Researchers hacked Indian govt sites via exposed git and env files

Researchers have now disclosed more information on how they were able to breach multiple websites of the Indian government.

Last month, researchers from the Sakura Samurai hacking group had partially disclosed that they had breached cyber systems of Indian government after finding a large number of critical vulnerabilities.

The full findings disclosed today shed light on the routes leveraged by the researchers, including finding exposed .git directories and .env files on some of these systems.

Researchers discover exposed .git and .env files

Last month, ethical hackers Jackson Henry, Robert Willis, Aubrey Cottle, John Jackson, and Zultan Holder collaborated on finding vulnerabilities lurking in Indian government systems.

The reconnaissance efforts, according to the researchers, were in line with the government's NCIIPC Responsible Vulnerability Disclosure Program (RVDP).

As a result of this team exercise, the researchers found some serious flaws including 35 cases of exposed credential pairs for critical applications, publicly-reachable sensitive files exposing 13,000 PII records, dozens of police reports, etc.

The researchers also found session hijacking and remote code execution (RCE) vulnerabilities on sensitive government systems that process financial information.

But, all of this information came to light when the researchers discovered exposed .git folders and .env files on one or more Indian government subdomains.

First, Henry and Holder used ethical hacking tools to identify the subdomains to target.

Further, they identified the exposed .git and .env files on these servers that had credentials to multiple applications, databases, and servers.

The .env file is often used by software applications and contains configuration information along with usernames, passwords for application servers and databases, such as MySQL, SMTP, PHPMailer, and Wordpress.

Likewise, the .git directory contains information about a software project codebase.

Researchers used a tool called git-dumper to obtain the contents of the publicly-accessible .git directory, and could therefore obtain files with usernames and passwords. 

Further, Willis discovered a /files/ folder on a regional police department's website with heaps of PDFs in it.

These PDFs were police reports with sensitive information with some even containing forensic data.

Many Indian government departments breached

After persisting with their reconnaissance efforts, the researchers continued to discover even more publicly accessible files on government sites, such as SQL dumps and databases that should have remained inaccessible over the web.

Just one example below shows the nature of personally identifiable information (PII) that could be obtained by the researchers.

The table shown below contains fields like an employee's full name, date of birth, contact information, office department, and Aadhar (national identification card) number.

By corroborating the information collected and chaining vulnerabilities together, researchers could execute session hijacking attacks, and in some cases remote code execution (RCE) against mission-critical government systems.

The list of government departments that the attackers found one or more security flaws in includes: 

After the researchers reported the flaws via intermediary government bodies, such as India's National Cyber Security Coordinator (NCSC) and CERT-IN, the flaws were eventually remediated.

On February 21, 2021, a National Cyber Security Coordinator (NCSC) official, Lt. Gen. Rajesh Pant had told Hindustan Times:

“Remedial actions have been taken by NCIIPC (National Critical Information Infrastructure Protection Centre) and Cert-IN (Indian Computer Emergency Response Team)… NCIIPC handles only the Critical Information Infrastructure issues. In this case, the balance pertained to other states and departments that were immediately informed by Cert-IN. It is likely that some action may be pending by users at state levels which we are checking.”

To prevent threat actors from exploiting these vulnerabilities, the researchers had not released the complete writeup on how exactly they had exploited the government systems, until today.

"After working with the NSCS, we have been given the green-light to disclose more specific details and all 34-pages of our reported vulnerabilities have been adequately remediated," said researchers in their detailed report released today.

This is not the first time web servers have exposed files that should remain forbidden from the public eye.

Previously, Sakura Samurai group had breached the United Nations on finding exposed Git credential files on UN-owned domains.

The researchers could use these credentials to access over 100K UNEP employee records.

Last month, BleepingComputer had also reported on an Azure bucket leaking hundreds of passports and identity documents of prominent journalists and volleyball players from around the world.

When deploying web services, organizations should ensure that proper file permissions are configured and verify if sensitive assets can be accessed publicly.