Domino’s Breach and the Nucleus ransomware attack: More than just isolated incidents?

On 01 Jun 2021, Nucleus Software Exports announced that they had received a ransomware demand after identifying a breach on their server. Nucleus Software is an Indian IT company in the Banking and Financial Services sector, which has a number of high-profile banks and financial institutions among its clients. 

The CloudSEK Threat Intelligence Research team set out to investigate the possible initial attack vectors that could have led to the compromise. During the course of our research, we identified GitHub repositories containing sensitive documents that could have led to the attack on Nucleus Software. We also discovered that this repository had documents related to other organizations, one of which was Domino’s India (Jubilant Foods). Domino’s India also disclosed a data breach recently, after posts advertising their data cropped up across various forums.

Affected Assets and Companies

The organizations whose data is present in the GitHub repositories include:

• Jubilant Foods (Domino’s India): jublfood.com
• Nucleus Software Exports: nucleussoftware.com
• A jewellery manufacturer* 
• A Cloud Technology company*  
• A Digital Payments provider*  

The documents in the GitHub repositories had  sensitive information such as:

• Credentials to JIRA software instances
• PostgreSQL database server
• Data from JIRA such as issues, roadmaps etc.
• Confidential documents
• Other information directly affecting Nucleus Software Exports including:
  • Employees’ Personally Identifiable Information (PII)
  • Vulnerability Assessment and Penetration Testing (VAPT) report 
  • Data exported from JIRA such as issues, roadmaps, and more.
• The repository also contained AWS credentials. However, it has not been confirmed if they belong to any of the aforementioned organizations.

The Common Thread

As mentioned, it was the discovery of exposed GitHub repositories belonging to a single user that led to us recognizing that a slew of recent attacks could potentially be related. These GitHub repositories belong to an ex-employee of Padah Solutions. Padah Solutions is a Business Process Management company that provides IT consulting and services for products such as Zendesk and Atalassian (JIRA). And Padah Solutions appears to be a current or past vendor for companies that have been impacted recently.

Timeline Analysis

Impact

• Unauthorized access to Jira instances/ databases could have led to potential internal data disclosure of the concerned organization(s). This could include:
  • Employees’ names and emails
  • Employees’ roles in JIRA groups
  • Current projects and upcoming milestones mentioned in JIRA dashboards
• Sensitive information such as source code, API tokens, cryptographic keys, critical internal endpoints, configuration details, etc., mentioned in JIRA tickets, can be used to launch targeted attacks, and to compromise other critical systems.  
• Compromise of user accounts on JIRA could be abused by a threat actor to impersonate a user to deliver malware or to gain code execution privileges on other user systems.
• Given that there are public exploits for known JIRA vulnerabilities, attackers could use them to compromise the platform. 
• Password reuse is a common attack surface.

Samples of Sensitive Data Stored in the GitHub Repositories

Conclusion

The proximity of the attacks on Jubilant Foods and Nucleus Software, combined with the fact that both companies’ sensitive data was found in GitHub repositories belonging to one user, it is likely that the attacks were perpetrated by the same threat actors/ group. Given the nature of attacks carried out on Jubilant and Nucleus, the following two scenarios are possible:

• A new ransomware group called Black Cocaine has been attributed for the Nucleus Software data breach, it is possible that the group behind this ransomware is responsible for both attacks.
• A threat actor who discovered the Github repository could have exploited the obtained credentials to gain access to both the networks and further sold it to the subsequent threat actors behind the Jubilant and Nucleus attacks.

In either scenario, the threat actor could be selecting easy victims by scouring GitHub repositories and other sources for exposed credentials and other sensitive data. In light of these attacks, we recommend that all organizations monitor and secure their internet facing assets and data on a regular basis. 

*Note: The names of these companies have been withheld since they have not disclosed any attacks or breaches at the time of publication of this article.