fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Researchers Hacked Indian Govt Sites Via Exposed Git And Env Files

Researchers Hacked Indian Govt Sites Via Exposed Git And Env Files

Researchers have now disclosed more information on how they were able to breach multiple websites of the Indian government.

Last month, researchers from the Sakura Samurai hacking group had partially disclosed that they had breached cyber systems of Indian government after finding a large number of critical vulnerabilities.

The full findings disclosed today shed light on the routes leveraged by the researchers, including finding exposed .git directories and .env files on some of these systems.

Researchers discover exposed .git and .env files

Last month, ethical hackers Jackson HenryRobert WillisAubrey CottleJohn Jackson, and Zultan Holder collaborated on finding vulnerabilities lurking in Indian government systems.

The reconnaissance efforts, according to the researchers, were in line with the government’s NCIIPC Responsible Vulnerability Disclosure Program (RVDP).

As a result of this team exercise, the researchers found some serious flaws including 35 cases of exposed credential pairs for critical applications, publicly-reachable sensitive files exposing 13,000 PII records, dozens of police reports, etc.

The researchers also found session hijacking and remote code execution (RCE) vulnerabilities on sensitive government systems that process financial information.

But, all of this information came to light when the researchers discovered exposed .git folders and .env files on one or more Indian government subdomains.

First, Henry and Holder used ethical hacking tools to identify the subdomains to target.

Further, they identified the exposed .git and .env files on these servers that had credentials to multiple applications, databases, and servers.

Also Read: What Does A Data Protection Officer Do? 5 Main Things

One of the exposed .env files seen by the researchers had database credentials

The .env file is often used by software applications and contains configuration information along with usernames, passwords for application servers and databases, such as MySQL, SMTP, PHPMailer, and WordPress.

Likewise, the .git directory contains information about a software project codebase.

Researchers used a tool called git-dumper to obtain the contents of the publicly-accessible .git directory, and could therefore obtain files with usernames and passwords. 

Further, Willis discovered a /files/ folder on a regional police department’s website with heaps of PDFs in it.

These PDFs were police reports with sensitive information with some even containing forensic data.

Publicly accessible police reports and forensic data PDFs 

Many Indian government departments breached

After persisting with their reconnaissance efforts, the researchers continued to discover even more publicly accessible files on government sites, such as SQL dumps and databases that should have remained inaccessible over the web.

Just one example below shows the nature of personally identifiable information (PII) that could be obtained by the researchers.

The table shown below contains fields like an employee’s full name, date of birth, contact information, office department, and Aadhar (national identification card) number.

The PII fields (columns) within a SQL table accessed by the researchers

By corroborating the information collected and chaining vulnerabilities together, researchers could execute session hijacking attacks, and in some cases remote code execution (RCE) against mission-critical government systems.

Also Read: The DNC Registry Singapore: 5 Things You Must Know

The list of government departments that the attackers found one or more security flaws in includes: Government of Bihar
Government of Tamil Nadu
Government of Kerala
Telangana State
Maharashtra Housing and Development Authority
Jharkhand Police Department
Punjab Agro Industries Corporation Limited
Government of India, Ministry of Women and Child Development
Government of West Bengal, West Bengal SC ST & OBC Development and Finance Corp.
Government of Delhi, Department of Power GNCTD
Government of India, Ministry of New and Renewable Energy
Government of India, Department of Administrative Reforms & Public Grievances
Government of Kerala, Office of the Commissioner for Entrance Examinations
Government of Kerala, Stationery Department
Government of Kerala, Chemical Laboratory Management System
Government of Punjab, National Health Mission
Government of Odisha, Office of the State Commissioner for Persons with Disabilities
Government of Mizoram, State Portal
Embassy of India, Bangkok, Thailand
Embassy of India, Tehran
Consulate General of India
Government of Kerala, Service and Payroll Administrative Repository
Government of West Bengal, Directorate of Pension, Provident Fund & Group Insurance
Government of India, Competition Commission of India
Government of Chennai, The Greater Chennai Corporation
Government of Goa, Captain of Ports Department
Government of Maharashtra

After the researchers reported the flaws via intermediary government bodies, such as India’s National Cyber Security Coordinator (NCSC) and CERT-IN, the flaws were eventually remediated.

On February 21, 2021, a National Cyber Security Coordinator (NCSC) official, Lt. Gen. Rajesh Pant had told Hindustan Times:

“Remedial actions have been taken by NCIIPC (National Critical Information Infrastructure Protection Centre) and Cert-IN (Indian Computer Emergency Response Team)… NCIIPC handles only the Critical Information Infrastructure issues. In this case, the balance pertained to other states and departments that were immediately informed by Cert-IN. It is likely that some action may be pending by users at state levels which we are checking.”

To prevent threat actors from exploiting these vulnerabilities, the researchers had not released the complete writeup on how exactly they had exploited the government systems, until today.

“After working with the NSCS, we have been given the green-light to disclose more specific details and all 34-pages of our reported vulnerabilities have been adequately remediated,” said researchers in their detailed report released today.

This is not the first time web servers have exposed files that should remain forbidden from the public eye.

Previously, Sakura Samurai group had breached the United Nations on finding exposed Git credential files on UN-owned domains.

The researchers could use these credentials to access over 100K UNEP employee records.

Last month, BleepingComputer had also reported on an Azure bucket leaking hundreds of passports and identity documents of prominent journalists and volleyball players from around the world.

When deploying web services, organizations should ensure that proper file permissions are configured and verify if sensitive assets can be accessed publicly.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us