| Category | Industry | Motivation | Country | Source* |
| --- | --- | --- | --- | --- |
| Adversary Intelligence | Government | Hacktivism | India | D: Not usually reliable; 1: Confirmed by independent sources |
Executive Summary
Threat
- Hacktivist group MT Bangladesh claims to have compromised the Central Board of Higher Education (CBHE), Delhi.
- Sensitive information such as name, Aadhar number, IFSC code, and other PII details of numerous individuals was compromised.
Impact
- The data can be exploited for conducting fraudulent scam campaigns.
- Social engineering and phishing attempts against affected entities or individuals.
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor group named Team Mysterious Bangladesh that claimed to have compromised CBHE Delhi, India. The group mentioned leaking information about students from 2004 to 2022.
- The actor shared a snapshot of the data for a student, as depicted in the images below.
![Snapshot shared by the hacktivist group asserting their claim](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63cbee45781464813f0d6626_word-image-21738-2.png)
Snapshot shared by the hacktivist group asserting their claim
![Snapshot shared by the hacktivist group asserting their claim](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63cbee4578146412ca0d662a_word-image-21738-1.png)
Snapshot shared by the hacktivist group asserting their claim
TTP
- For CBHE Delhi (https://www.cbhedelhi.com/), the admin panel of the site is exposed and can be discovered with a simple Google dork. The panel lets anyone view the results of all students from 2004 to 2022 and even add or delete records.
- The actors therefore gained unauthorized access to the admin panel, enabling them to compromise CBHE Delhi's data.
- Additionally, the hacktivists defaced a directory on the domain with their names.
![Simple Google search revealing admin panels of CBHE Delhi](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63cbee4578146425480d6623_word-image-21738-3.png)
Simple Google search revealing admin panels of CBHE Delhi
![Admin panel exposed for CBHE Delhi (more images in the Appendix section)](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63cbee4678146402620d662e_word-image-21738-4.png)
Admin panel exposed for CBHE Delhi (more images in the Appendix section)
Threat Actor Activity and Rating
Threat Actor Profiling

| Attribute | Details |
| --- | --- |
| Active since | May 2021 |
| Reputation | Intermediate |
| Current Status | Targeting Iran under #OpIran & #FreeIran2022 |
| History | Known for using various scripts for DDoS attacks and exploiting the HTTP flooding attack technique, similar to DragonForce. “./404found.my”, a tool previously used by DragonForce to target Indian government websites, could have been used to conduct the attacks. Additional details and analyses of the tool are provided in the TTP report on the DragonForce group. |
| Rating | D1 (D: Not usually reliable; 1: Confirmed by independent sources) |
Impact & Mitigation
Impact
- The leaked information could be used to gain initial access to the organization’s infrastructure.
- Commonly used or weak passwords could lead to successful brute-force attacks.
- It would equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
Mitigation
- Patch vulnerable and exploitable endpoints.
- Do not store unencrypted secrets in .git repositories.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
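The TTP section describes an admin panel that search engines can index and that serves pages without authentication, and the mitigation list recommends monitoring for anomalous account activity. The following is an added example written for this page, not code from CloudSEK's report or from the CBHE site, showing how a defender can run that kind of check over web-server access logs. It parses constructed lines in combined log format and flags three conditions: a search-engine crawler successfully fetching an admin path (the panel is being indexed), a successful admin request with no authenticated user recorded, and a state-changing admin request accepted without authentication. The admin path prefixes, crawler markers, log format and all sample lines are assumptions made for the example and should be adapted to the application being monitored.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed combined log format:
# host ident authuser [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed admin-panel locations; adapt to the application being monitored.
ADMIN_PREFIXES = ("/admin", "/administrator", "/manage")
# Substrings identifying major search-engine crawlers (matched case-insensitively).
CRAWLER_MARKERS = ("googlebot", "bingbot", "duckduckbot", "yandexbot", "baiduspider")
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass(frozen=True)
class Finding:
    kind: str    # which rule fired
    host: str    # client address
    path: str    # requested admin path
    detail: str  # human-readable explanation


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_admin_path(path: str) -> bool:
    """True if the request targets an admin-panel location (query string ignored)."""
    p = path.split("?", 1)[0].lower()
    return any(p == pre or p.startswith(pre + "/") for pre in ADMIN_PREFIXES)


def analyse(lines):
    """Apply the three exposure rules to every request that targets an admin path."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]):
            continue
        status = int(rec["status"])
        agent = rec["agent"].lower()
        unauthenticated = rec["user"] == "-"  # server recorded no authenticated user
        if status == 200 and any(marker in agent for marker in CRAWLER_MARKERS):
            findings.append(Finding("indexed_admin", rec["host"], rec["path"],
                                    "search-engine crawler fetched an admin page; the panel is discoverable by search"))
        if status == 200 and unauthenticated:
            findings.append(Finding("unauth_admin_200", rec["host"], rec["path"],
                                    "admin page served without an authenticated user"))
        if unauthenticated and rec["method"] in MUTATING_METHODS and status in (200, 302):
            findings.append(Finding("unauth_admin_write", rec["host"], rec["path"],
                                    "state-changing admin request accepted without authentication"))
    return findings


def summarise(findings) -> dict:
    """Count findings per rule, e.g. {'unauth_admin_200': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample log lines (not real CBHE traffic); addresses come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2023:10:01:02 +0530] "GET /results.php?roll=1001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.99 - - [12/Jan/2023:10:02:15 +0530] "GET /admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.23 - - [12/Jan/2023:10:05:40 +0530] "GET /admin/students.php HTTP/1.1" 200 30200 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jan/2023:10:06:01 +0530] "POST /admin/records.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - staff [12/Jan/2023:10:10:00 +0530] "GET /admin/students.php HTTP/1.1" 200 30200 "-" "Mozilla/5.0"',
    '198.51.100.50 - - [12/Jan/2023:10:11:00 +0530] "GET /admin/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.kind:20} {f.host:15} {f.path:25} {f.detail}")
    print(summarise(analyse(SAMPLE_LOG)))
```

On the constructed sample the authenticated `staff` request and the `401` response produce nothing, while the crawler hit, the two unauthenticated `200` responses on admin pages and the unauthenticated `POST` each produce a finding. Any `indexed_admin` finding means the panel should be placed behind authentication and removed from search indexes; `unauth_admin_200` and `unauth_admin_write` findings indicate the panel is serving content or accepting changes without a login and warrant immediate review of the access-control configuration.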
Appendix
![Snapshot of the message shared by the group](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63cbee45781464e6670d6625_word-image-21738-5.jpeg)
Snapshot of the message shared by the group
![Snapshot of the site defaced by the actors](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63cbee4578146400cc0d6622_word-image-21738-6.png)
Snapshot of the site defaced by the actors
![Screenshot of the site for students to see their results](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63cbee45781464f1820d6629_word-image-21738-7.png)
Screenshot of the site for students to see their results
![Admin panel of the site revealing data](https://cdn.prod.website-files.com/635e632477408d12d1811a64/63cbee45781464ce170d6624_word-image-21738-8.png)
Admin panel of the site revealing data