CloudSEK team has identified a malicious actor promoting a Telegram bot that provided access to the personal information of Indian individuals who had reportedly registered for vaccines through the Cowin Portal. The bot claimed to offer personally identifiable information (PII) data.
Published on: June 12, 2023 (updated June 12, 2023)
CloudSEK's contextual AI digital risk platform XVigil discovered a threat actor advertising a Telegram bot that offered personally identifiable information (PII) of Indian citizens who had allegedly registered for vaccines through the Cowin Portal.
Note: CloudSEK's analysis concludes that the threat actors do not have access to the entire Cowin portal or to its backend database. Based on the fields in the Telegram data matching those in previously reported incidents affecting healthcare workers of a single region, we assume the information was scraped using those compromised healthcare-worker credentials. The claims still need to be verified individually.
On March 13, 2022, a threat actor on a Russian cybercrime forum advertised compromised access to the Cowin Portal for the Tamil Nadu region and claimed to have compromised the Cowin database. Upon analysis, we found that the breach was of a single health worker's account and not of the infrastructure itself. The content shown in the screenshot matches the fields offered by the Telegram bot mentioned in the media, as follows:
Name of individual
Mobile Number
Identity Proof
Identification Number
Number of doses completed
Furthermore, there are numerous healthcare worker credentials accessible on the dark web for the Cowin portal. However, this issue primarily stems from the inadequate endpoint security measures implemented for healthcare workers, rather than any inherent weaknesses in Cowin's infrastructure security.
URL                               Username     Password
https://admin.cowin.gov.in/login  9444****44   **********
https://admin.cowin.gov.in/login  9444****44   **********
Image 1: Threat actor's post on Telegram channels advertising the CoWin database in 2022
HUMINT analysis revealed that the data belonged to the Tamil Nadu region and that, at the time, the actor claimed access to this single region's center only.
Analysis and Attribution
Information from the Telegram Channel
The Covid data bot was offered by a channel called hak4learn, which frequently shared hacking tutorials, resources, and bots for individuals to access and buy. Initially, the bot was available for everyone to use, but it was later upgraded to be exclusive to subscribers.
The upgraded version of the bot returned PII, including Aadhaar card number, PAN card, Voter ID, gender, and the name of the vaccination center, for an input phone number.
The real source of the Telegram bot is unknown. It is important to note that Version 1 of the bot only displayed personal information for a given phone number, while Version 2 was claimed to be a Truecaller bot that also contained personal information of the individuals.
The bot is currently down and, according to the admin of the channel, might come back up later.
Snapshot of the Telegram Group hak4learn
The channel, established on December 11, 2021, provides a variety of Telegram bots, such as a Truecaller bot for retrieving location information based on phone numbers, an OTP bot, a UPI Recon bot, a Phishing page bot, and many others.
The advertised post contains screenshots of the admin portal revealing the PII of people who have registered for COVID-19 vaccination drives.
Threat Actor Activity and Rating
Based on an Instagram post made in 2022, an account likely associated with the threat actor offered various scripts exploiting UPI payment gateways such as SBI, PayTM and Google Pay.
Figure: Threat actor posting scripts to scan for different UPI systems operational in India
Threat Actor Profiling
Active since: 2021
Reputation: Moderate, with frequent posts to monetize methods and data
Current status: Active, popular
History: The actor has been sharing scripts, databases and bot details, and deals in INR, indicating a non-Russian origin.
Rating: E4 (E: Unreliable, 4: Doubtfully True)
Impact & Mitigation
Impact:
The exposed Personally Identifiable Information (PII) could enable threat actors to orchestrate social engineering schemes, phishing attacks, and even identity theft.
Mitigation:
Include 2FA for the Cowin portal.
Monitor cybercrime forums for the latest tactics employed by threat actors.
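The report's working assumption is that the data was scraped through a compromised healthcare-worker account rather than through the backend, and the mitigation section stops at 2FA and forum monitoring. A complementary control on the portal side is to detect an individual account being used for bulk beneficiary lookups. The following is an added example, not CloudSEK's or the Cowin portal's own code: the log format, field names, account names and thresholds are all hypothetical and constructed for illustration. It flags an account whose lookup rate within a sliding window, or number of distinct source IPs, exceeds what one human health worker would plausibly produce.

```python
"""Flag portal accounts that perform bulk beneficiary lookups.

Added example. The log format (timestamp, account, source IP, action,
masked target phone) is hypothetical, not the real CoWIN portal's log
format, and the thresholds are illustrative.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LookupEvent:
    ts: datetime
    account: str
    src_ip: str
    target: str  # masked beneficiary phone number


def parse_log(text: str) -> list:
    """Parse whitespace-separated log lines into LookupEvent objects, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, src_ip, action, target = line.split()
        if action != "lookup":  # only beneficiary lookups are of interest here
            continue
        events.append(LookupEvent(datetime.fromisoformat(ts), account, src_ip, target))
    return sorted(events, key=lambda e: e.ts)


def find_bulk_lookups(events, window=timedelta(minutes=5), max_lookups=20, max_ips=1):
    """Return {account: finding} for accounts exceeding either threshold.

    peak_lookups is the largest number of lookups seen in any `window`
    for that account; distinct_ips counts source addresses used.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        peak, recent = 0, deque()
        for e in evs:
            recent.append(e)
            # drop events that fell out of the sliding window
            while recent and e.ts - recent[0].ts > window:
                recent.popleft()
            peak = max(peak, len(recent))
        ips = {e.src_ip for e in evs}

        reasons = []
        if peak > max_lookups:
            reasons.append(f"{peak} lookups within {window}")
        if len(ips) > max_ips:
            reasons.append(f"{len(ips)} distinct source IPs")
        if reasons:
            findings[account] = {
                "peak_lookups": peak,
                "distinct_ips": len(ips),
                "reasons": reasons,
            }
    return findings


def build_sample_log() -> str:
    """Constructed sample log: one normal account and one behaving like a scraper."""
    base = datetime(2022, 3, 12, 9, 0, 0)
    lines = ["# constructed sample data, hypothetical format"]
    # hw_tn_0101: six lookups spread over an hour from a single clinic address
    for i in range(6):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} hw_tn_0101 10.20.1.5 lookup 9444****{i:02d}")
    # hw_tn_0412: sixty lookups in two minutes, rotating across three addresses
    for i in range(60):
        t = base + timedelta(seconds=2 * i)
        ip = f"203.0.113.{10 + i % 3}"
        lines.append(f"{t.isoformat()} hw_tn_0412 {ip} lookup 9444****{i:02d}")
    return "\n".join(lines)


if __name__ == "__main__":
    for account, finding in find_bulk_lookups(parse_log(build_sample_log())).items():
        print(account, "->", "; ".join(finding["reasons"]))
```

The thresholds are deliberately conservative so that a real clinic account stays under them; in practice they would be tuned from a baseline of normal per-worker activity. A finding is a trigger for credential reset and session revocation on that account, which is exactly the gap the compromised-credential scenario above exploits.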