Category: Adversary Intelligence
Industry: Government
Country: India
Source*: C3
Executive Summary

Threat
- 16 million user PII records compromised from India’s Swachhata Platform.
- Leaked data contains email and password combos.

Impact
- Leaked information can be sold as leads on cybercrime forums.
- Social Engineering & Phishing attempts against affected individuals.

Mitigation
- Patch vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil recently discovered a post by the threat actor LeakBase, advertising the breach of the Swachhata Platform (Swachh.city).
- The Swachhata Platform is an initiative of the Swachh Bharat Mission, in association with the Ministry of Housing and Urban Affairs of India.
- Shared data samples contain PII such as email addresses, hashed passwords, User ID, etc.
- 16 million user records have been compromised.
- 6 GB of compromised data is being shared via a popular file-hosting platform.
[Figure: Threat actor’s advertisement on the cybercrime forum]
Information from the Sample
The leaked data samples provided the following information:
- Registered email addresses
- Password hashes
- Registered phone numbers
- Transmitted OTP information
- Login IP to platform
- MAC address from user’s systems
- Individual user tokens
- Browser fingerprint information
Threat Actor Activity and Rating
Threat Actor Profiling

Active since: March 2022
Names used: LeakBase, Chucky, Chuckies, Sqlrip, etc.
Reputation: High (no complaints and credible reputation)
Current status: Active
History:
- Previously known for providing reliable information and data breaches from companies around the world.
- Often operates for financial gain and conducts sales on their marketplace forum leakbase.cc.
- Offers access to admin panels and servers of most CMSs, allegedly gained via unauthorized means and sold for monetary profit.
Rating: C3 (C: Fairly reliable; 3: Possibly true)
Impact and Mitigation

Impact
- This information can be aggregated to further be sold as leads on cybercrime forums.
- This information can be harvested by threat actors to conduct the following cyber attacks:
  - Phishing
  - Smishing
  - Social Engineering

Mitigation
- Implement a strong password policy and enable MFA across logins.
- Patch vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
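The account-monitoring item above, as an added example that is not part of the original advisory: a small detector run over a constructed login log (accounts and IPs are invented documentation values, not from the leak) that flags source IPs attempting many distinct accounts in a short window, the pattern a leaked email/password list produces when replayed against a platform, and successful logins that come from such an IP or follow a burst of failures on the same account. The function names, log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login log (invented for this example, not data from the breach):
# timestamp  account  source IP  outcome
SAMPLE_LOG = """\
2022-09-28T10:00:01 a@example.in 203.0.113.5 FAIL
2022-09-28T10:00:02 b@example.in 203.0.113.5 FAIL
2022-09-28T10:00:03 c@example.in 203.0.113.5 FAIL
2022-09-28T10:00:04 d@example.in 203.0.113.5 FAIL
2022-09-28T10:00:05 e@example.in 203.0.113.5 SUCCESS
2022-09-28T10:05:00 f@example.in 198.51.100.9 FAIL
2022-09-28T10:05:10 f@example.in 198.51.100.9 FAIL
2022-09-28T10:05:20 f@example.in 198.51.100.9 FAIL
2022-09-28T10:05:30 f@example.in 198.51.100.9 SUCCESS
2022-09-28T11:00:00 g@example.in 192.0.2.44 SUCCESS
"""

def parse_log(text):
    """One event per line -> (timestamp, account, ip, outcome), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, account, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, outcome))
    return sorted(events)

def detect_takeover_signals(events, window=timedelta(minutes=10),
                            min_accounts=5, min_failures=3):
    """Thresholds are assumptions. Returns (stuffing_ips, suspicious_logins):
    IPs that tried >= min_accounts distinct accounts inside one window, and
    successful logins from such an IP or after >= min_failures recent failures."""
    by_ip = defaultdict(list)
    for ts, account, ip, _ in events:
        by_ip[ip].append((ts, account))
    stuffing_ips = set()
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):  # sliding window per source IP
            accounts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                stuffing_ips.add(ip)
                break
    suspicious = []
    failures = defaultdict(list)  # account -> failure timestamps since last success
    for ts, account, ip, outcome in events:
        if outcome == "FAIL":
            failures[account].append(ts)
            continue
        recent = [t for t in failures[account] if ts - t <= window]
        if ip in stuffing_ips or len(recent) >= min_failures:
            suspicious.append((account, ip))
        failures[account].clear()
    return stuffing_ips, suspicious
```

Flagged logins are candidates for forced password resets and MFA challenges rather than automatic lockouts, since a shared egress IP can trip the per-IP rule on its own.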
Appendix
[Figure: A sample of the database, disclosed by the threat actor]
[Figure: Comment that was observed under the post]