- Threat actor with the name of Tanaka shared a post titled “bitsphere.in” on an english speaking hacking forum.
- Ayush.jharkhand.gov.in is the state website for the ministry of AYUSH for Jharkhand and gives information about Ayurveda, Yoga and Naturopathy, Unani, Siddha, and Homoeopathy type of medications.
- The database is 7.3 MB big and contains more than 3 lakh 20 thousand patient records containing their PII information and medical diagnosis.
- Moreover doctor’s PII, login information along with the username, passwords and phone numbers are also mentioned in the database.
- On investigation of the data, it was revealed that this data has been taken from the servers of ayush.jharkhand.gov.in which are developed by bitsphere.in.
- This data was attributed to ayush jharkhand’s website by correlating chatbot data and blogpost data shared by the threat actor with the publicly available data on the website.
Analysis and Attribution
Information from the Post
- On 14 August, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor Tanaka sharing a database marked as bitsphere[.]in on an english speaking hacking forum.
- Analysis of the database reveals that the following information has been leaked:
- More than 3 lakh 20 thousand patient records containing their PII information and medical diagnosis.
- 500 login credentials with multiple cleartext passwords as well.
- Contact information of 737 people who used the contact us form
- 472 records containing PII information of doctors
- Database also has the PII information of 91 Doctors along with the information about where they are posted.
Correlation between the data shared by the threat actor and the data present on ayush.jharkhand.gov.in’s website
Chatbot on the Ayush jharkhand’s website reverts the same data as mentioned in the “chatbot_ayush_reply” table in the leaked database.
Impact & Mitigation
- The leaked data could enable account takeovers.
- Commonly used passwords or weak passwords could lead to brute force attacks.
- It would equip malicious actors with details required to launch sophisticated phishing attacks.
- Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
- Patch vulnerable and exploitable endpoints.
- Do not store unencrypted secrets in .git repositories.
- Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Scan repositories to identify exposed credentials and secrets.
- Monitor cybercrime forums for the latest tactics employed by threat actors.