Govt's Parivahan website likely suffered data breach

Cybersecurity firm CloudSEK has reported that the government's Parivahan website suffered a data breach, exposing its source code and sensitive data of 10,000 users.

CloudSEK claims its AI digital risk platform found a threat actor sharing the source code of Integrated Road Accident Database (iRAD), an initiative of the Ministry of Road Transport and Highways (MoRTH), on a cybercrime forum. iRAD, funded by the World Bank, aims to improve road safety in the country.

The cybersecurity firm detected the data breach on August 2. "Our source was able to obtain the source code, totaling 165 MB in size. Most of the code is written in PHP," says CloudSEK.

"We have found several sensitive assets embedded in the code. The code contained hostnames, database names, and passwords. The usernames and passwords used in the source code were quite simple and could be prone to brute-force attacks with local access to the server," it says.

"We observed that the source code includes references to sms.gov.in, a NIC SMS Gateway that enables government departments to integrate and send citizen-centric SMS to Indian nationals," the cybersecurity firm adds.

Additionally, the URL embedded in the source code includes fields for username and password, which, if misused, might inadvertently grant unauthorised individuals the ability to send messages to recipients, says CloudSEK.

On August 7, the same threat actor made another post sharing a sample dataset of the 10,000 users of the website, the cybersecurity firm notes. "The post also mentions that SQL injection was used to obtain the data from the vulnerable API endpoint which at the time of writing the report is still accessible," it says.

The sample dataset contains a list of 10,000 user records with sensitive user information, according to CloudSEK. "Our source could verify some of the mobile numbers and the names mentioned in the sample dataset against Truecaller and they matched. The sample data also contains government officials' email IDs and clear text passwords," it says.

Impact of data breach

The leaked information could be used to gain initial access to the website's infrastructure, the cybersecurity firm says. If the leaked passwords are not encrypted, it could enable account takeovers, it adds. Commonly used passwords or weak passwords could lead to brute force attacks, CloudSEK claims, adding it would equip malicious actors with the details required to exfiltrate data and maintain persistence.

The data security firm suggests implementing a strong password policy and enabling MFA (multi-factor authentication) across logins. "Patch vulnerable and exploitable endpoints. Monitor for anomalies in user accounts, which could indicate possible account takeovers. Scan repositories to identify exposed credentials and secrets," it advises.

Ransomware groups increasingly target the exfiltration of files, and the unauthorised extraction or transfer of sensitive information, which has become the primary source of extortion, according to Akamai.

As per Barracuda Networks, the number of reported attacks on municipalities, healthcare and education have doubled since last year and more than quadrupled since 2021. Researchers at Barracuda analysed 175 publicly reported successful ransomware attacks across the world between August 2022 and July 2023.