Indian Rail Coach Factory PII and Credentials Shared From Past Data Breaches

CloudSEK team identified a post on a cybercrime forum where a threat actor posted the database of Rail Coach Factory, Kapurthala, India for free.
Updated on
April 19, 2023
Published on
June 22, 2022
Read time: 5 minutes
Category: Adversary Intelligence
Industry: Government
Motivation: Hacktivism
Region: India
Source*: B2

Executive Summary

Threat
  • Credentials and PII of users of Rail Coach Factory, Kapurthala, India were shared.
  • The data shared, though dated between 2008-2010, could still put users at risk.
Impact
  • Unencrypted sensitive data of the Rail Coach Factory is available for free.
  • The sensitive information poses a large-scale risk, leading to exposure of critical government infrastructure.
  • Details of personnel in every department could be misused for corruption in Tender Applications or similar operations.
Mitigation
  • Monitor user accounts for suspicious transactions.
  • Encrypt the data and credentials present in the databases and server.
  • Ensure user awareness about this data leak.
CloudSEK’s contextual AI digital risk platform XVigil has identified a post on a cybercrime forum where a threat actor has posted the database of Rail Coach Factory, Kapurthala, India for free.  

Analysis and Attribution

Information from the Post

  • On 14 June 2022, a threat actor published a post on a cybercrime forum sharing the old database of the Rail Coach Factory, Kapurthala, India for free.
  • The actor claims that the compromised database includes users’ PII along with plain text passwords and other database names, and that it has been made available to all.
[Figure: Threat actor’s post on the cybercrime forum]
  • The actor shared the following information and databases:
PII Shared
  • User ID
  • User Type
  • Email Address
  • Password
  • User Name
  • Mobile Number
Databases Shared
  • Civil.mdb
  • Contacts.mdb
  • Critical_Item.mdb
  • deptcd.mdb
  • log.mdb
  • news.mdb
  • nonmovItems.mdb
  • Noticedb.mdb
  • pbranch.mdb
  • Rcftenders.mdb
  • sales.mdb
  • sms.mdb
  • Tenderform.mdb
  • TendFinal.mdb
  • users.mdb

The Threat Actor

  • Previous posts of the threat actor indicate that they have been actively engaging with the members on the forum by posting accesses and databases. Some of them are sold at a cost, while others are shared for free.
  • The threat actor is a hacktivist group, involved in gray hat hacking, and has thousands of followers and collaborators across the globe.
  • The group is a coalition of more than 3 organized groups that operate from Europe and America, and they had previously targeted a few Indian entities too.

Source Rating

  • The actor, who joined the new cybercrime forum in March 2022, has a high reputation on the forum and a decent number of members on their Telegram channel.
Hence:
  • The reliability of the actor can be rated as Usually reliable (B).
  • The credibility of the advertisement can be rated as Probably true (2).
  • This gives an overall source credibility rating of B2.

Impact & Mitigation

Impact
  • This data leak is a massive risk, leading to the exposure of critical government infrastructure.
  • Unencrypted sensitive data of the Rail Coach Factory is available on cybercrime forums for free, which can be used for malicious purposes.
  • PII (Personally Identifiable Information) of the employees belonging to Rail Coach Factory can be used to conduct:
    • Social engineering attacks
    • Phishing attacks
    • Identity theft
Mitigation
  • Monitor user accounts for suspicious transactions, which could indicate possible account takeovers.
  • Encrypt the data and credentials present in the databases and server. Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
  • Ensure user awareness about such data leaks.
  • Patch vulnerable and exploitable endpoints.
  • Monitor cybercrime forums in real time for data breaches.
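The two mitigations a defender can act on immediately after a leak like this are replacing plaintext password storage with salted hashes and cross-referencing the leaked records against the current user directory so the affected accounts can be reset and the users notified. The following Python script is an added example, not CloudSEK's or Rail Coach Factory's own code: the leaked-style records and the current user list are constructed sample data, the column names are assumed from the PII fields listed above, and PBKDF2-HMAC-SHA256 with an assumed iteration count stands in for whatever password-hashing scheme the real system would adopt.

```python
import csv
import hashlib
import hmac
import io
import os
from typing import Optional

# Constructed sample of a users table with plaintext passwords, shaped like the
# PII fields listed in the advisory. These are made-up records, not leaked data.
LEAKED_USERS_CSV = """user_id,user_type,email,password,user_name,mobile
101,admin,alice@example.invalid,Summer2009,alice,9000000001
102,staff,bob@example.invalid,password1,bob,9000000002
103,vendor,carol@example.invalid,tender@123,carol,9000000003
"""

# Constructed current user directory of the (hypothetical) system being defended.
CURRENT_USERS = [
    {"user_id": 101, "email": "alice@example.invalid"},
    {"user_id": 205, "email": "dave@example.invalid"},
    {"user_id": 103, "email": "Carol@Example.invalid"},
]

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to the deployment's hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record: algo$iterations$salt_hex$hash_hex.

    A table storing this instead of the plaintext gives an attacker nothing that
    is directly reusable if the table is dumped again.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a candidate password against a stored record in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def parse_leak(csv_text: str) -> list:
    """Parse the leaked-style CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def migrate_plaintext_table(rows: list) -> list:
    """Replace the plaintext password column with salted hashes.

    This is the 'encrypt the credentials present in the databases' mitigation
    applied to the stored secrets; the plaintext is dropped from the result.
    """
    migrated = []
    for row in rows:
        new_row = dict(row)
        new_row["password"] = hash_password(row["password"])
        migrated.append(new_row)
    return migrated


def exposed_current_accounts(leak_rows: list, current_users: list) -> list:
    """Return user_ids of current accounts whose email appears in the leak.

    These accounts need a forced password reset and a user notification, which
    covers the 'monitor user accounts' and 'ensure user awareness' mitigations.
    Emails are normalised so case differences do not hide a match.
    """
    leaked_emails = {row["email"].strip().lower() for row in leak_rows}
    return sorted(
        user["user_id"]
        for user in current_users
        if user["email"].strip().lower() in leaked_emails
    )


if __name__ == "__main__":
    leak = parse_leak(LEAKED_USERS_CSV)
    print("accounts to reset and notify:", exposed_current_accounts(leak, CURRENT_USERS))
    for row in migrate_plaintext_table(leak):
        print(row["email"], "->", row["password"][:40] + "...")
```

The cross-reference deliberately matches on email rather than user_id, since identifiers in a decade-old dump rarely line up with a current directory, and the verification path rejects any record whose scheme it does not recognise rather than falling back to a weaker comparison.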

Appendix

[Figure: A sample of the database posted by the threat actor]
[Figure: The leaked files]
