Cybersecurity intelligence firm CloudSEK’s Threat Intelligence team said it discovered LeakBase’s announcement of the breach and rated it “C3,” meaning the source is “fairly reliable” and the information “likely true.”
“This data can be leveraged by other threat actors to carry out large-scale cyberattacks such as phishing, smishing, social engineering, and even identity theft,” the CloudSEK research team said to ET.
“We recommend that users affected by this leak check for unusual activity on their Swachh.city accounts and other bank and email accounts. As a precaution, they should also change their passwords and enable multi-factor authentication,” added the team.
A CloudSEK researcher told ET that India’s cybersecurity watchdog Cert-In was notified of the breach on Tuesday. The Department of Housing and Urban Affairs could not immediately be reached for comment.
Access to the server would provide the threat actor with the details needed to launch sophisticated ransomware attacks, exfiltrate data and maintain persistence, the company said. “This leaked information may be aggregated for subsequent sale as leads on cybercrime forums,” CloudSEK said in a statement.
Additionally, social engineering and phishing attempts against relevant entities or individuals could also take place. “The adversary, known as LeakBase, Chucky, Chuckies and Sqlrip on underground forums, shared a database containing personally identifiable information (PII) such as email addresses, hashed passwords, a user ID, etc., which would affect 16 million users of the Swachh City platform,” the organization said.
LeakBase often operates for financial gain and makes sales on its market forum leakbase.cc. The 1.25 GB database was hosted on a popular file hosting platform, CloudSEK said.
CloudSEK researchers said that if this information falls into the wrong hands, threat actors can glean and harvest more PII from those affected.
LeakBase also sells access to the administration panels and servers of various content management systems (CMS). This access is obtained by unauthorized means and resold for monetary profit.
“As individuals whose personal information such as phone numbers and email addresses are advertised for sale, there is a strong possibility that it will be used against them,” CloudSEK said.
LeakBase has been active since March and is rated a threat actor with a “high” reputation: it has a track record of providing reliable data and expertise in breaches of companies around the world, CloudSEK said.
To mitigate the threat, CloudSEK recommends a strong password policy and MFA (multi-factor authentication) across all logins. Vulnerable and exploitable endpoints should be patched, and anomalies in user accounts, which could indicate account takeovers using the leaked credentials, should be closely monitored. Cybercrime forums should also be monitored for the latest tactics employed by threat actors.