Inaccurate Reporting Regarding RBI Data Breach: CyberExpress by Cyble Erroneously Links Rural Business Incubator (RBI) to Reserve Bank of India and Issues Public Advisory

CloudSEK XVigil detected a security breach impacting the Indian Rural Business Incubator. Additionally, CloudSEK noticed an advisory from CyberExpress by Cyble that incorrectly linked the data leak to the Reserve Bank of India, creating unnecessary panic. 

CloudSEK Threat Intelligence
February 19, 2024
Green Alert
Last Update posted on
February 22, 2024

Misinformation spread on the internet
Archive: https://web.archive.org/web/20240219082551/https://thecyberexpress.com/rbi-data-breach/

Misinformation Clarification:

Initial Assumption:

  • On February 19, 2024, Atlanta-based dark web monitoring company Cyble, through its news outlet CyberExpress, issued an advisory describing a data breach of Reserve Bank of India infrastructure.

Correct Attribution:

  • The compromised data was misattributed to the Reserve Bank of India (RBI).
  • The leaked data originated from the Rural Business Incubator (RBI), not the Reserve Bank of India.

Executive Summary Analysis and Attribution

On February 18, 2024, CloudSEK's contextual AI digital risk platform, XVigil, detected a security breach impacting the Indian Rural Business Incubator. Additionally, CloudSEK noticed an advisory from CyberExpress by Cyble that incorrectly linked the data leak to the Reserve Bank of India, creating unnecessary panic. 

The breach, carried out by an individual or group using the moniker "ZALCYBER," exploited a SQL injection vulnerability in the endpoint https://ukrbi.in/new2/admin/index.php to gain unauthorized access to the Indian Rural Business Incubator (Indian RBI) database. The actor retrieved sensitive information comprising over 2000 applicant records and 48 records detailing stages, applications and service descriptions held in the Indian RBI admin file.

Information from the Post

  • On 18 February 2024, CloudSEK's contextual AI digital risk platform XVigil discovered a threat actor named "ZALCYBER" claiming to have leaked data related to the Indian RBI.

Post made by the Threat actor

Information through HUMINT

Sources providing Human Intelligence (HUMINT) to researchers at CloudSEK conveyed information contradicting the initial assumptions about the leaked data. Contrary to the initial attribution, the compromised data does not originate from the Reserve Bank of India but from the Indian Rural Business Incubator (Indian RBI), which makes the original reporting a significant misinformation element. This finding removes a layer of complexity from the investigation and emphasizes the need for accurate clarification in subsequent communications, especially where critical infrastructure and industries are concerned.

Information obtained through HUMINT

Attack Details

Compromised Endpoint:

  • URL: https://ukrbi.in/new2/admin/index.php
  • Exploited through a SQL injection technique.

Screenshot of RBI admin panel shared by the threat actor

Database Content:

  • The breached Indian RBI database (Rural Business Incubator) contained over 2000 records with various personal identifiers.
  • The RBI (Rural Business Incubator) admin file included 48 records detailing stages, applications, and service descriptions.
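The page does not disclose the injection point or payload ZALCYBER used against the admin endpoint. As an added illustration (not CloudSEK's code and not the incubator's application), the Python/sqlite3 script below shows the two consequences of string-built SQL that typically follow from a flaw like the one described in Attack Details and Database Content above: an admin login check bypassed with a tautology, and a record search turned into a dump of another table with UNION, each beside its parameterized fix. The table and column names, the sample rows and the payloads are constructed for this example and are not taken from the leak.

```python
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample data (not the leaked data): one admin account and a
    few applicant rows, standing in for an incubator admin database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE admins (username TEXT NOT NULL, password TEXT NOT NULL);
        INSERT INTO admins VALUES ('admin', 'S3cret!');
        CREATE TABLE applicants (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        INSERT INTO applicants VALUES (1, 'Asha', '9000000001');
        INSERT INTO applicants VALUES (2, 'Ravi', '9000000002');
        """
    )
    # The plaintext password is only for the demo; real systems store a hash.
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: user input is spliced into the SQL text, so a quote in the
    # username terminates the literal and rewrites the WHERE clause.
    sql = (
        "SELECT username FROM admins "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: placeholders pass the values separately from the query text,
    # so quotes and comment markers are just characters inside a string.
    sql = "SELECT username FROM admins WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    # Vulnerable: a search box on the admin panel built the same way lets the
    # attacker append UNION SELECT and read any table with a matching column count.
    sql = f"SELECT name, phone FROM applicants WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    # Hardened: the wildcard pattern is built in Python and bound as one value.
    sql = "SELECT name, phone FROM applicants WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Constructed payloads: a tautology with a trailing comment that discards the
# password check, and a UNION that pulls admin credentials into a search result.
BYPASS_USER = "admin' OR '1'='1' -- "
UNION_TERM = "' UNION SELECT username, password FROM admins -- "


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login bypassed:", login_vulnerable(db, BYPASS_USER, "wrong"))
    print("safe login bypassed:     ", login_safe(db, BYPASS_USER, "wrong"))
    print("vulnerable search rows:  ", search_vulnerable(db, UNION_TERM))
    print("safe search rows:        ", search_safe(db, UNION_TERM))
```

Run as a script, the vulnerable login returns True for a wrong password and the vulnerable search returns the admin row alongside the applicants, while both parameterized versions treat the payloads as ordinary strings. The fix is the same one that would have closed the hole on an admin page such as the one reported above: never concatenate request parameters into SQL, whatever the framework.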

Attribution:

  • ZALCYBER has been a member of BreachForums since February 4, 2024.
  • Limited online activity: the account has spent only 1 hour and 39 minutes online.
  • Participation in six threads and posts on BreachForums.
  • No reputation points or awards earned within the community.
  • Administrative role: ZALCYBER is affiliated, in an administrative capacity, with a hacktivist group of a similar name.
  • ZALCYBER's history of similar SQL injection and DDoS attacks shows a pattern of behaviour consistent with the current compromise of Rural Business Incubator (RBI) data.

Misinformation Clarification

The incident has been compounded by misinformation: the compromised data was initially represented as coming from the Reserve Bank of India (RBI). The leaked data actually originated from the Indian Rural Business Incubator (RBI), not the Reserve Bank of India. The episode underscores the need for accurate representation of cybersecurity incidents and for precise communication that prevents the spread of false information and avoidable reputational damage. Correcting the record gives stakeholders and the public an accurate understanding of the nature and scope of the breach, which matters most where critical infrastructure and industries are concerned.

Appendix

Data leaked by threat actor

Author

CloudSEK Threat Intelligence

CloudSEK's Threat Intelligence team, a group of cybersecurity experts led by Koushik Sivaraman, primarily focuses on the research and analysis of threat intelligence related to threat actors, malware, vulnerability/ exploitation, data breach incidents, etc.

