Cybersecurity firm CloudSEK said that its contextual AI digital risk platform XVigil discovered on July 25 that a threat actor known as "UsNsA" had shared a database of PHI-IIIT Delhi on an English-speaking cybercrime forum in exchange for forum credits.
According to the CloudSEK report, a total of 82 databases were compromised, and the leaked data includes emails, names, years, and internal healthcare and vaccine-development documents, including research papers and more.
The report also said that a portion of the offered database is publicly accessible on the PHI Portal hosted on ERNET (Education and Research Network), an autonomous scientific society under the Ministry of Electronics and Information Technology (MeitY) in India.
PHI (Portal for Health Informatics) is IIIT Delhi's web portal for bioinformatics, health informatics, and genomics, helping biologists in vaccine development and drug design. It provides servers, databases, and software for scientific computation in healthcare, supporting research in the life sciences.
The shared archive, named webs.iiitd.edu.in.rar, included 10,842 emails, around 6,500 unique domains, 29,000 unique URLs, and internal data files relating to ovirustdb, leukemiabd, indiabiodb, HIV, and more.
The leaked database file contains various tables, including bacvacdb, cancerdp, PHPMyadmin, dengi, and Crud. It also includes usernames such as admin, test, Vikram, mouli, osddadmin, osdduser11, and user31, which were taken from the DotProject contacts table.
The threat actor exploited a SQL injection vulnerability on the PHI Portal website to gain unauthorized access and exfiltrate the database, likely employing the SQLMap tool.
SQLMap is a powerful open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web applications.
CloudSEK said that its researchers found the parameters affected by SQL injection in the SQL logs. The leaked MySQL user table named "users" exposed sensitive information such as usernames, hashed passwords, user privileges, SSL type, and possibly other confidential data.
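The mechanism behind the breach described above, as an added illustration that is not part of the report or the PHI Portal's code: a lookup built by string interpolation lets a crafted parameter pull rows from an unrelated `users` table, while the same lookup with a bound parameter treats the input purely as a value. The schema, rows and hash value are constructed stand-ins, with SQLite used in place of MySQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a portal database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dataset (name TEXT, description TEXT);
        INSERT INTO dataset VALUES ('demo_db', 'public sample dataset');
        CREATE TABLE users (username TEXT, password_hash TEXT, privilege TEXT);
        INSERT INTO users VALUES ('admin', '<constructed-hash>', 'ALL');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The request parameter is spliced into the SQL text, so anything the
    # caller sends is parsed as SQL rather than compared as a string.
    sql = f"SELECT name, description FROM dataset WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver binds the value separately from the
    # statement, so quotes and keywords in the input never alter the query.
    sql = "SELECT name, description FROM dataset WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Textbook UNION payload of the kind automated scanners probe with; the
# trailing comment marker swallows the closing quote of the original query.
PAYLOAD = "x' UNION SELECT username, password_hash FROM users -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # leaks the users row
    print("safe:      ", lookup_safe(db, PAYLOAD))        # returns nothing
```

The same fix applies to any driver: bind values with placeholders rather than formatting them into the statement, and keep application accounts from reading privileged tables they do not need.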
“The compromise of the database of Portal of Health Informatics, IIIT Delhi, underscores the critical need for continuous vigilance in the face of ever-evolving cyber threats & risks. The use of an open-source tool to gain unauthorised access and leak of the data serves as a stark reminder of the potential harm that can arise in the near future. The healthcare industry's susceptibility to exploitation due to its ease of targeting makes it even more vulnerable to attacks,” said cyber threat researcher Abhinav Pandey.