CloudSEK, a cybersecurity start-up that leverages Artificial Intelligence (AI) and Machine Learning (ML) to combat cyber threats, has given credence to media reports about a malicious actor promoting a Telegram bot that reportedly provided access to the personal information of Indian citizens who had registered for COVID-19 vaccines through the Central government portal CoWIN.
The bot claimed to offer personally identifiable information (PII) data.
Telegram is a mobile and desktop-based messaging app.
Significantly, the CloudSEK analysis team concluded that the threat actors do not have access to the entire CoWIN portal or to its back-end database. “We currently believe that the current incident is associated with a threat actor who has access to health workers,” read the advisory intelligence issued by the start-up for the benefit of the government.
It was observed that on March 13 this year, one such threat actor on a Russian cybercrime forum had advertised compromised access to the CoWIN portal and shared a screenshot of the CoWIN database portal for the Tamil Nadu region as proof. Furthermore, numerous healthcare worker credentials for the CoWIN portal are accessible on the dark web.
However, this issue primarily stems from the inadequate endpoint security measures implemented for healthcare workers, rather than any inherent weaknesses in CoWIN’s infrastructure security, the report said.
The COVID data bot was allegedly offered by a channel, which frequently shared hacking tutorials, resources, and bots for individuals to access and buy. Initially, the bot was available for everyone to use, but it was later made the exclusive preserve of subscribers.
The upgraded version of the bot returned PII, including Aadhaar card numbers, PAN card and Voter ID details, gender, and the name of the vaccination centre, based on an input phone number.
The bot is currently down and might come back up later, according to the admin of the channel, the advisory said.
The exposed PII, it is feared, could enable threat actors to orchestrate social engineering schemes, phishing attacks, and even identity theft. To mitigate this, CloudSEK recommended two-factor authentication, an advanced identity and access management security protocol, and constant monitoring of cybercrime forums for the latest tactics employed by threat actors.