should be considered compromised, and most likely stolen since many defacers often steal and sell data on underground markets.
All defaced websites linked to NHA's Facebook page. On Friday, the page was down, most likely following a user report. NHA continued their defacements in the following days, with new attacks, this time on Russian domains. Bleeping Computer's request for comment was not returned before the Facebook page was taken down.
NHA has three members: Benjamin, GeneralEG, and R3d HaXoR. Benjamin claimed the attacks on DomainMonster, as his name was plastered atop the defacement message.
Many security experts say that website defacements are just like "digital graffiti." Usually, these attacks happen one site at a time, but sometimes one group manages to find and exploit a serious security hole.
During the past month, multiple hacking crews have used a security flaw in the WordPress CMS to deface over 1.5 million web pages, and even escalate their access enough to install backdoors and take over servers.