Ethical hackers and cybersecurity researchers disclosed more information on how multiple websites of the Indian government got hacked and breached. Just last month, researchers from the Sakura Samurai hacking group had discovered and disclosed their breach and findings via a large number of critical vulnerabilities on the cyber systems of the Indian government.
The full findings had shed light on the possible routes that can be leveraged against the Indian government; this includes exposed data, .git directories and .env files on some of their systems.
The Sakura Samurai team members who collaborated to find the vulnerabilities on Indian government systems include Jackson Henry, Aubrey Cottle, Robert Willis, Zultan Holder, and John Jackson. Their reconnaissance efforts were in line with the Indian government’s National Critical Information Infrastructure Protection Centre (NCIIPC) under the Responsible Vulnerability Disclosure Program or RVDP.
This team exercise resulted in discovering serious flaws and unintended exposures such as credential pairs of critical applications, publicly accessible sensitive data files of 13,000 PII records, police reports, sessions hijacking vulnerabilities, remote code execution flaw on a financial services server and so on.
All this discovery came to light when exposed .git and .env folders were discovered on subdomains. The exposed files contained credentials to multiple apps, database and servers on the subdomains of the Indian government.
These .env files are often used for software applications. It usually contains config info and login name and password for app servers, databases like SQL, Mailer app, SMTP, and CMS. The .git files, however, contain directory information about a software project and its codebase.
The ethical hackers used a git-dumper tool to obtain the contents of the publicly accessible .git directory and therefore accepted the files with login credentials information. Further in, a team member discovered a files folder directory of a regional police department’s website that contains a stack of PDF files. The PDFs were police reports with sensitive data, and some even include forensic analysis detail.
After the persistent reconnaissance efforts, the researcher group continues to discover more public access government files on various government websites that includes SQL dump files and databases that should not be accessible over the internet. Some of the 13,000 PII obtained by the researchers contains fields and data of a staff’s full name, date of birth, contact details, department and national identification card number.
By verifying the collected information and chaining the found vulnerabilities, the researchers hacked and executed a successful session hijacking attack and, in some tests, remote code execution against the critical Indian government systems.
After submitting the vulnerability reports via intermediary government bodies, the critical flaws were immediately remediated.
The researcher team did not release the complete write-up on how they hacked and exploited the government systems to prevent threat actors from exploiting the flaws.
This is not the first case of critical web servers having exposed sensitive files that are publicly accessible. Deploying web services requires organizations to ensure that the proper file access permissions are configured correctly and to verify that these assets can’t be accessed from the public.