Hacking group Sakura Samurai has reported that it breached Indian government databases and gained access to sensitive data and police assets. The group claims it was able to access sensitive police records containing personally identifiable information of individuals named in those records, including victims.
The group has also shared an image that appears to be an FIR generated by the Crime and Criminal Tracking Network and Systems (CCTNS). The group further says it was able to access sample forensic reports and forensics tooling.
The group also claims to have identified a Remote Code Execution (RCE) vulnerability affecting outdated software on one of the government servers. The RCE gave complete access to sensitive files on the server, including the ability to exfiltrate full backups of financial records. The same vulnerability, chained with other vulnerabilities, allowed the group to hijack any user’s session on the web application.
The following is a complete roundup of the group’s assessment:
- 35 separate instances of exposed credential pairs (servers, important applications, etc.)
- 3 instances of sensitive file disclosure
- 5 exposed private keys for servers
- 13,000+ PII records (and those are only the records the group was inadvertently exposed to)
- Dozens of exposed sensitive police reports
- Session hijacking chained via multiple vulnerabilities, resulting in the compromise of extremely sensitive government systems
- Remote Code Execution on a sensitive financial server that contained large backups of financial records
The group’s assessment produced a 34-page report detailing the vulnerabilities, and the group coordinated with the U.S. Department of Defense’s Vulnerability Disclosure Program (DoD VDE) to get in touch with India’s National Critical Information Infrastructure Protection Centre (NCIIPC). The DoD VDE tagged the NCIIPC in a Twitter conversation and established contact.
While the US DoD VDE commended the group for its research, the NCIIPC responded only 5 days after the group’s initial contact, with a brief acknowledgement and a ‘thank you’ note for the research. After this, the group contacted the agency on three occasions asking for clarification on patching and on disclosure of the breach to the public.
According to the group, the NCIIPC woke up a week later and stated that it would follow up shortly. On 19 February 2021, Sakura Samurai reviewed the vulnerabilities again and found that only one-eighth of them had been resolved in the two weeks since it first established contact with the NCIIPC.
As is so often the case, Indian agencies have policies in place but do not appear to implement them proactively. The NCIIPC has a ‘Responsible Vulnerability Disclosure Program’, but its response in this case is not very encouraging. The NCIIPC is yet to fix the vulnerabilities, or to disclose them or their patching status publicly, despite the fact that the Sakura Samurai group has gone public with its findings.
It is about time the government started acting responsibly and owning up to data breaches. If it does not lead by example, it cannot expect corporates to follow suit.
You can read the group’s blog here.