Just a couple of days ago, the security research team Sakura Samurai found some critical vulnerabilities. The assessment was performed through the RVDP, the Responsible Vulnerability Disclosure Program. The list is believed to have been legally provided to the security researcher. One of the members, Robert Willis, reported that he was able to gain access to certain police records and assets. The tests performed led to the identification of various attack vectors, resulting in the exposure of login credentials for databases and other pertinent applications.
The group took note of its initial findings as it kept working through the list of assets within the scope, then went deeper into the research and began investigating the sensitive information, recognizing additional attack vectors and exposing Personally Identifiable Information (PII) and many more credentials. The research team includes Jackson Henry, Robert Willis, Aubrey Cottle, and John Jackson.
The specifics of what was compromised were not disclosed as a safety measure. Even so, numerous government departments are still catching up on security, especially at the state level. Clearly, though, different agencies have different threat profiles and cyber risks. The team reported its findings to the US Department of Defense Cyber Crime Center (DC3), which initiated contact with India's National Critical Infrastructure Information Protection Centre (NCIIPC). Following this, the security team shared its 34-page threat report with the NCIIPC. [Source]
The findings have been presented below:
|35 Separate Instances of Exposed Credential Pairs (Servers, Important Applications, etc.)|
|3 Instances of Sensitive File Disclosure|
|5 Exposed private-key pairs for servers|
|13K+ PII Records [and those are only the records that we were inadvertently exposed to]|
|Dozens of Exposed Sensitive Police Reports|
|Session Hijacking Chained via Multiple Vulnerabilities, resulting in the compromise of extremely sensitive government systems|
|Remote Code Execution on a sensitive financial server; a server that contained large backups of Financial Records|
Governments have an obligation to ensure that the private information of their employees and residents is protected. Moreover, exposed restricted government information can be used as an extraordinary means of control and for other dangerous purposes. While India's National Critical Infrastructure Information Protection Centre (NCIIPC) operates a Responsible Vulnerability Disclosure Program, the negligence and avoidance of communication represent the direct opposite of a responsible program.
A failure to notify affected residents of the breach and to fix very basic weaknesses in a timely manner reflects poorly on the state of their information security infrastructure. The clock for fixing the critical vulnerabilities started the moment the DC3 reached the NCIIPC through Twitter, as it is a highly visible space, one that threat actors monitor closely. Given their criticality, some of the issues cannot wait weeks or months for an effective resolution and resilient security awareness.
Article by Kaushik Sundararajan
I am a security professional specializing in network security. With vivid experience in different industries, I am looking to explore the current cyberspace and discuss the ideology of certain ideas from a different perspective.