Published on February 23rd, 2021
Indian Critical Infrastructure Protection Center Vulnerable
Hacking Group: Flaws That Could Lead to Breach Remain Unpatched
Akshaya Asokan (asokan_akshaya) • February 23, 2021
India’s National Critical Information Infrastructure Protection Center remains vulnerable. (Image: ISMG)
Multiple critical, unpatched vulnerabilities that could enable hackers to access sensitive data have been found in India’s National Critical Information Infrastructure Protection Center, says the Japanese ethical hacking group Sakura Samurai.
The findings were issued in a report highly critical of India’s NCIIPC that found the agency was not meeting its obligations to protect the private data of its employees and citizens.
“While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represent the complete opposite of a responsible program. A failure to release notification of the breach to affected citizens and to patch highly-critical vulnerabilities in a timely manner reflects poorly on the state of their Information Security posture,” the report states.
Sakura Samurai says its findings, which were identified as part of NCIIPC’s vulnerability disclosure program, include 35 exposed credentials in the agency’s servers and applications, instances of file disclosure, exposed private keys and more than 13,000 personally identifiable records.
NCIIPC is India’s federal agency responsible for safeguarding the country’s critical infrastructure.
The Disclosure Program
When the group chained these vulnerabilities, it was able to compromise extremely sensitive government systems and perform remote code execution on a sensitive financial server that contained large backups of financial records.
Although the NCIIPC was alerted about the vulnerabilities on Feb. 8, John Jackson, the lead hacker at Sakura Samurai, notes that by Feb. 22, the agency had patched only one-eighth of the total vulnerabilities. Jackson says that if the agency fails to patch the vulnerabilities, there could be a massive data breach.
The NCIIPC did not respond to a request for comment.
“The vulnerabilities spanned multiple state assets, not just on the NCIIPC domains,” Jackson tells Information Security Media Group. “The NCIIPC needs to reevaluate its vulnerability resolution processes, including but not limited to: establishing a defined scope; hiring more personnel with cloud security, application security, network security and software engineering and infrastructure configuration backgrounds; etc.”
Other members of the group that helped identify the vulnerabilities include Jackson Henry, Robert Willis and Aubrey Cottle. In January, the group identified a vulnerability in a GitHub repository belonging to the United Nations Environment Program that exposed more than 100,000 employee records (see: Vulnerable Database Exposed UN Employees’ Data).
The Sakura Samurai report also identified a vulnerability in NCIIPC’s database that enabled access to sensitive police records such as forensic reports. Additionally, researchers say they accessed personally identifiable information about the victims.
In another case, the researchers found a vulnerability that resulted in the exposure of more than 14,000 records. The exposed data included full names, contact information, employees’ departments and dates of birth. The hacking group was also able to hijack any user’s session on the NCIIPC’s application after chaining together these vulnerabilities and performing remote code execution.
“The application contained troves of sensitive government data and could have given a threat actor the ability to perform highly-critical, admin-based government actions,” the report notes.
Targeting Federal Agencies
In recent months, Indian federal agencies have been a target of interest for hackers tied to nation-state groups.
In September 2020, security firm Seqrite Cyber Intelligence Lab uncovered a suspected Pakistani campaign that targeted India’s defense forces, including individual soldiers, with phishing emails and malware designed to steal data (see: Hackers Target India’s Military).
In July, the security firm Malwarebytes found a Chinese APT campaign hitting victims in India amid ongoing border tensions between the two countries (see: China-Backed APT Group Reportedly Targets India, Hong Kong).