Home Internet Security Researchers hacked Indian govt sites via exposed git and env files

Researchers hacked Indian govt sites via exposed git and env files


india flag

Researchers have now disclosed extra info on how they had been capable of breach a number of web sites of the Indian authorities.

Final month, researchers from the Sakura Samurai hacking group had partially disclosed that they’d breached cyber techniques of Indian authorities after discovering a lot of crucial vulnerabilities.

The complete findings disclosed right this moment make clear the routes leveraged by the researchers, together with discovering uncovered .git directories and .env information on a few of these techniques.

Researchers uncover uncovered .git and .env information

Final month, moral hackers Jackson HenryRobert WillisAubrey CottleJohn Jackson, and Zultan Holder collaborated on discovering vulnerabilities lurking in Indian authorities techniques.

The reconnaissance efforts, in line with the researchers, had been in step with the federal government’s NCIIPC Responsible Vulnerability Disclosure Program (RVDP).

Because of this crew train, the researchers discovered some critical flaws together with 35 circumstances of uncovered credential pairs for crucial purposes, a number of delicate information uncovered, over 13,000 PII information uncovered, dozens of police reviews, and session hijacking and distant code execution (RCE) vulnerabilities on delicate authorities techniques processing monetary info.

However, all of this info got here to mild when the researchers found uncovered .git folders and .env information on a number of Indian authorities subdomains.

First, Henry and Holder used moral hacking instruments to determine the subdomains to focus on.

Additional, they recognized the uncovered .git and .env information on these servers that had credentials to a number of purposes, databases, and servers.

exposed .env files
One of many uncovered .env information seen by the researchers had database credentials

The .env file is commonly utilized by software program purposes and accommodates configuration info together with usernames, passwords for utility servers and databases, reminiscent of MySQL, SMTP, PHPMailer, and WordPress.

Likewise, the .git listing accommodates details about a software program undertaking codebase.

Researchers used a device referred to as git-dumper to acquire the contents of the publicly-accessible .git listing, and will due to this fact receive information with usernames and passwords. 

Additional, Willis found a /information/ folder on a regional police division’s web site with heaps of PDFs in it.

These PDFs had been police reviews with delicate info with some even containing forensic information.

exposed police report
Publicly accessible police reviews and forensic information PDFs 

Many Indian authorities departments breached

After persisting with their reconnaissance efforts, the researchers continued to find extra even publicly accessible information on authorities websites, reminiscent of SQL dumps and databases that ought to have remained inaccessible over the net.

Only one instance beneath exhibits the character of personally identifiable info (PII) that may very well be obtained by the researchers.

The desk proven beneath accommodates fields like an worker’s full identify, date of delivery, contact info, workplace division, and Aadhar (nationwide identification card) quantity.

pii exposed
The PII fields (columns) inside a SQL desk accessed by the researchers

By corroborating the knowledge collected and chaining vulnerabilities collectively, researchers may execute session hijacking assaults, and in some circumstances distant code execution (RCE) in opposition to mission-critical authorities techniques.

The checklist of presidency departments that the attackers discovered a number of safety flaws in consists of: 

Authorities of Bihar
Authorities of Tamil Nadu
Authorities of Kerala
Telangana State
Maharashtra Housing and Growth Authority
Jharkhand Police Division
Punjab Agro Industries Company Restricted
Authorities of India, Ministry of Ladies and Baby Growth
Authorities of West Bengal, West Bengal SC ST & OBC Growth and Finance Corp.
Authorities of Delhi, Division of Energy GNCTD
Authorities of India, Ministry of New and Renewable Vitality
Authorities of India, Division of Administrative Reforms & Public Grievances
Authorities of Kerala, Workplace of the Commissioner for Entrance Examinations
Authorities of Kerala, Stationery Division
Authorities of Kerala, Chemical Laboratory Administration System
Authorities of Punjab, Nationwide Well being Mission
Authorities of Odisha, Workplace of the State Commissioner for Individuals with Disabilities
Authorities of Mizoram, State Portal
Embassy of India, Bangkok, Thailand
Embassy of India, Tehran
Consulate Common of India
Authorities of Kerala, Service and Payroll Administrative Repository
Authorities of West Bengal, Directorate of Pension, Provident Fund & Group Insurance coverage
Authorities of India, Competitors Fee of India
Authorities of Chennai, The Larger Chennai Company
Authorities of Goa, Captain of Ports Division
Authorities of Maharashtra

After the researchers reported the failings through a number of middleman authorities our bodies, reminiscent of India’s Nationwide Cyber Safety Coordinator (NCSC) and CERT-IN, the failings had been ultimately remediated.

On February 21, 2021, a Nationwide Cyber Safety Coordinator (NCSC) official, Lt. Gen. Rajesh Pant had told Hindustan Instances:

“Remedial actions have been taken by NCIIPC (Nationwide Important Data Infrastructure Safety Centre) and Cert-IN (Indian Laptop Emergency Response Staff)… NCIIPC handles solely the Important Data Infrastructure points. On this case, the stability pertained to different states and departments that had been instantly knowledgeable by Cert-IN. It’s doubtless that some motion could also be pending by customers at state ranges which we’re checking.”

To stop menace actors from exploiting these vulnerabilities, the researchers had not launched the whole writeup on how precisely they’d exploited the federal government techniques, till right this moment.

“After working with the NSCS, now we have been given the green-light to reveal extra particular particulars and all 34-pages of our reported vulnerabilities have been adequately remediated,” stated researchers of their detailed report released today.

This isn’t the primary time internet servers have uncovered information that ought to stay forbidden from the general public eye.

Beforehand, Sakura Samurai group had breached the United Nations on discovering uncovered Git credential information on a number of UN-owned domains.

The researchers may use these credentials to entry over 100K UNEP employee records.

Final month, BleepingComputer had additionally reported on an Azure bucket leaking a whole bunch of passports and identity documents of distinguished journalists and volleyball gamers from all over the world.

When deploying internet providers, organizations ought to be certain that correct file permissions are configured and confirm if delicate belongings can be accessed publicly.

Source link