Examining the Attack Surface of Indian States

Indian government sites contain massive amounts of sensitive data, and since they are frequently targeted by malicious hackers and hacktivists, Securin investigated their cyber hygiene by running a scan on their public-facing assets and found many potential gaps in their security. Securin ASM scanned the domains of state governments and union territories and discovered around 14K assets connected to the Internet.

Report Methodology

The information presented in this report has been obtained by conducting scans on the public-facing assets of state governments and union territories in India. The purpose of this report is to assist these governmental entities in identifying potential vulnerabilities and addressing gaps in their security posture. This report aims to help these states and union territories improve their overall security posture and prevent crippling cyberattacks by identifying potential attack vectors and red-flagging vulnerabilities that malicious actors may exploit. We hope that the insights provided in this report will be valuable to these governmental entities in their efforts to safeguard their critical infrastructure and sensitive data from cyber threats.

Executive Summary

Introduction

As India continues to progress toward its digital goals, ensuring the security of its cyberspace becomes a paramount concern. However, cybersecurity in India poses a significant challenge, given its rapidly evolving digital landscape and the persistent threats posed by hackers and threat groups. Despite the federal government’s efforts to enhance the country’s cybersecurity infrastructure, India remains one of the most frequently targeted countries in the world.

Protecting the country’s digital assets, including government institutions, businesses, and individuals, requires a comprehensive and proactive approach to cybersecurity. In this context, understanding the attack surface of Indian states and the potential points of vulnerability in the government domains becomes crucial to mitigate the risks and safeguard the country’s digital future.

According to the Indian Computer Emergency Response Team (CERT-In), 13.91 lakh (1.391 million) cybersecurity attacks were reported in 2022. The actual number, including unreported cyberattacks, is estimated to be much higher.

In 2022, there was a slight decrease in the number of cyber incidents reported in India. However, critical entities were still targeted and fell victim to cyberattacks. One such instance was the attack on the All India Institute of Medical Sciences (AIIMS) in New Delhi, India’s premier medical institution, where hackers encrypted 1.3 terabytes of data.

Furthermore, Indian government agencies were heavily targeted by a Malaysia-based hacktivist group, Dragon Force, in the last quarter of 2022. The group ran campaigns against the ruling party to protest against certain controversial remarks made by the ruling party’s spokesperson.

As Indian government sites contain a significant amount of sensitive data and are frequently targeted by malicious hackers and hacktivists, Securin conducted an investigation of their cyber hygiene by running a scan on their public-facing assets. The investigation revealed several potential gaps in their security. These incidents highlight the need for constant vigilance and proactive measures to safeguard critical infrastructure and sensitive data from cyber threats.

Key Findings

Securin ASM conducted a comprehensive scan of the domains of state governments and union territories, revealing that there are 14K assets connected to the internet. Our analysis indicates that more than 8% of these assets operate on the cloud. These findings underscore the growing trend of government entities migrating their services to the cloud to improve efficiency and reduce costs. However, this also highlights the need for robust cloud security measures to safeguard critical data stored on these platforms from potential cyber threats.

Lacking Basic Security Protocols: Shockingly, over 10% of the Indian state domains lack Secure Sockets Layer (SSL) encryption, a fundamental security protocol. The absence of SSL encryption renders the domain insecure, exposing visitors and collected data to potential risks. This presents a “perfect” opportunity for malicious hackers and threat groups to mount attacks easily or intercept sensitive data. Additionally, without an SSL certificate, major browsers like Google Chrome will flag these sites as “insecure,” warning users against visiting them. It is imperative that these state domains be brought under SSL encryption to ensure the safe transmission of data. Failing to secure these websites could result in severe data breaches and put citizens’ personal information at risk.

High-Risk Services:

Our scans of state domains uncovered over 2,000 high-risk services operating on these domains. Specifically, we identified 15 instances of unsecured Remote Desktop Protocol (RDP) endpoints that were improperly configured and active on the domains of seven Indian states. This type of misconfiguration poses a significant security risk, as it can provide an entry point for cybercriminals to access sensitive internal resources. Moreover, our analysis also revealed that 293 instances of SSH and 67 instances of FTP were exposed to the internet in 14 and 11 state domains, respectively. These protocols are highly sensitive and should not be exposed to the internet, since exposing them increases the likelihood of a successful cyberattack. By identifying these high-risk services, our scans highlight the need for proactive measures to mitigate potential vulnerabilities and enhance the security posture of state domains.

Exposed Databases: Our scans also revealed over 20 instances of open and exposed databases across three Indian state domains. Many Indian state domains collect various types of sensitive data, including demographics; population density; socio-economic data such as literacy rates, health indicators, and poverty levels; and political data such as voting patterns and affiliations. In addition, they collect administrative data, such as tax records, property ownership, and licensing information. When such sensitive databases are left open to the internet, it offers an open invitation for hackers to mount an attack. Therefore, securing these databases with appropriate security measures is imperative to prevent any potential data breaches or attacks. Our findings underscore the need for better security practices and protocols to safeguard these critical assets.

Exposed Non-Production Systems:

We found 110 non-production systems exposed to the internet, which is a cause for concern. Non-production systems are used for staging environments, developer testing, User Acceptance Testing (UAT), and private IP addresses. These systems should never be exposed to the internet in the first place, as they lack adequate security controls or hardening. Non-production systems must always be kept behind a firewall, since hackers and cybercriminals can access them easily through leaked credentials. Once they gain access, they can move laterally and reach other sensitive information. This is a significant security risk and should be addressed urgently by Indian state governments and union territories to avoid potential data breaches and cyberattacks. It is essential that they take the necessary measures to secure these non-production systems and protect sensitive data.

Credential Leaks: Securin ASM’s scans revealed alarming findings. More than 700 credentials with passwords from all state domains were discovered to have been leaked onto the deep and dark web. This leaves these domains highly susceptible to phishing attacks, impersonation, and credential misuse. Additionally, we identified 1.6 million IP addresses that had been compromised by botnets accessing state URLs. This opens up the possibility for attackers to infiltrate and move laterally through the systems.

Susceptibility to Ransomware Attacks: We identified 177 assets with ransomware-associated vulnerabilities and 535 instances of ransomware exposure. These domains must take immediate steps to prevent potentially catastrophic ransomware attacks.

Immediate Steps

After thoroughly analyzing the data, Securin ASM has identified urgent recommendations for state governments and union territories to mitigate the risks. These include the following:

• Add SSL certificates to domains that lack them.

• Review and close all open ports.

• Secure databases by removing public (internet) access.

• Review exposed internal assets and remove access.
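The following is an added example, not Securin's code or output: it takes a small constructed asset inventory and triages it into the exposure categories used in the Key Findings above (missing SSL/TLS, high-risk RDP/SSH/FTP services, exposed databases, non-production hostnames), counts each category as "N instances across M states" the way the report phrases its findings, and maps each category to the corresponding Immediate Step. The state names, hostnames, and the database port list are constructed assumptions.

```python
# Added example (not Securin's code): triage a constructed asset inventory
# into the exposure categories this report uses; REMEDIATION follows "Immediate Steps".
import re
from collections import defaultdict

HIGH_RISK_PORTS = {3389: "RDP", 22: "SSH", 21: "FTP"}            # services named in the report
DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"}  # assumed engines
# Hostname labels that usually mark staging/test/UAT (non-production) systems.
NON_PROD = re.compile(r"(^|[.-])(dev|test|staging|uat|qa)([.-]|$)", re.I)
REMEDIATION = {
    "missing_tls": "add an SSL/TLS certificate and redirect HTTP to HTTPS",
    "high_risk_service": "close the port or restrict it to VPN/allow-listed sources",
    "exposed_database": "remove internet access; bind to the internal network only",
    "non_production": "take offline or place behind a firewall/VPN",
}
# Constructed inventory rows: (state, hostname, open port, TLS offered on that port?).
INVENTORY = [
    ("State A", "portal.statea.example", 80, False),
    ("State A", "portal.statea.example", 443, True),
    ("State A", "uat.portal.statea.example", 80, False),
    ("State A", "db.statea.example", 3306, False),
    ("State B", "gis.stateb.example", 80, False),
    ("State B", "gis.stateb.example", 3389, False),
    ("State B", "admin.stateb.example", 22, False),
    ("State C", "records.statec.example", 21, False),
    ("State C", "records.statec.example", 3389, False),
    ("State C", "mongo.statec.example", 27017, False),
]

def classify(inventory):
    """Return {category: {(state, hostname, detail), ...}} for every exposure found."""
    findings = defaultdict(set)
    # A host counts as "lacking SSL" only if it serves HTTP and has no TLS listener at all.
    tls_hosts = {(s, h) for s, h, _, tls in inventory if tls}
    for state, host, port, _ in inventory:
        if port in HIGH_RISK_PORTS:
            findings["high_risk_service"].add((state, host, HIGH_RISK_PORTS[port]))
        if port in DATABASE_PORTS:
            findings["exposed_database"].add((state, host, DATABASE_PORTS[port]))
        if port == 80 and (state, host) not in tls_hosts:
            findings["missing_tls"].add((state, host, "HTTP only"))
        if NON_PROD.search(host):
            findings["non_production"].add((state, host, "non-production hostname"))
    return dict(findings)

def summarize(findings):
    """Per category: (instance count, number of distinct states affected)."""
    return {cat: (len(items), len({s for s, _, _ in items})) for cat, items in findings.items()}

if __name__ == "__main__":
    for cat, (n, states) in summarize(classify(INVENTORY)).items():
        print(f"{cat}: {n} instance(s) across {states} state(s); fix: {REMEDIATION[cat]}")
```

A real inventory would come from the organisation's own asset register or scan export; the host-level TLS check deliberately ignores hosts that serve HTTPS alongside HTTP, so a plain-HTTP listener next to a working TLS one is not counted as "lacking SSL".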

Conclusion & Recommendations

The investigation of Indian state domains has revealed a lack of basic cyber hygiene and a concerning absence of fundamental security protocols, making them extremely vulnerable to cyberattacks. In today’s world, even low-skilled hackers can scan public-facing devices and exploit weak entry points to steal data, disrupt critical services, or hold data for ransom. Furthermore, sophisticated hackers and threat groups can spy on government assets and sell sensitive data to the highest bidder, wreaking havoc on society.

It is essential for security teams to have a comprehensive view of their attack surface to prevent such attacks. Lack of visibility is a multifaceted and intricate problem that is challenging to fix, because the attack surface is dynamic and constantly evolving and therefore requires continual observation and monitoring. Without the right level of visibility, governmental entities become prime targets for cyberattacks. Securin ASM can provide this window of visibility by identifying unknown assets, prioritizing high-risk exposures, and offering continuous mitigation to enhance your security posture.

How Can Securin ASM Help You?

The Securin Attack Surface Management (ASM) solution is a powerful tool for organizations seeking to enhance their cybersecurity posture. By providing a comprehensive view of the attack surface from a hacker’s perspective, Securin ASM enables customers to identify and prioritize vulnerabilities and exposures that could attract attackers and put their enterprise at risk.