Category: Adversary Intelligence
Industry: Healthcare & Pharma
Motivation: Reputation
Region: India
Source*:
B: Usually reliable
2: Probably true
Executive Summary
CloudSEK's contextual AI digital risk platform XVigil has discovered a post on an English-speaking cybercrime forum sharing a database of PHI-IIIT Delhi in exchange for forum credits. A total of 82 databases were compromised; the leaked data includes emails, names, years, and internal healthcare and vaccine-development documents, including research papers and more. It should be noted that a portion of the offered database is accessible for public consumption on the PHI Portal hosted on ERNET (Education and Research Network). ERNET is an autonomous scientific society under the Ministry of Electronics and Information Technology (MeitY) in India.
PHI (Portal for Health Informatics) is IIIT Delhi's web portal for bioinformatics, health informatics, and genomics, helping biologists in vaccine development and drug design. It provides servers, databases, and software for scientific computation in healthcare, supporting research in the life sciences.
Analysis and Attribution
Information from the Post
On 25 July 2023, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor named UsNsA sharing a database of the Portal for Health Informatics - IIIT-Delhi for 8 forum credits. The leaked database, comprising 82 files with a total size of approximately 1.8 GB, contains sensitive information such as usernames, email addresses, and other internal documents.
The shared database, named webs.iiitd.edu.in.rar, included:
- 10,842 emails in the collection, with around 6,500 unique domains and 29,000 unique URLs in the database.
- Internal data files relating to ovirustdb, leukemiabd, indiabiodb, HIV, and more.
- Various tables, including bacvacdb, cancerdp, PHPMyadmin, dengi, and Crud. The leaked database file additionally includes usernames such as admin, test, Vikram, mouli, osddadmin, osdduser11, and user31, which were obtained from the DotProject Contacts table.
It is worth noting that 54 of the leaked databases are already available for public consumption through the website, as mentioned below.
Information from the Post (Contd)
The actor exploited a SQL injection vulnerability on the PHI Portal website to gain unauthorized access and exfiltrate the database, likely employing the SQLMap tool.
- SQLMap is a powerful open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web applications.
- CloudSEK researchers discovered parameters affected by SQL injection in the SQL logs.
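As an added illustration of the log-based detection mentioned above (example code written for this page, not from CloudSEK or the PHI Portal): a small Python scanner over web-server access-log lines that flags the automated SQL injection probing and sqlmap user-agent traffic described here. The log lines, IP addresses, paths and parameter names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined log format); IPs, paths and user-agents are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jul/2023:10:01:02 +0530] "GET /search.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Jul/2023:10:01:05 +0530] "GET /search.php?id=12%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
203.0.113.10 - - [25/Jul/2023:10:01:06 +0530] "GET /search.php?id=12%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2023:10:02:00 +0530] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One combined-format line: client IP, timestamp, request line, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Injection indicators checked against each URL-decoded query parameter value.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b.{0,40}\bselect\b"),            # UNION-based extraction
    re.compile(r"(?i)['\"]\s*(and|or)\s+\d+\s*=\s*\d+"),       # boolean tautology after a quote
    re.compile(r"(?i)\b(sleep|benchmark|pg_sleep)\s*\("),     # time-based probing
    re.compile(r"(?i)\binformation_schema\b"),                # schema enumeration
    re.compile(r"--\s*$|/\*.*\*/"),                           # trailing SQL comment
]


def find_sqli_indicators(log_text):
    """Return (ip, parameter, reason) tuples for requests showing SQLi probing."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, path, ua = m["ip"], m["path"], m["ua"]
        if "sqlmap" in ua.lower():
            findings.append((ip, None, "sqlmap user-agent"))
        # parse_qs URL-decodes values, so encoded quotes and spaces are visible to the patterns
        for name, values in parse_qs(urlparse(path).query, keep_blank_values=True).items():
            for value in values:
                if any(p.search(value) for p in SQLI_PATTERNS):
                    findings.append((ip, name, f"injection pattern in {name!r}: {value!r}"))
                    break
    return findings


def offenders_by_ip(findings):
    """Count findings per client IP, a simple basis for alert thresholds or blocking."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

On the constructed sample, the scanner reports three findings, all from 203.0.113.10: the sqlmap user-agent plus two injected values in the `id` parameter.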
The leaked MySQL user table, named "users", exposed sensitive information such as usernames, hashed passwords, user privileges, SSL type, and possibly other confidential data. Furthermore, the website displayed numerous instances of SEO spam, as evident in the images below, indicating that a certain section of the website is not moderated.
Threat Actor Activity and Rating
Impact & Mitigation
Impact
- The leaked information could be used to gain initial access to the organization’s infrastructure.
- If the leaked data is not encrypted, it could enable account takeovers.
- Commonly used or weak passwords could lead to successful brute-force attacks.
- It would equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
References
Appendix