On May 12, 2021, more than 200M personally identifiable information (PII) records of Indonesians were found to have been stolen and sold on RaidForums, contributing to a succession of cybercrime events. The lack of data protection standards and enforcement of security regulations is making the situation worrisome. In the recent incident, a threat actor (TA) with the alias ‘Kotz’ claimed, in a post on the cybercrime forum, to be in possession of the personal data of 279 million Indonesian citizens, both alive and dead. The actor claimed that the stolen data had been sourced from the National Health Insurance Administrator (BPJS Kesehatan) and includes full names, ID card numbers, email addresses, phone numbers, dates and places of birth, and salary details. The threat actor offered access to the updated data for 2 Bitcoins, or USD 74,906, or IDR 1 billion.
In this blog, we are sharing some of the critical developments and behind-the-scenes activities that unraveled during our analysis and investigation. The blog is intended for awareness purposes only, and by no means are we making any claims on the legitimacy of the data sets or the actor’s claims.
On June 15, 2021, we discovered a post wherein an alleged threat actor named ‘AkuCintaMamaMuda’ published a list of vulnerable Indonesian websites on RaidForums. The list includes education, local government, agriculture, law enforcement, and several regency public services websites. The list was also found hosted on a GitHub account belonging to the user @Zhiir.
Our analysis showed that a threat actor group, including several members of RaidForum Indo Cyber and DragonForce Malaysia, had allegedly initiated mass data breaches and DDoS attacks. These campaigns successfully took down several websites in addition to compromising a massive data set. The activity was allegedly orchestrated by the same threat actor, as shown in Figure 1.
Figure 1 – Threat actor reputation and posts, June 2021
We have observed an increase in the activity of TAs posting about organizations and institutions from Indonesia. Apart from the BPJS data leak, some of the other incidents include the exposure of:
- 7K records of PPDB Online, a state-owned admission portal
- 27K records of a list of vulnerable databases posted on Github
- 6M+ records of Karir.com, a recruitment and career development portal
- 80M+ records of IndoLeaked, a collective repository sourced from various darkweb forums
Here are some of our observations:
- The lists of targeted vulnerable websites were possibly sourced from GitHub code repositories.
- The TA and their handles are members of an anonymous collective group, “RaidForum Indo Cyber”.
- The TA posted video tutorials on hacking, automating exploit kits, and several other techniques for conducting mass exploitation.
Several threads in Telegram channels and cybercrime forums have indicated that the TA has actively shared the tools and techniques used to conduct exploitation with an automated SQL injection technique.
Figure 2 shows the cyber kill chain and Tactics, Techniques, and Procedures (TTPs) used by the TA for exploiting vulnerable websites.
Figure 2 – Cyber kill chain of the massive data leak by the TA
Threat Actor Profile:
Our investigation indicated that the TA group and their handles regularly sold leaked data on the forum and shared it on their Telegram channel. The TAs have been active in the forum, and they have gained a positive reputation. Figure 3 shows the connections between the TAs and their handles.
Figure 3 – Connections between the TA and their handles
Figure 4 – Links shared by TAs in the Telegram channel
Cyble Research Labs observed that open-source automated tools have been used to conduct mass exploitation activities targeted at organizations. The victim organizations include government portals, public services, education, law enforcement, and online marketplaces, among others. Because these automated tools are effective, TAs are now adopting an automated approach in their tactical operations for launching mass exploitation attacks.
Our observations suggest that the TAs utilize an automated tool such as SQLMap, along with several other exploitation techniques, to acquire complete dumps of the databases of vulnerable targets. Figure 5 shows a list of vulnerable sites posted on GitHub.
Figure 5 – List of vulnerable sites posted on GitHub
Figure 6 shows several samples of the leaked data obtained from cybercrime forums.
Figure 6 – Sample of hashed leaked data acquired from the forum
Tactics, Techniques, and Procedures
SQLMap is an open-source tool that automates the detection and exploitation of SQL injection flaws, covering reconnaissance, intrusion, and data exfiltration; it was used throughout the campaign.
Figures 7 and 8 show the TTP used by the Threat Actor for the exploitation.
Figure 7 – TTP of SQL Exploitation Application
Figure 8 – TTP of Mass Exploitation
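The TTPs above rely on an automated SQL injection tool firing many probe requests at the same parameter in quick succession, which leaves a recognisable footprint in ordinary web server access logs. The following is an added example (not Cyble's tooling, and not code from the original post) that parses Apache combined-format log lines, URL-decodes each query parameter, and scores each source IP on generic SQL injection indicators plus the default `sqlmap/...` User-Agent string. The log lines are constructed sample data; the indicator names, the `threshold` parameter and the `analyze` function are this example's own.

```python
import re
import urllib.parse
from collections import defaultdict

# Constructed sample access-log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2021:10:01:02 +0700] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/89.0"
203.0.113.7 - - [15/Jun/2021:10:01:03 +0700] "GET /news.php?id=12%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.5.6#stable (http://sqlmap.org)"
203.0.113.7 - - [15/Jun/2021:10:01:03 +0700] "GET /news.php?id=12%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jun/2021:10:02:11 +0700] "GET /search.php?q=beasiswa%202021 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Linux; Android 11)"
203.0.113.7 - - [15/Jun/2021:10:01:04 +0700] "GET /news.php?id=12%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# SQLMap identifies itself unless the operator overrides the User-Agent.
SQLMAP_UA = re.compile(r"sqlmap", re.I)

# Generic SQL injection indicators, matched against each URL-decoded parameter value.
PAYLOAD_PATTERNS = {
    "boolean_tautology": re.compile(r"['\"]\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
    "comment_terminator": re.compile(r"(?:--|#|/\*)\s*$"),
}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def classify(entry):
    """Return the list of indicator tags that fire for one parsed request."""
    tags = []
    if SQLMAP_UA.search(entry["ua"]):
        tags.append("sqlmap_user_agent")
    query = urllib.parse.urlsplit(entry["path"]).query
    # parse_qsl decodes %xx escapes, so obfuscated payloads are inspected in clear text.
    for _name, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
        for tag, pattern in PAYLOAD_PATTERNS.items():
            if pattern.search(value) and tag not in tags:
                tags.append(tag)
    return tags


def analyze(log_text, threshold=2):
    """Aggregate per source IP; raise an alert when flagged requests reach the threshold."""
    per_ip = defaultdict(lambda: {"requests": 0, "flagged": 0, "tags": set(), "paths": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        stats = per_ip[entry["ip"]]
        stats["requests"] += 1
        tags = classify(entry)
        if tags:
            stats["flagged"] += 1
            stats["tags"].update(tags)
            stats["paths"].add(urllib.parse.urlsplit(entry["path"]).path)
    return {
        ip: {
            "requests": s["requests"],
            "flagged": s["flagged"],
            "tags": sorted(s["tags"]),
            "paths": sorted(s["paths"]),
            "alert": s["flagged"] >= threshold,
        }
        for ip, s in per_ip.items()
    }


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

A single tautology or comment terminator in a parameter can be a false positive on its own, so the alert is raised on the count of flagged requests per source rather than on one match; in practice the same logic is run as a scheduled query over a SIEM's web access logs and the threshold tuned to the site's baseline.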
The affected data and assets exposed by the TAs include sensitive personal information, employee information, financial transaction details, National Identification numbers, and social media usernames. The potential risks of this data leak include breach of privacy, identity theft, and ensuing fraudulent activities.
Impact of such data leaks:
In many cases, remediating a data breach is a challenging task. For victim organizations, it often has long-term consequences such as loss of brand reputation and financial loss. For government agencies, the consequences are even more significant. The leak of sensitive information to foreign governments can hinder diplomatic relations, and the leak of sensitive information associated with critical national infrastructure such as dams, electrical power grids, and military personnel can cause massive damage to a country and its citizens. Furthermore, individuals are at risk of identity theft due to exposed PII such as national IDs, emails, passwords, and banking information.
Organizations must conduct a thorough investigation in addition to applying security measures and organizing cybersecurity awareness programs.
- We recommend that internal IT security teams conduct a full investigation and perform forensic checks on enterprise networks and compromised assets.
- Businesses should conduct routine password reset exercises, enforce multi-factor authentication, and conduct cybersecurity awareness programs within their employee base.
- Conduct technical discussions with, and follow up with, the SOC team.
- Apply allow-list (whitelist) input validation to both client-server and API communication.
- Keep web applications and software components updated with the latest security updates available from vendors, particularly libraries, plug-ins, frameworks, web server software, and database server software.
- Follow the principle of least privilege.
- Avoid assigning a shared database account across websites or applications.
- Validate user-supplied data for expected data types, including drop-down menus and radio buttons, as well as fields that allow user input.
- Keep HTTP error responses and SQL query error messages minimal so that database errors and internals are not exposed to clients.
- Use prepared statements (with parameterized queries) to ensure that an attacker cannot change the intent of a query, even if an attacker inserts SQL commands.
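The last three recommendations (least-privilege and type validation, allow-listed values, prepared statements) can be shown side by side in a few lines. The following is an added example, not code from the original post or from any of the affected sites: it uses an in-memory SQLite database with constructed sample rows (the `users` table, the names and NIK-style values are made up), contrasts a concatenated query of the kind automated tools exploit with a parameterized one, and allow-lists the one part of a query that cannot be bound as a parameter, the `ORDER BY` column. The `ALLOWED_SORT_COLUMNS` set and the function names are this example's own.

```python
import re
import sqlite3

# Hypothetical allow-list of columns the application is willing to sort by.
ALLOWED_SORT_COLUMNS = {"name", "created_at"}
# Type check for a numeric identifier: digits only, bounded length.
ID_PATTERN = re.compile(r"\d{1,10}")


def setup_db():
    """Create an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, nik TEXT, "
        "email TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Budi", "3171010101010001", "budi@example.invalid", "2021-01-05"),
            (2, "Sari", "3171010101010002", "sari@example.invalid", "2021-02-10"),
        ],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Untrusted input concatenated straight into SQL: the pattern automated tools hunt for."""
    sql = f"SELECT id, name, email FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id, sort_by="name"):
    """Validate the type and the allow-list first, then bind the value with a parameter marker."""
    if not ID_PATTERN.fullmatch(str(user_id)):
        raise ValueError("user_id must be a positive integer")
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    # Identifiers cannot be bound as parameters, so only an allow-listed column name reaches the SQL.
    sql = f"SELECT id, name, email FROM users WHERE id = ? ORDER BY {sort_by}"
    return conn.execute(sql, (int(user_id),)).fetchall()


def find_by_email_safe(conn, email):
    """Parameter binding: the driver passes the value separately, so quotes inside it stay data."""
    return conn.execute("SELECT id, name FROM users WHERE email = ?", (email,)).fetchall()


def raises_value_error(fn, *args, **kwargs):
    """Small helper so callers can check that validation rejects bad input."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "1"))
    print("vulnerable, tautology    :", lookup_vulnerable(db, "1 OR 1=1"))
    print("safe, normal input       :", lookup_safe(db, "1"))
    print("safe rejects tautology   :", raises_value_error(lookup_safe, db, "1 OR 1=1"))
    print("safe, quoted email input :", find_by_email_safe(db, "x' OR '1'='1"))
```

The point of the contrast is that the parameterized version does not try to recognise malicious input at all: the value is sent to the database engine separately from the statement text, so it can only ever be compared as data. Validation is still applied in front of it, both to reject input of the wrong type early and because the sort column is a query identifier that no parameter marker can protect.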
Appendix A – References
- OWASP SQL Injection: https://www.owasp.org/index.php/SQL_Injection
- OWASP SQL Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
- OWASP Query Parameterization Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html
- MITRE ATT&CK: https://attack.mitre.org/software/S0225/
- SQLMap Project: https://github.com/sqlmapproject/sqlmap
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.