An ex-Lizard Squad hacker is targeting websites belonging to the NHS by posting a range of vulnerabilities on a code depository online.
Abdilo, who claims to have been part of the hacking group until last October, wrote that they discovered a range of SQL injection flaws, admin logins, cross-site scripting bugs (XSS) and a means of revealing local files on the server.
Among the sites apparently affected are those of hospital foundation trusts, surgeries, medical centres, the National Data Catalogue in Scotland, and screening services for a number of illnesses.
If legitimate, the mixture of bugs could allow a hacker to disrupt NHS websites, a vital source of information for patients, and potentially remove data from the servers on which they are hosted.
Though CBR was not able to confirm that all of the vulnerabilities existed, the XSS bugs appeared to be functioning. Some of the flaws seemingly involved the use of Microsoft Access, a database management system.
The NHS has been contacted for comment, but has yet to respond.
Since leaving Lizard Squad, Abdilo has attained some notoriety by boasting of attacks and vulnerability disclosures on a range of institutions, many of them in the educational sector in the US, Europe and Australia.
According to another message posted online, the hacker is a 16-year-old from Queensland, Australia. They claim to have started breaking into educational websites back in August, progressing later to government, police, military and insurance sites over the final months of last year.
"What most people think is when you attack .edu, .gov and .mil you get arrested instantly," they said in the message. "I decided to test that."
They added that they did not have access to the Tor Project or a virtual private network (VPN), either of which would allow them to conceal themselves from police, because these reduced the internet speed too severely.
The post also said they had been "doxxed" during the third week of December on internet relay chat (IRC), meaning that their identity had been revealed online.