Category: Adversary Intelligence
Industry: Government
Motivation: Hacktivism
Country: India
Source*: D: Not usually reliable; 1: Confirmed by independent sources
Executive Summary
Threat:
- Hacktivist group MT Bangladesh claims to have compromised the Central Board of Higher Education (CBHE), Delhi.
- Sensitive information such as names, Aadhaar numbers, IFSC codes, and other PII of numerous individuals was compromised.
Impact:
- The data can be exploited to conduct fraudulent scam campaigns.
- Social engineering and phishing attempts against the affected entities or individuals.
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor group named Team Mysterious Bangladesh that claimed to have compromised CBHE Delhi, India. The group said it was leaking information on students from 2004 to 2022.
- The actor shared a snapshot of one student's data, shown in the images below.
[Figure: Snapshot shared by the hacktivist group asserting their claim]
[Figure: Snapshot shared by the hacktivist group asserting their claim]
TTP
- For CBHE Delhi (https://www.cbhedelhi.com/), the admin panel of the site is exposed and can be found with a simple Google search query (a Google dork). The panel lets any individual view the results of all students from 2004 to 2022 and even delete or add records.
- The actors therefore gained unauthorized access to the admin panel, enabling them to compromise CBHE Delhi's data.
- Additionally, the hacktivists defaced a directory on the domain with their names.
[Figure: A simple Google search revealing the admin panels of CBHE Delhi]
[Figure: Admin panel exposed for CBHE Delhi (more images in the Appendix)]
Threat Actor Activity and Rating
Threat Actor Profiling
Active since: May 2021
Reputation: Intermediate
Current status: Targeting Iran under #OpIran & #FreeIran2022
History:
- Known for using various scripts for DDoS attacks and for the HTTP flooding technique, similar to DragonForce.
- “./404found.my”, a tool previously used by DragonForce to target Indian government websites, could have been used to conduct the attacks.
- Additional details and analysis of the tool are provided in the TTP report on the DragonForce group.
Rating: D1 (D: Not usually reliable; 1: Confirmed by independent sources)
Impact & Mitigation
Impact:
- The leaked information could be used to gain initial access to the organization's infrastructure.
- Commonly used or weak passwords could be compromised through brute-force attacks.
- It would equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
Mitigation:
- Patch vulnerable and exploitable endpoints.
- Do not store unencrypted secrets in .git repositories.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
Appendix
[Figure: Snapshot of the message shared by the group]
[Figure: Snapshot of the site defaced by the actors]
[Figure: Screenshot of the site where students view their results]
[Figure: Admin panel of the site revealing data]