Security researchers say they have found thousands of critical vulnerabilities in dozens of government-run web services, more than half of which are reportedly owned by state governments. Most of the services had a number of problems, including exposed credentials, leaked sensitive files, and the existence of certain errors. If exploited, these gaps could lead to deeper access to the government network, the researchers say. The problems were reported to the National Center for Critical Information Infrastructure Protection (NCIIPC) earlier this month. A senior official with the National Cyber Security Coordinator (NCSC) has now said “corrective action” has been taken.
Details of the compromised services were not published, as a security measure. However, many government agencies are still catching up on security measures, especially at the national level. But obviously different departments have different threat profiles.
The team of researchers, named Sakura Samurai, turned to NCIIPC in early February. However, the reported issues remained unresolved for more than two weeks, as indicated in a report from the Hindustan Times.
On February 20, Sakura Samurai member John Jackson published a blog post with a detailed description of the breach and of how the US Department of Defense’s Vulnerability Detection Program (DC3 VDP) came to be involved to help get the attention of the Indian Cyber Security Wing. The report suggests that the delay in action could have led to bad actors accessing sensitive information and conducting destructive operations against government servers.
Critical issues found in the government web services include exposed credentials that may allow unauthorized access. In addition, Jackson and his team wrote that they found 35 instances of exposed credential pairs (which can be used to authenticate to a target), three instances of sensitive files, dozens of police FIRs and more than 13,000 instances of personally identifiable information. Potential gaps have also been identified that could compromise highly sensitive government systems. The Sakura Samurai team tested gov.in systems as part of the Responsible Vulnerability Detection Program (RVDP) managed by NCIIPC. RVDP allows developers, researchers, and security professionals to report potential information security risk issues affecting companies and countries.
Jackson explained on the blog: “Although the Indian government has RVDP, we were not comfortable disclosing the vulnerabilities immediately. The hacking process was far from the standard security research situation, as usual. Overall, our report combined with a massive 34-page report on vulnerabilities. We knew our intention was good, but we wanted to ensure that the US government looked at the situation.”
Sakura Samurai then coordinated with the DC3 VDP to help facilitate initial calls. On February 4, the U.S. body tweeted at NCIIPC, saying, “Check your email and let’s talk.”
Hey @NCIIPC!! We have a researcher with some vulnerabilities to reveal that you may be interested. Check your email and let’s talk. ☎️
– DC3 VDP (@DC3VDP) February 4, 2021
NCSC opened a channel to communicate with Jackson and his team on Sunday. The National Cyber Security Coordinator (NCSC), Lieutenant General Rajesh Pant, told the Hindustan Times that the necessary action had been taken. “Corrective action has been taken by NCIIPC (National Center for Critical Information Infrastructure Protection) and CERT-In (Indian Emergency Response Team) … NCIIPC only deals with critical information infrastructure issues. In this case, the balance referred to other states and agencies, which were immediately informed by CERT-In. There is likely to be some action from users at the state level that we are checking.”