Vulnerable Endpoint of Indian Government Parivahan Website Exposed Source Code & 10K User Sensitive Records Including Government Officials’ IDs
On August 2, 2023, CloudSEK's XVigil AI platform found a threat actor sharing the source code of iRAD's road safety database, a Government of India initiative, on a cybercrime forum.
Updated on August 12, 2023
Published on August 12, 2023
Source code of Indian government website shared for free.
In a follow-up post, the threat actor (TA) shared for free 10K records which, according to the post, were obtained from a vulnerable API endpoint via SQL injection.
IMPACT
The sample dataset could enable full account takeover.
The source code could help attackers understand the website logic and craft targeted attacks.
It would equip malicious actors with the details required to exfiltrate data and maintain persistence.
MITIGATION
Patch vulnerable and exploitable endpoints.
Monitor cybercrime forums for the latest tactics employed by threat actors.
Analysis and Attribution
Information from the Post
On 02 August 2023, CloudSEK's contextual AI digital risk platform XVigil discovered a threat actor (TA) sharing, on an underground cybercrime forum, the source code of iRAD (Integrated Road Accident Database, https://irad.parivahan.gov.in/), an initiative of the Ministry of Road Transport and Highways (MoRTH), Government of India, funded by the World Bank with the objective of improving road safety in the country.
Source Code Analysis
Our source was able to obtain the source code, totaling 165 MB in size. Most of the code is written in PHP.
We found several sensitive assets embedded in the code: hostnames, database names, and passwords. The usernames and passwords used in the source code were quite simple and would be prone to brute-force attacks by anyone with local access to the server.
Simple passwords to the servers
We observed that the source code includes references to sms.gov.in, a NIC SMS Gateway that enables government departments to integrate and send citizen-centric SMS to Indian nationals. Additionally, the URL embedded in the source code includes fields for username and password, which, if misused, might inadvertently grant unauthorized individuals the ability to send messages to recipients.
NIC SMS service with embedded username and password
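As an added illustration (not part of CloudSEK's report or the iRAD code), the following Python scanner flags the two patterns described above: secret-looking variable assignments in PHP source and URL literals that carry credentials in their userinfo or query parameters. The sample input, hostnames and values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape the report describes (plaintext DB
# credentials and a gateway URL carrying username/password parameters).
# It is not the real iRAD code; hostnames and values are invented.
SAMPLE_PHP = r"""<?php
$db_host = "db01.internal.example";
$db_name = "irad_demo";
$db_user = "admin";
$db_pass = "admin123";
$sms_url = "https://sms.example.gov.in/api?username=gwuser&password=gwpass&msg=";
$backup  = "ftp://deploy:s3cret@files.example/dump/";
$page_title = "Dashboard";
"""

# PHP variables whose name suggests a secret, assigned a string literal.
SECRET_ASSIGN = re.compile(
    r'\$(\w*(?:pass|pwd|secret|token|key)\w*)\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
URL_LITERAL = re.compile(r'["\'](\w+://[^"\']+)["\']')
CRED_PARAMS = {"username", "user", "password", "pass", "pwd", "token"}


def find_hardcoded_secrets(source: str) -> list:
    """Return (line_no, kind, detail) tuples for secret-looking assignments
    and for URL literals that carry credentials in userinfo or query."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        for m in SECRET_ASSIGN.finditer(line):
            findings.append((n, "assignment", m.group(1)))
        for m in URL_LITERAL.finditer(line):
            parts = urlsplit(m.group(1))
            if parts.username or parts.password:
                findings.append((n, "url_userinfo", parts.hostname))
            if set(parse_qs(parts.query)) & CRED_PARAMS:
                findings.append((n, "url_query", parts.hostname))
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_PHP):
        print("line %d: %s (%s)" % finding)
```

Run it over a checkout before release; any hit is a credential to move into environment variables or a secrets store and rotate.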
Follow-up Post by Threat Actor
On 07 August 2023, the same threat actor made another post sharing a sample dataset of 10K users of the website. The post also mentions that SQL injection was used to obtain the data from the vulnerable API endpoint, which, at the time of writing this report, is still accessible.
Advertisement for 10K citizen data with sensitive data
Sample dataset
Data Analysis
As claimed in the advertisement, the sample dataset contains a list of 10,000 user records with sensitive user information.