Indian Critical Infrastructure Protection Center VulnerableHacking Group: Flaws That Could Lead to Breach Remain Unpatched
Critical, unpatched vulnerabilities that could enable hackers to access sensitive data have been found in India's National Critical Information Infrastructure Protection Center, according to the ethical hacking group Sakura Samurai.
The findings were issued in a report highly critical of India's NCIIPC that found the agency was not meeting its obligations to protect the private data of citizens as well as its employees.
NCIIPC is India's federal agency responsible for safeguarding the country's critical infrastructure.
"While the NCIIPC operates a responsible vulnerability disclosure program, the recklessness and avoidance of communication represent the complete opposite of a responsible program. A failure to release notification of the breach to affected citizens and to patch highly-critical vulnerabilities in a timely manner reflects poorly on the state of their Information Security posture," the Sakura Samurai report states.
The ethical hacking group notes it uncovered 35 exposed credentials in the agency's servers and applications and identified instances of file disclosure, exposed private keys and more than 13,000 exposed personally identifiable records.
The Disclosure Program
When the group chained these vulnerabilities, it was able to compromise extremely sensitive government systems and perform remote code execution on a sensitive financial server that contained large backups of financial records.
Although the NCIIPC was alerted about the vulnerabilities on Feb. 8, John Jackson, the founder of Sakura Samurai and one of the researchers who helped identify the vulnerabilities, notes that by Feb. 22, the agency has only patched one-eighth of the total vulnerabilities. Jackson says that if the agency fails to patch the vulnerabilities, there could be a massive data breach.
The NCIIPC did not respond to a request for comments.
"The vulnerabilities spanned multiple state assets, not just on the NCIIPC domains," Jackson tells Information Security Media Group. "The NCIIPC needs to reevaluate its vulnerability resolution processes, including but not limited to: establishing a defined scope; hiring more personnel with cloud security, application security, network security and software engineering and infrastructure configuration backgrounds; etc."
Other members of the group that helped identify the vulnerabilities include Jackson Henry, Zultan Holder, Robert Willis and Aubrey Cottle. In January, the group identified a vulnerability in a GitHub repository belonging to the United Nations Environment Program that exposed more than 100,000 employee records (see: Vulnerable Database Exposed UN Employees' Data).
The Sakura Samurai report also identified a vulnerability in NCIIPC's database that enabled access to sensitive police records, such as forensic reports. The researchers also say they accessed personally identifiable information about the victims.
In another case, the researchers found a vulnerability that resulted in the exposure of more than 14,000 records. The exposed data included full names, contact information, employees' departments and dates of birth. The hacking group was also able to hijack any user’s session on the NCIIPC's application after chaining together these vulnerabilities and performing recode execution.
"The application contained troves of sensitive government data and could have given a threat actor the ability to perform highly-critical, admin-based government actions," the report notes.
Targeting Federal Agencies
In recent months, Indian federal agencies have been a target of interest for hackers tied to nation-state groups.
In September 2020, security firm Seqrite Cyber Intelligence Lab uncovered a suspected Pakistani campaign that targeted India’s defense forces, including individual soldiers, with phishing emails and malware designed to steal data (see: Hackers Target India's Military).
In July, the security firm Malwarebytes found a Chinese APT campaign hitting victims in India amid ongoing border tensions between the two countries (see: China-Backed APT Group Reportedly Targets India, Hong Kong).