The Indian Government Breach

NHI Mgmt Group

Cracking the Code

The team then expanded their scope to infrastructure-level vulnerabilities. They found the Government of Kerala’s Local Self Government financial server running an outdated version of Apache Tomcat with a known Remote Code Execution (RCE) vulnerability.

By exploiting this vulnerability, the researchers executed commands on the server remotely and reached a backup folder containing archived financial records. This step demonstrated the damage that a single unpatched component can cause on a critical government system: the RCE alone was enough to expose the data, independent of the leaked credentials found earlier.

Breaching Applications

To emphasize the criticality of their findings, Sakura Samurai shifted their focus from infrastructure to applications. Using the credentials gathered earlier, they accessed the financial server’s web application. Through a weakness in how the application handled its JSESSIONID session cookie, they were able to take over the session of a legitimate user and act within it. This let them view, modify, and submit transactions in the application, showing how an attacker could manipulate a live financial system.
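The page does not say what the JSESSIONID weakness was. The following is an added example, not code from the page or from Sakura Samurai, that models one common class of servlet session flaw as an assumption: the server accepts whatever JSESSIONID value the client presents, creates a server-side session under that identifier, and keeps the same identifier after login. An attacker who plants a cookie value in the victim's browser then shares the victim's authenticated session (session fixation). The hardened login discards the pre-login session, mints a fresh identifier on authentication, and sets the cookie with HttpOnly, Secure and SameSite.

```python
"""Minimal in-memory model of servlet-style session handling (illustrative only)."""
import secrets


class SessionStore:
    """Server-side session table keyed by the JSESSIONID value."""

    def __init__(self):
        self.sessions = {}  # session id -> session attributes

    def get_or_create(self, presented_sid):
        # Vulnerable pattern (assumed for illustration): trust the client-supplied
        # id and create a session under that exact value if none exists yet.
        if presented_sid is None or presented_sid not in self.sessions:
            presented_sid = presented_sid or secrets.token_hex(16)
            self.sessions[presented_sid] = {}
        return presented_sid


def login_vulnerable(store, presented_sid, username):
    # Authenticates the user but keeps the identifier the client arrived with,
    # so anyone who knows (or chose) that id now holds an authenticated session.
    sid = store.get_or_create(presented_sid)
    store.sessions[sid]["user"] = username
    return sid


def login_hardened(store, presented_sid, username):
    # Session-fixation defence: drop any pre-login session and issue a new,
    # unpredictable identifier at the moment privileges change.
    if presented_sid in store.sessions:
        del store.sessions[presented_sid]
    sid = secrets.token_hex(16)
    store.sessions[sid] = {"user": username}
    return sid


def whoami(store, sid):
    """Return the user bound to a session id, or None if it carries no identity."""
    return store.sessions.get(sid, {}).get("user")


def set_cookie_header(sid, hardened=True):
    """Build the Set-Cookie line; the hardened form adds the protective attributes."""
    attrs = ["JSESSIONID=%s" % sid, "Path=/"]
    if hardened:
        attrs += ["HttpOnly", "Secure", "SameSite=Strict"]
    return "Set-Cookie: " + "; ".join(attrs)


def demo():
    """Run the fixation scenario against both login flows and report the outcome."""
    planted = "ATTACKERCHOSENID"  # value the attacker got into the victim's browser

    vuln = SessionStore()
    login_vulnerable(vuln, planted, "alice")  # victim logs in with the planted id

    hard = SessionStore()
    hard.get_or_create(planted)  # same pre-login request with the planted id
    new_sid = login_hardened(hard, planted, "alice")

    return {
        "vulnerable_attacker_is_alice": whoami(vuln, planted) == "alice",
        "hardened_attacker_is_alice": whoami(hard, planted) == "alice",
        "hardened_new_id": new_sid != planted,
    }


if __name__ == "__main__":
    print(demo())
```

On Tomcat itself the equivalent controls are `changeSessionIdOnAuthentication="true"` on the authenticator (the default in current releases) and the `useHttpOnly` and `secure` cookie settings in the session configuration; the model above only shows why they matter.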

After completing their testing, Sakura Samurai submitted a detailed 34-page report documenting the vulnerabilities, with the assistance of the US government's vulnerability disclosure program.

Lessons Learned

This breach underscores critical lessons in cybersecurity:

  1. Supply Chain Security: Regular audits of deployed software, repositories and third-party dependencies are essential, so that source trees, configuration files and the credentials committed to them never end up reachable from a web root.

  2. Access Controls: Sensitive files such as .env and .bash_history must be kept outside the web server's document root, restricted by file permissions to the account that needs them, and encrypted where they must persist.

  3. Patch Management: Prompt updates for known vulnerabilities, such as those in Apache Tomcat, are crucial; an internet-facing server with a public RCE flaw gives an attacker code execution without any credentials at all.

  4. Monitoring and Response: Implement robust monitoring, including web server access logs and file integrity checks, so that probes for exposed repositories and configuration files and the follow-on exploitation are detected early.
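The monitoring lesson is concrete enough to show as detection logic. The script below is an added example, not code from the page or from Sakura Samurai: it parses web-server access-log lines in the common/combined format and flags the request patterns this campaign relied on, namely successful reads of `.git/` and `.env` paths and, as an assumed example of a Tomcat RCE vector (the page does not identify which Tomcat flaw was used), a `PUT` of a `.jsp` file followed by a request to it with a command parameter. The log lines are constructed for the example and are not real traffic from the incident.

```python
"""Flag recon-and-exploitation patterns in web access logs (illustrative rules)."""
import re
from collections import defaultdict

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2021:10:00:01 +0530] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Feb/2021:10:00:02 +0530] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [10/Feb/2021:10:00:03 +0530] "GET /.git/config HTTP/1.1" 200 301
203.0.113.7 - - [10/Feb/2021:10:00:05 +0530] "GET /.env HTTP/1.1" 200 812
198.51.100.4 - - [10/Feb/2021:10:01:10 +0530] "GET /files/ HTTP/1.1" 200 44210
198.51.100.4 - - [10/Feb/2021:10:02:00 +0530] "PUT /shell.jsp/ HTTP/1.1" 201 0
198.51.100.4 - - [10/Feb/2021:10:02:01 +0530] "GET /shell.jsp?cmd=id HTTP/1.1" 200 97
192.0.2.9 - - [10/Feb/2021:10:03:00 +0530] "GET /.env HTTP/1.1" 404 196
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _served(rec):
    return rec["status"].startswith("2")


def _path_only(rec):
    return rec["path"].split("?", 1)[0]


# Each rule: (name, predicate over a parsed record). A 404 probe is noise; a
# 2xx on these paths means the server actually handed the content over.
RULES = [
    ("exposed-git", lambda r: _path_only(r).startswith("/.git/") and _served(r)),
    ("exposed-env", lambda r: _path_only(r).endswith("/.env") and _served(r)),
    # Assumed Tomcat vector: DefaultServlet with readonly=false accepts PUT, and a
    # trailing slash has been used to bypass the .jsp mapping (illustrative only).
    ("jsp-upload", lambda r: r["method"] == "PUT" and ".jsp" in r["path"].lower()),
    ("webshell-exec", lambda r: r["method"] == "GET"
     and _path_only(r).lower().endswith(".jsp") and "cmd=" in r["path"]),
]


def scan(log_text):
    """Return a list of (rule, ip, path) alerts for every line that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pred in RULES:
            if pred(rec):
                alerts.append((name, rec["ip"], rec["path"]))
    return alerts


def by_ip(alerts):
    """Group alert names per source address so a multi-stage sequence stands out."""
    grouped = defaultdict(set)
    for name, ip, _ in alerts:
        grouped[ip].add(name)
    return dict(grouped)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print(by_ip(scan(SAMPLE_LOG)))
```

In practice the same rules would run in the SIEM or log pipeline rather than a script; the point is that a 2xx on `/.git/HEAD` or `/.env` is never legitimate traffic and deserves an immediate alert, and a `PUT` from the internet to an application server almost never is either.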

Conclusion

The Sakura Samurai's findings highlight systemic weaknesses in cybersecurity practices among Indian government agencies. The campaign underscores the importance of a proactive, layered defense: secure configurations that keep repositories and configuration files off the web root, regular patching of internet-facing software, session handling that cannot be hijacked, and incident response capable of catching the intrusion while it is still at the reconnaissance stage.

Overview

The Sakura Samurai, an ethical hacking group, conducted a responsible vulnerability disclosure campaign. They used various reconnaissance and exploitation techniques to expose significant flaws in the cybersecurity defenses of several Indian government organizations, revealing systemic issues in securing sensitive data and infrastructure.

Attack Pathway

  1. Identifying The Scope - Sakura Samurai began by establishing their legal testing boundaries within a Responsible Vulnerability Disclosure Program (RVDP). Using tools like Chaos and SubFinder, they enumerated subdomains, forming a list of potential targets. One discovery was particularly striking: a subdomain belonging to the Satara Police Department exposed its /files/ directory through a directory listing. This directory held highly sensitive police and forensic reports, underscoring the risk of a misconfigured web server that serves a directory's contents.

  2. Asset Discovery - The next step was to dive deeper into the identified scope, employing:

  • Amass for asset enumeration.

  • Dirsearch for finding hidden directories.

  • RustScan for rapid port scanning.

  • Nuclei for pinpointing vulnerabilities.

This process revealed multiple .git directories reachable from the web root. Because a .git directory contains the full object store, anyone who can fetch its files can reconstruct the repository, including source code and any credentials ever committed to it. These carelessly deployed repositories became a rich source of data for the group.

Exploiting Easy Wins

With assets in hand, the group turned their attention to vulnerabilities that required minimal effort but could yield significant rewards. Their findings included:

  • 10 exposed .git directories with hardcoded credentials for services such as MySQL, SMTP, and WordPress.

  • 23 .env files containing API keys and database credentials from numerous government agencies.
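The two findings above come down to two checks a web root should never pass: does `/.git/HEAD` return a git reference, and does `/.env` return `KEY=value` lines with credential-looking keys. The script below is an added example, not code from the page, from Sakura Samurai or from any of the tools named above, that implements both checks against a pluggable `fetch` function. The responses it runs against are constructed inline for the example; against a real host in scope the fetch would be an HTTP GET (for instance `requests.get`), which the example deliberately does not perform.

```python
"""Check a web root for an exposed .git directory and .env file (illustrative)."""
import re

# Constructed responses standing in for HTTP GETs: path -> (status, body).
FAKE_SITE = {
    "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "/.git/config": (200, '[core]\n\trepositoryformatversion = 0\n'
                          '[remote "origin"]\n\turl = https://example.invalid/agency/portal.git\n'),
    "/.env": (200, "# laravel style config (constructed)\n"
                   "APP_ENV=production\n"
                   "DB_HOST=127.0.0.1\n"
                   "DB_USERNAME=portal\n"
                   "DB_PASSWORD=s3cr3t-value\n"
                   'MAIL_PASSWORD="another one"\n'
                   "export AWS_SECRET_ACCESS_KEY=example-not-a-real-key\n"),
}

SECRET_KEY_RE = re.compile(r"(PASS|SECRET|TOKEN|KEY|DSN)", re.IGNORECASE)


def fake_fetch(path):
    """Stand-in for an HTTP client: returns (status, body) for a known path, else 404."""
    return FAKE_SITE.get(path, (404, ""))


def is_git_head(body):
    """True if the body looks like a git HEAD file (symbolic ref or raw commit hash)."""
    body = body.strip()
    return bool(re.fullmatch(r"ref: refs/heads/\S+", body) or re.fullmatch(r"[0-9a-f]{40}", body))


def git_remote_url(config_body):
    """Pull the first remote URL out of a .git/config body, or None."""
    m = re.search(r"url\s*=\s*(\S+)", config_body)
    return m.group(1) if m else None


def parse_env(body):
    """Parse dotenv-style text into a dict: comments, blanks, 'export' and quotes handled."""
    env = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def secret_keys(env):
    """Keys whose name suggests a credential and whose value is non-empty."""
    return [k for k, v in env.items() if SECRET_KEY_RE.search(k) and v]


def check_target(fetch):
    """Run both checks through `fetch(path) -> (status, body)` and report findings."""
    findings = {"git_exposed": False, "git_remote": None,
                "env_exposed": False, "env_secret_keys": []}
    status, body = fetch("/.git/HEAD")
    if status == 200 and is_git_head(body):
        findings["git_exposed"] = True
        cstatus, cbody = fetch("/.git/config")
        if cstatus == 200:
            findings["git_remote"] = git_remote_url(cbody)
    status, body = fetch("/.env")
    if status == 200:
        env = parse_env(body)
        if env:  # an HTML error page parses to nothing and is not a finding
            findings["env_exposed"] = True
            findings["env_secret_keys"] = secret_keys(env)
    return findings


if __name__ == "__main__":
    print(check_target(fake_fetch))
```

Checking `HEAD` rather than `/.git/` matters because directory listing is usually off while the individual files are still served; the full repository can then be pulled object by object. Reporting only the key names, not the values, keeps the scanner output itself from becoming another copy of the leaked secrets.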

Source GitGuardian