Two weeks on, and after repeated follow ups, the country’s nodal agency is yet to give any update on remedial actions taken and breach notification processes followed.
(Subscribe to our Today’s Cache newsletter for a quick snapshot of top 5 tech stories. Click here to subscribe for free.)
A server containing large backups of financial records, dozens of police reports exposing victims’ data, extremely sensitive government systems, and other utmost critical information holding databases have been breached by a team of ethical hackers going by the name Sakura Samurai.
The team performed analysis on their initial findings to further spot other possible areas of weakness that led them to over 13,000 exposed Personally Identifiable Information (PII) of government employees and citizens. One of the security researchers, Robert Willis, discovered an application that can allow hackers to view the country’s Police department’s forensic reports and tooling, including other sensitive police records.
“These exposed records along with other various SQL server dumps and Rob’s [Robert] Police Record Exposure is enough to constitute a data breach without even logging into any of the servers,” noted John Jackson, lead researcher of the Sakura Samurai team.
They reported their findings to the US Department of Defense Cyber Crime Center (DC3), which initiated contact with the India’s National Critical Infrastructure Information Protection Centre (NCIIPC). Following this, the security team shared its 34-page threat report to NCIIPC on February 8.
Two weeks on, and after repeated follow ups, the country’s nodal agency is yet to give any update on remedial actions taken and breach notification processes followed despite running a responsible vulnerability disclosure programme (RVDP).
The delay in patching the weakness could deepen the risk as a lot of citizen’s data isn’t being secured properly.
“Their [citizens] information can be stolen and used on their behalf, resulting in the loss of their accounts, private information sold on the darknet, or used in further campaigns for social engineering attacks which may result in the loss of money, or other assets,” Jackson told The Hindu.
“The state [India] should be highly concerned because threat actors could be actively exfiltrating data or spying on secret government projects/operations.”
The weaknesses in the cyber defense system exposed by Sakura Samurai “needs to be patched in a month, far less if they can manage it,” Jackson added.
Usually, fixing exposed credentials and files can be a fast process, but remote code execution weaknesses may take longer to fix as the application needs to be upgraded to its latest version.
India’s cyber defense is exposed roughly two months after Russian hackers breached the US government and private entities by using a vulnerability in the network systems of SolarWinds. The December attack compromised Microsoft’s source code, allowing hackers view the code in a number of source code repositories.