Researchers have now disclosed more information on how they were able to breach multiple websites of the Indian government.
Last month, researchers from the Sakura Samurai hacking group had partially disclosed that they had breached cyber systems of Indian government after finding a large number of critical vulnerabilities.
The full findings disclosed today shed light on the routes leveraged by the researchers, including finding exposed .git directories and .env files on some of these systems.
As a result of this team exercise, the researchers found some serious flaws including 35 cases of exposed credential pairs for critical applications, publicly-reachable sensitive files exposing 13,000 PII records, dozens of police reports, etc.
The researchers also found session hijacking and remote code execution (RCE) vulnerabilities on sensitive government systems that process financial information.
All of this information came to light when the researchers discovered exposed .git folders and .env files on one or more Indian government subdomains.
First, Henry and Holder used ethical hacking tools to identify the subdomains to target.
Further, they identified the exposed .git and .env files on these servers that had credentials to multiple applications, databases, and servers.
The .env file is often used by software applications and contains configuration information along with usernames, passwords for application servers and databases, such as MySQL, SMTP, PHPMailer, and WordPress.
Likewise, the .git directory contains information about a software project codebase.
Researchers used a tool called git-dumper to obtain the contents of the publicly-accessible .git directory, and could therefore obtain files with usernames and passwords.
Further, Willis discovered a /files/ folder on a regional police department’s website with heaps of PDFs in it.
These PDFs were police reports with sensitive information with some even containing forensic data.
Many Indian government departments breached
After persisting with their reconnaissance efforts, the researchers continued to discover even more publicly accessible files on government sites, such as SQL dumps and databases that should have remained inaccessible over the web.
Just one example below shows the nature of personally identifiable information (PII) that could be obtained by the researchers.
The table shown below contains fields like an employee’s full name, date of birth, contact information, office department, and Aadhaar (national identification card) number.
By corroborating the information collected and chaining vulnerabilities together, researchers could execute session hijacking attacks, and in some cases remote code execution (RCE) against mission-critical government systems.
The list of government departments in which the researchers found one or more security flaws includes:
Government of Bihar
Government of Tamil Nadu
Government of Kerala
Telangana State
Maharashtra Housing and Development Authority
Jharkhand Police Department
Punjab Agro Industries Corporation Limited
Government of India, Ministry of Women and Child Development
Government of West Bengal, West Bengal SC ST & OBC Development and Finance Corp.
Government of Delhi, Department of Power GNCTD
Government of India, Ministry of New and Renewable Energy
Government of India, Department of Administrative Reforms & Public Grievances
Government of Kerala, Office of the Commissioner for Entrance Examinations
Government of Kerala, Stationery Department
Government of Kerala, Chemical Laboratory Management System
Government of Punjab, National Health Mission
Government of Odisha, Office of the State Commissioner for Persons with Disabilities
Government of Mizoram, State Portal
Embassy of India, Bangkok, Thailand
Embassy of India, Tehran
Consulate General of India
Government of Kerala, Service and Payroll Administrative Repository
Government of West Bengal, Directorate of Pension, Provident Fund & Group Insurance
Government of India, Competition Commission of India
Government of Chennai, The Greater Chennai Corporation
Government of Goa, Captain of Ports Department
Government of Maharashtra
After the researchers reported the flaws via intermediary government bodies, such as India’s National Cyber Security Coordinator (NCSC) and CERT-IN, the flaws were eventually remediated.
On February 21, 2021, a National Cyber Security Coordinator (NCSC) official, Lt. Gen. Rajesh Pant, had told Hindustan Times:
“Remedial actions have been taken by NCIIPC (National Critical Information Infrastructure Protection Centre) and Cert-IN (Indian Computer Emergency Response Team)… NCIIPC handles only the Critical Information Infrastructure issues. In this case, the balance pertained to other states and departments that were immediately informed by Cert-IN. It is likely that some action may be pending by users at state levels which we are checking.”
To prevent threat actors from exploiting these vulnerabilities, the researchers had not released the complete writeup on how exactly they had exploited the government systems, until today.
“After working with the NSCS, we have been given the green-light to disclose more specific details and all 34 pages of our reported vulnerabilities have been adequately remediated,” said researchers in their detailed report released today.
This is not the first time web servers have exposed files that should remain forbidden from the public eye.
Previously, Sakura Samurai group had breached the United Nations on finding exposed Git credential files on UN-owned domains.
Last month, BleepingComputer had also reported on an Azure bucket leaking hundreds of passports and identity documents of prominent journalists and volleyball players from around the world.
When deploying web services, organizations should ensure that proper file permissions are configured and verify if sensitive assets can be accessed publicly.
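The exposure the researchers found (a .git directory or .env file served over HTTP) and the self-verification recommended above can both be turned into a routine check an operator runs against the hosts they own. The script below is an added example written for this article; it is not code from the researchers, from git-dumper, or from any of the affected sites. It probes a handful of well-known paths, and instead of trusting the HTTP status alone (many sites answer 200 with an HTML error page for any path) it checks that the body actually has the signature of a git HEAD file, a git config, or a KEY=VALUE dotenv file. Findings are reported with credential values redacted so the check itself does not copy secrets into logs. The probe paths, the `exposure-self-check` user agent, and the sample responses in the test are assumptions constructed for the example.

```python
"""Self-check for exposed .git directories and .env files on hosts you operate.

Added example: verifies that a web server does not serve source-control
metadata or dotenv configuration, the two exposures described in the article.
Only a 200 response whose body looks like the real file counts as a finding.
"""
import re
import sys
import urllib.error
import urllib.request

# Paths a hardened deployment must never serve (assumption: the common ones).
PROBE_PATHS = ["/.git/HEAD", "/.git/config", "/.env"]

# A real .git/HEAD is either a symbolic ref or a bare 40-hex commit id.
GIT_HEAD_RE = re.compile(r"^(ref: refs/|[0-9a-f]{40}$)")
# A real .git/config opens with the [core] section.
GIT_CONFIG_RE = re.compile(r"^\[core\]", re.MULTILINE)
# A dotenv file is lines of UPPER_CASE_KEY=value.
ENV_LINE_RE = re.compile(r"^[A-Z][A-Z0-9_]*=.*$", re.MULTILINE)
# Keys whose presence means credentials rather than plain configuration.
SECRET_KEY_RE = re.compile(
    r"^([A-Z0-9_]*(?:PASSWORD|SECRET|KEY|TOKEN)[A-Z0-9_]*)=.*$", re.MULTILINE
)


def classify(path, status, body):
    """Decide whether (status, body) for `path` is a genuine exposure.

    Returns (exposed, reason). Soft-404s (HTML for any path) are rejected.
    """
    if status != 200:
        return False, "not served"
    text = body.decode("utf-8", errors="replace").lstrip()
    if text[:1] == "<":
        return False, "HTML page, likely soft-404"
    if path == "/.git/HEAD" and GIT_HEAD_RE.match(text):
        return True, "git HEAD ref served; repository history is downloadable"
    if path == "/.git/config" and GIT_CONFIG_RE.search(text):
        return True, "git config served"
    if path == "/.env" and ENV_LINE_RE.search(text):
        secret_keys = [m.group(1) for m in SECRET_KEY_RE.finditer(text)]
        if secret_keys:
            return True, "dotenv served with credential keys: " + ", ".join(secret_keys)
        return True, "dotenv served"
    return False, "content does not match the expected file format"


def redact_env(text):
    """Blank the value of every credential-looking key before reporting."""
    return SECRET_KEY_RE.sub(r"\1=<redacted>", text)


def fetch(base_url, path, timeout=5):
    """Fetch one probe path; returns (status or None, first 4 KiB of body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "exposure-self-check"},  # assumed UA string
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def check_host(base_url, fetcher=fetch):
    """Probe every path on one host; returns a list of (path, reason) findings."""
    findings = []
    for path in PROBE_PATHS:
        status, body = fetcher(base_url, path)
        exposed, reason = classify(path, status, body)
        if exposed:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    # Usage: python exposure_check.py https://host.you.own [more hosts...]
    exit_code = 0
    for host in sys.argv[1:]:
        for path, reason in check_host(host):
            print(f"EXPOSED {host}{path}: {reason}")
            exit_code = 1
    sys.exit(exit_code)
```

Run it from a deployment pipeline or a scheduled job so a regression is caught before anyone else finds it, and pair it with a server-side rule that refuses the paths outright; in nginx, for instance, `location ~ /\.(?:git|env) { deny all; return 404; }` keeps dotfiles from ever being served regardless of file permissions, and an equivalent `<FilesMatch>` or `RedirectMatch 404` rule does the same in Apache.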