Indian Central Board of Higher Education Compromised by Team Mysterious Bangladesh

December 5, 2022

Category:

Adversary Intelligence

Industry:

Government

Motivation:

Hacktivism

Country:

India

Source*:

D: Not usually reliable

1: Confirmed by independent Sources

Executive Summary

THREAT IMPACT
  • Hacktivist group MT Bangladesh claims to have compromised the Central Board of Higher Education (CBHE), Delhi.
  • Sensitive information such as names, Aadhar numbers, IFSC codes, and other PII of numerous individuals was compromised.
  • The data can be exploited to conduct fraudulent scam campaigns.
  • Social engineering and phishing attempts against affected entities or individuals.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor group named Team Mysterious Bangladesh that claimed to have compromised the CBHE, Delhi, India. The group mentioned leaking information about students from 2004 to 2022.
  • The actor shared snapshots of the data for a student, as depicted in the images below.
Snapshot shared by the hacktivist group asserting their claim

TTP

  • For CBHE Delhi (https://www.cbhedelhi.com/), the admin panel of the site is exposed and can be discovered with a mere Google dork. The panel enables any individual to view the results of all students from 2004 to 2022 and even to delete or add records.
  • The actors thus gained unauthorized access to the admin panel, enabling them to compromise the data of CBHE Delhi, India.
  • Additionally, a directory of the domain was compromised by the hacktivists, who defaced it with their names.
Mere Google search revealing admin panels of CBHE Delhi

Admin panel exposed for CBHE Delhi (more images in the Appendix section)

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: May 2021
Reputation: Intermediate
Current status: Targeting Iran under #OpIran & #FreeIran2022
History:
  • Known for using various scripts for DDoS attacks and for the HTTP flooding attack technique, similar to DragonForce.
  • “./404found.my”, a tool previously used by DragonForce to target Indian government websites, could have been used to conduct the attacks.
  • Additional details and analysis of the tool are provided in the TTP report on the DragonForce group.
Rating: D1 (D: Not usually reliable; 1: Confirmed by independent sources)

Impact & Mitigation

Impact
  • The leaked information could be used to gain initial access to the company’s infrastructure.
  • Commonly used or weak passwords could enable brute-force attacks.
  • It would equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.

Mitigation
  • Patch vulnerable and exploitable endpoints.
  • Do not store unencrypted secrets in .git repositories.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.
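As an added example that is not part of CloudSEK’s report or tooling, the following Python script shows one way a site owner could detect the exposure described in the TTP section and the account anomalies the mitigation list asks defenders to monitor. It parses web-server access-log lines and flags admin-panel pages served to requests with no session, search-engine crawlers successfully fetching the panel (the precondition for it turning up in a Google dork), record additions or deletions, and bulk enumeration of records from a single address. The /admin path, the trailing session= log field, the thresholds and every log line are assumptions constructed for the example.

```python
"""Flag unauthenticated or anomalous access to a web app's admin panel.

Added example; not CloudSEK's or CBHE's code.  The log format (combined log
plus a trailing "session=<id|->" field written by a custom log_format), the
/admin prefix and all sample lines are assumptions made for the demonstration.
"""
import re
from collections import Counter
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" session=(?P<session>\S+)$'
)

ADMIN_PREFIX = "/admin"                     # assumed location of the admin panel
WRITE_METHODS = {"POST", "PUT", "DELETE"}   # methods that add or delete records
CRAWLER_MARKERS = ("googlebot", "bingbot")  # a 200 to these means the panel gets indexed
BULK_THRESHOLD = 5                          # admin page fetches per IP treated as enumeration


@dataclass
class Finding:
    kind: str
    ip: str
    detail: str


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Run the four detections over an iterable of log lines."""
    findings = []
    admin_gets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIX):
            continue
        served = rec["status"].startswith("2")   # a 3xx to the login page is harmless
        no_session = rec["session"] == "-"
        where = f'{rec["method"]} {rec["path"]} -> {rec["status"]}'
        if served and no_session:
            # Panel content delivered without any login: the exposure in this report.
            findings.append(Finding("unauthenticated_admin_access", rec["ip"], where))
        if served and any(mark in rec["ua"].lower() for mark in CRAWLER_MARKERS):
            # A crawler got a 200: the panel will appear in search results.
            findings.append(Finding("admin_panel_crawled", rec["ip"], where))
        if served and rec["method"] in WRITE_METHODS:
            findings.append(Finding("admin_record_modification", rec["ip"], where))
        if served and rec["method"] == "GET":
            admin_gets[rec["ip"]] += 1
    for ip, n in admin_gets.items():
        if n >= BULK_THRESHOLD:
            findings.append(Finding("bulk_record_enumeration", ip, f"{n} admin page fetches"))
    return findings


def summarize(lines):
    """Count findings by kind; handy for a dashboard or an alert threshold."""
    return Counter(f.kind for f in analyze(lines))


def _line(ip, method, path, status, ua, session):
    # Builds one constructed log line in the assumed format.
    return (f'{ip} - - [05/Dec/2022:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}" session={session}')


BROWSER = "Mozilla/5.0"
SAMPLE_LOG = [  # constructed sample traffic, not real CBHE logs
    # logged-in administrator: no finding
    _line("198.51.100.4", "GET", "/admin/dashboard.php", 200, BROWSER, "a1b2c3"),
    # anonymous visitor redirected to login: no finding
    _line("198.51.100.9", "GET", "/admin/", 302, BROWSER, "-"),
    # search-engine crawler served the panel: it will be indexed
    _line("66.249.0.1", "GET", "/admin/index.php", 200,
          "Mozilla/5.0 (compatible; Googlebot/2.1)", "-"),
    # no-session client walks result records year by year, then deletes one
    *[_line("203.0.113.7", "GET", f"/admin/results.php?year={y}", 200, BROWSER, "-")
      for y in range(2004, 2009)],
    _line("203.0.113.7", "DELETE", "/admin/record/1234", 200, BROWSER, "-"),
    # ordinary public page: ignored
    _line("203.0.113.8", "GET", "/results.php?roll=42", 200, BROWSER, "-"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:30} {f.ip:15} {f.detail}")
```

Any `unauthenticated_admin_access` or `admin_panel_crawled` finding is a configuration defect to fix at the server (require authentication on the whole `/admin` prefix and return 403 or a redirect, not content), while `admin_record_modification` and `bulk_record_enumeration` are the account-anomaly signals the mitigation list refers to and belong in alerting.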

Appendix

Snapshot of the message shared by the group

Snapshot of the site defaced by the actors

Screenshot of the site for students to see their results

Admin panel of the site revealing data
