3,20,000+ Patient Records From Ayush Jharkhand Gov. In Shared On Dark Web Hacking Forums | Threat Intelligence | CloudSEK
Updated on: September 4, 2023
Published on: September 4, 2023
Read time: 7 minutes
Executive Summary
A threat actor using the name Tanaka shared a post titled “bitsphere.in” on an English-speaking hacking forum.
Ayush.jharkhand.gov.in is the state website of the Ministry of AYUSH for Jharkhand and provides information on the Ayurveda, Yoga and Naturopathy, Unani, Siddha, and Homoeopathy systems of medicine.
The database is 7.3 MB in size and contains more than 3 lakh 20 thousand (3,20,000) patient records, including patients' personally identifiable information (PII) and medical diagnoses.
The database also contains doctors' PII and login information, including usernames, passwords and phone numbers.
Investigation of the data revealed that it was taken from the servers of ayush.jharkhand.gov.in, which were developed by bitsphere.in.
The data was attributed to Ayush Jharkhand's website by correlating the chatbot data and blog-post data shared by the threat actor with the data publicly available on the website.
The post mentioned the name of a table in the SQL dump and included information about doctors in the samples.
Analysis and Attribution
Information from the Post
On 14 August, CloudSEK's contextual AI digital risk platform XVigil discovered the threat actor Tanaka sharing a database labelled bitsphere[.]in on an English-speaking hacking forum.
Analysis of the database reveals that the following information has been leaked:
- More than 3 lakh 20 thousand patient records containing patients' PII and medical diagnoses.
- 500 login credentials, including multiple cleartext passwords.
- Contact information of 737 people who used the “Contact Us” form.
- 472 records containing doctors' PII.
- The PII of 91 doctors along with information about where they are posted.
Correlation between the data shared by the threat actor and the data present on ayush.jharkhand.gov.in’s website
The content of the “blogs” table is the same as that on Ayush Jharkhand's website.
The chatbot on Ayush Jharkhand's website returns the same replies as those stored in the “chatbot_ayush_reply” table of the leaked database.
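The correlation step described above, as an added example that is not part of CloudSEK's report: a Python check that normalises rows claimed to come from a leaked table and measures how many have an exact counterpart in text scraped from the public site. The leaked rows, the public page snippets, and the function names are constructed assumptions, not the actual data.

```python
"""
Added example (not CloudSEK's code): a minimal attribution check that compares
rows from a purported "blogs" / "chatbot_ayush_reply" dump with text from the
public website. All inputs below are constructed sample data.
"""
import html
import re
from typing import Iterable

def normalise(text: str) -> str:
    """Strip HTML tags and entities, collapse whitespace and case, so a DB row
    and the rendered web page compare equal despite formatting differences."""
    text = html.unescape(re.sub(r"<[^>]+>", " ", text))
    return re.sub(r"\s+", " ", text).strip().casefold()

def correlate(leaked_rows: Iterable[str], public_texts: Iterable[str]) -> dict:
    """Count leaked rows that have an exact (normalised) counterpart on the
    public site; the match ratio is the evidence used for attribution."""
    public = {normalise(t) for t in public_texts}
    rows = [normalise(r) for r in leaked_rows]
    matched = [r for r in rows if r in public]
    return {
        "total": len(rows),
        "matched": len(matched),
        "ratio": (len(matched) / len(rows)) if rows else 0.0,
    }

# Constructed sample: three "blog" rows as they might appear in a dump, and the
# same content as scraped from a web page (HTML markup, entity encoding, extra
# whitespace). One row on each side deliberately has no counterpart.
LEAKED_BLOG_ROWS = [
    "Benefits of Yoga &amp; Naturopathy in daily life",
    "Homoeopathy camp organised at district hospital",
    "Unrelated row that exists only in the dump",
]
PUBLIC_BLOG_TEXTS = [
    "<h2>Benefits of Yoga &amp; Naturopathy in  daily life</h2>",
    "<p>Homoeopathy camp organised at District Hospital</p>",
    "<p>A post that was never in the leaked table</p>",
]

if __name__ == "__main__":
    # Expected on the sample: 2 of 3 rows match (ratio 0.67)
    print(correlate(LEAKED_BLOG_ROWS, PUBLIC_BLOG_TEXTS))
```

A high match ratio on content the site serves publicly (blog posts, canned chatbot replies) supports attribution without needing any of the sensitive records themselves.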
Impact & Mitigation
Impact
The leaked data could enable account takeovers.
Commonly used or weak passwords among the leaked credentials make brute-force attacks against accounts feasible.
It would equip malicious actors with the details required to launch sophisticated phishing attacks.
Mitigation
Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
Patch vulnerable and exploitable endpoints.
Do not store unencrypted secrets in .git repositories.
Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
Monitor for anomalies in user accounts, which could indicate possible account takeovers.
Scan repositories to identify exposed credentials and secrets.
Monitor cybercrime forums for the latest tactics employed by threat actors.