Category: Adversary Intelligence
Industry: Government
Motivation: Reputation
Country: India
Source*:
C: Fairly reliable;
3: Possibly True
Executive Summary
THREAT
- Source code of Indian government website shared for free.
- In a follow-up post, SQL injection was used to obtain 10K records from a vulnerable API endpoint and shared for free by the TA.
IMPACT
- Sample dataset can lead to full account takeover.
- The source code could help attackers understand the website's logic and craft targeted attacks.
- It would equip malicious actors with details required to exfiltrate data and maintain persistence.
MITIGATION
- Patch vulnerable and exploitable endpoints.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
Analysis and Attribution
Information from the Post
On 02 August 2023, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor (TA) sharing, on an underground cybercrime forum, the source code of iRAD (Integrated Road Accident Database, https://irad.parivahan.gov.in/). iRAD is an initiative of the Ministry of Road Transport and Highways (MoRTH), Government of India, funded by the World Bank, with the objective of improving road safety in the country.
Source Code Analysis
Our source was able to obtain the source code, totaling 165 MB in size. Most of the code is written in PHP.
We found several sensitive assets embedded in the code: hostnames, database names, and passwords. The usernames and passwords used in the source code were simple and would be susceptible to brute-force attacks by anyone with local access to the server.
We observed that the source code references sms.gov.in, the NIC SMS Gateway that lets government departments integrate and send citizen-centric SMS to Indian nationals. The gateway URL embedded in the source code carries username and password fields, which, if misused, could grant unauthorized individuals the ability to send messages to recipients.
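The two findings above (credentials hard-coded in configuration, and a gateway URL whose query string carries a username and password) are exactly what a repository secret scan should surface, which is also the last mitigation listed in this report. The script below is an added example written for this page, not CloudSEK's tooling and not code from the leaked iRAD source; the PHP fragment it scans, the hostnames, and the credential values are constructed for illustration.

```python
"""Scan source text for hard-coded secrets and credential-bearing URLs.

Added example (not CloudSEK's tooling): the patterns and the sample PHP
fragment below are constructed for illustration and do not come from the
leaked iRAD code.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample: a PHP config in the style the report describes
# (hostname, database name, credentials, and an SMS-gateway URL whose
# query string carries a username and password).
SAMPLE_PHP = r"""<?php
define('DB_HOST', 'db.internal.example');
define('DB_NAME', 'appdb');
define('DB_USER', 'admin');
define('DB_PASSWORD', 'admin123');
$smsUrl = "https://sms.example.gov/api?username=deptuser&password=pass123&mobileno=" . $mobile;
$apiKey = getenv('API_KEY');   // read from the environment: not a finding
"""


@dataclass
class Finding:
    line: int
    kind: str    # "hardcoded-secret" or "credential-in-url"
    name: str
    value: str
    weak: bool   # only meaningful for password-like values


SECRET_NAME = r"\w*(?:pass|passwd|password|secret|token|api_?key)\w*"
SECRET_PATTERNS = [
    # define('DB_PASSWORD', 'value')
    re.compile(r"define\(\s*['\"](" + SECRET_NAME + r")['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)", re.I),
    # $dbPass = 'value'
    re.compile(r"\$(" + SECRET_NAME + r")\s*=\s*['\"]([^'\"]*)['\"]", re.I),
]
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
CRED_QUERY_KEYS = {"username", "user", "uid", "password", "pass", "passwd",
                   "pwd", "token", "key", "apikey"}
PASSWORD_LIKE = ("pass", "pwd", "secret", "token", "key")
COMMON_PASSWORDS = {"password", "admin", "admin123", "123456", "pass123",
                    "welcome", "qwerty"}


def is_weak(secret: str) -> bool:
    """Cheap heuristic: short, common, or drawn from a single character class."""
    s = secret.lower()
    return len(secret) < 12 or s in COMMON_PASSWORDS or s.isdigit() or s.isalpha()


def password_like(name: str) -> bool:
    return any(tag in name.lower() for tag in PASSWORD_LIKE)


def scan_source(text: str) -> list[Finding]:
    """Return every hard-coded secret and every URL query parameter that
    looks like a credential, with the line it was found on."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(line):
                name, value = m.group(1), m.group(2)
                findings.append(Finding(lineno, "hardcoded-secret", name, value,
                                        password_like(name) and is_weak(value)))
        for m in URL_RE.finditer(line):
            query = parse_qs(urlparse(m.group(0)).query)
            for key, values in query.items():
                if key.lower() in CRED_QUERY_KEYS:
                    findings.append(Finding(lineno, "credential-in-url", key, values[0],
                                            password_like(key) and is_weak(values[0])))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_PHP):
        flag = " (weak)" if f.weak else ""
        print(f"line {f.line}: {f.kind} {f.name}={f.value!r}{flag}")
```

The `getenv` line is deliberately left unflagged: reading secrets from the environment (or a secrets manager) is the pattern a remediation should move the code towards, and a scanner that flags it would bury the real findings in noise.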
Follow-up Post by Threat Actor
On 07 August 2023, the same threat actor made another post sharing a sample dataset of 10K users of the website. The post also states that SQL injection was used to obtain the data from a vulnerable API endpoint which, at the time of writing this report, is still accessible.
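The report does not disclose which endpoint was injectable, so the following is an added example rather than the iRAD code: a hypothetical record-lookup handler written the way string-built queries typically are, next to the hardened form that "Patch vulnerable and exploitable endpoints" calls for. The table, the `regno` lookup and the rows are constructed stand-ins that borrow column names from the leaked header; SQLite is used only so the comparison runs offline.

```python
"""A string-built lookup beside its parameterised, validated replacement.

Added example, not code from the iRAD application: the table, the rows and
the `regno` lookup are hypothetical stand-ins chosen to match the column
names listed in the post.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table; the rows are fabricated test data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, regno TEXT, "
        "email TEXT, mobile TEXT, state_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, regno, email, mobile, state_code) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            ("officer1", "REG1001", "officer1@example.invalid", "9000000001", "MH"),
            ("officer2", "REG1002", "officer2@example.invalid", "9000000002", "KA"),
            ("officer3", "REG1003", "officer3@example.invalid", "9000000003", "TN"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, regno: str) -> list:
    """The defect: caller input is spliced into the SQL text, so a quote
    character in `regno` changes the query instead of being compared."""
    sql = f"SELECT id, username, email FROM users WHERE regno = '{regno}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, regno: str) -> list:
    """Bound parameter: the driver sends `regno` as data, never as SQL."""
    return conn.execute(
        "SELECT id, username, email FROM users WHERE regno = ?", (regno,)
    ).fetchall()


# Assumed format for this hypothetical field: 4-12 upper-case alphanumerics.
REGNO_RE = re.compile(r"^[A-Z0-9]{4,12}$")


def lookup_safe(conn: sqlite3.Connection, regno: str) -> list:
    """Defence in depth: reject anything outside the allow-listed format
    before it reaches the database, then use the bound parameter."""
    if not REGNO_RE.fullmatch(regno):
        raise ValueError("invalid registration number format")
    return lookup_parameterised(conn, regno)


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", lookup_safe(db, "REG1001"))
    print("vulnerable handler, rows returned for a quote-bearing input:",
          len(lookup_vulnerable(db, "x' OR '1'='1")))
    print("parameterised handler, same input:",
          lookup_parameterised(db, "x' OR '1'='1"))
```

The point for defenders is the second and third lines of output: the same input dumps the whole table through the string-built handler and matches nothing through the parameterised one, and the validated wrapper refuses it before any query runs. Patching the endpoint means replacing the first function with the third, and a web application firewall rule on its own is not a substitute.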
Data Analysis
- As per the advertisement claims, the sample dataset contains a list of 10,000 user records with sensitive user information.
- The header contains id, office_id, name, email, regno, active, mobile, ps_code, remarks, password, username, createdby, dept_code, role_code, state_code, designation, created_date, old_password, password_enc, district_code, email_verified, mobile_verified.
- Our source could verify some of the mobile numbers and the names mentioned in the sample dataset against Truecaller and they matched.
- The sample data also contains government officials' email IDs and clear text passwords.
Impact & Mitigation
What is the Impact of this Data leak?
- The leaked information could be used to gain initial access to the website’s infrastructure.
- If the leaked passwords are not encrypted, it could enable account takeovers.
- Commonly used or weak passwords could be recovered by brute-force attacks.
- It would equip malicious actors with the details required to exfiltrate data, and maintain persistence.
How can you Mitigate?
- Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
- Patch vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Scan repositories to identify exposed credentials and secrets.
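The "monitor for anomalies in user accounts" item is easiest to act on with concrete rules. After a dump of usernames and cleartext passwords, the two patterns a defender most wants to catch are one source address trying many accounts in quick succession, and an account succeeding from an address it has never used before right after a failure. The detector below is an added example for this page, not CloudSEK's or NIC's monitoring; its log format and the seven log lines are constructed, and the thresholds are assumptions to tune against real traffic.

```python
"""Account-takeover indicators over authentication logs.

Added example: the log format, the sample lines and the thresholds are
constructed for illustration and are not from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|fail)$"
)

# Constructed sample: two normal logins, then one address failing against
# three accounts within seconds and succeeding against two of them.
SAMPLE_LOGS = """\
2023-08-08T09:00:00Z user=alice ip=198.51.100.10 result=success
2023-08-08T09:05:00Z user=bob ip=198.51.100.11 result=success
2023-08-08T10:00:01Z user=alice ip=203.0.113.5 result=fail
2023-08-08T10:00:02Z user=bob ip=203.0.113.5 result=fail
2023-08-08T10:00:03Z user=carol ip=203.0.113.5 result=fail
2023-08-08T10:00:04Z user=dave ip=203.0.113.5 result=success
2023-08-08T10:00:05Z user=alice ip=203.0.113.5 result=success
""".splitlines()


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_password_spraying(events, window=timedelta(minutes=5), min_users=3):
    """IPs that fail against `min_users` or more distinct accounts inside `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged


def detect_new_ip_logins(events):
    """(user, ip) pairs where a success came from an IP the account had never
    succeeded from, after a failure from that same IP: the shape of a
    credential being tried and then working."""
    baseline = defaultdict(set)     # user -> IPs with an earlier success
    failed_from = defaultdict(set)  # user -> IPs with an earlier failure
    suspects = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ip = e["user"], e["ip"]
        if e["result"] == "fail":
            failed_from[user].add(ip)
            continue
        if baseline[user] and ip not in baseline[user] and ip in failed_from[user]:
            suspects.append((user, ip))
        baseline[user].add(ip)
    return suspects


def accounts_at_risk(events):
    """Union of the two rules: any account that succeeded from a spraying
    IP, plus any account caught by the new-IP rule."""
    bad_ips = detect_password_spraying(events)
    at_risk = {user for user, _ in detect_new_ip_logins(events)}
    at_risk |= {e["user"] for e in events
                if e["result"] == "success" and e["ip"] in bad_ips}
    return at_risk


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    print("spraying sources:", detect_password_spraying(evts))
    print("new-IP successes:", detect_new_ip_logins(evts))
    print("accounts to force-reset:", sorted(accounts_at_risk(evts)))
```

Note why the rules are combined: `dave` has no login history, so the new-IP rule alone cannot flag his account, but the success came from an address already identified as spraying. In the scenario this report describes, the sensible response for every account in that set is a forced password reset and MFA enrolment, not just an alert.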