After the central government issued a statement confirming that CoWIN was “completely secure,” cyber threat analysis firm CloudSEK released its report stating that threat actors do not have access to the entire online portal or back-end database.

But the researchers' analysis revealed that, in their understanding, threat actors had obtained credentials belonging to health workers, which they may have used to log in to CoWIN and view the data those accounts can access.

“Based on matching fields from Telegram data and previously reported incidents affecting a health worker in an area, we assume that information was scraped by these compromised credentials. Claims need to be verified individually,” CloudSEK said.

The team also said: “On March 13, 2022, an actor on a Russian cybercrime forum announced that a hacker had accessed a CoWIN portal in the Tamil Nadu region, and claimed to have breached the CoWIN database. Upon analysis, we discovered that the breach was of a health worker and not actually on the infrastructure.”

Dark web

In addition, the team stated that several sets of CoWIN healthcare worker credentials are available on the dark web. This exposure mostly stems from insufficient endpoint security protections on the devices used by healthcare personnel.
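The report's inference that records were scraped with compromised health-worker credentials describes the kind of activity a portal operator can look for in its own access logs: one account pulling far more distinct beneficiary records than a normal vaccination-desk workflow, or being used from more than one network at once. The following is an added example, not CloudSEK's code or anything from the CoWIN project. It assumes a hypothetical log format (timestamp, account, beneficiary ID, source IP), the thresholds are illustrative, and the log lines are constructed.

```python
"""Flag portal accounts whose lookup pattern resembles bulk export.

Added example; assumes a hypothetical access log with one line per
beneficiary-record lookup: "<ISO timestamp> <account> <beneficiary_id> <ip>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # illustrative sliding window
MAX_LOOKUPS = 5                 # illustrative: distinct records per account per window

# Constructed sample log (not real data). hw_0412 and hw_0555 behave like
# a vaccination desk; hw_0977 pulls six records in five seconds and the
# session switches to an outside address mid-stream.
SAMPLE_LOG = """\
2022-03-13T09:00:05 hw_0412 BEN-10001 10.1.2.3
2022-03-13T09:04:11 hw_0412 BEN-10002 10.1.2.3
2022-03-13T09:31:40 hw_0412 BEN-10003 10.1.2.3
2022-03-13T10:02:00 hw_0977 BEN-20001 10.1.9.8
2022-03-13T10:02:01 hw_0977 BEN-20002 203.0.113.7
2022-03-13T10:02:02 hw_0977 BEN-20003 203.0.113.7
2022-03-13T10:02:03 hw_0977 BEN-20004 203.0.113.7
2022-03-13T10:02:04 hw_0977 BEN-20005 203.0.113.7
2022-03-13T10:02:05 hw_0977 BEN-20006 203.0.113.7
2022-03-13T11:00:00 hw_0555 BEN-30001 10.1.4.4
2022-03-13T11:20:00 hw_0555 BEN-30002 10.1.4.4
2022-03-13T11:40:00 hw_0555 BEN-30003 10.1.4.4
2022-03-13T12:00:00 hw_0555 BEN-30004 10.1.4.4
2022-03-13T12:20:00 hw_0555 BEN-30005 10.1.4.4
2022-03-13T12:40:00 hw_0555 BEN-30006 10.1.4.4
2022-03-13T13:00:00 hw_0555 BEN-30007 10.1.4.4
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, beneficiary, ip), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, beneficiary, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, beneficiary, ip))
    events.sort(key=lambda e: e[0])
    return events


def find_scraping(events, window=WINDOW, max_lookups=MAX_LOOKUPS):
    """Return {account: set of reasons} for accounts that look like bulk export.

    "bulk-lookup": more than max_lookups distinct beneficiaries inside one window.
    "multi-ip":    the same account used from more than one source IP inside one window.
    """
    per_account = defaultdict(list)
    for event in events:
        per_account[event[1]].append(event)

    findings = defaultdict(set)
    for account, evs in per_account.items():
        recent = deque()  # events within the trailing window
        for ts, _, beneficiary, ip in evs:
            recent.append((ts, beneficiary, ip))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            distinct = {b for _, b, _ in recent}
            ips = {i for _, _, i in recent}
            if len(distinct) > max_lookups:
                findings[account].add("bulk-lookup")
            if len(ips) > 1:
                findings[account].add("multi-ip")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in find_scraping(parse_log(SAMPLE_LOG)).items():
        print(account, sorted(reasons))
```

Volume alone is a weak signal on its own, since a busy camp legitimately looks up many records; pairing it with a network change in the same session, as here, is what separates a scripted export with stolen credentials from a real desk. A real deployment would tune the window and threshold per role and site.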

The Minister of State for Skills Development, Entrepreneurship, Electronics and Information Technology, Rajeev Chandrasekhar, stated in a tweet: “It does not appear that the CoWIN app or the database has been directly hacked.” CloudSEK's analysis may therefore answer the questions raised about an ‘indirect breach’.

Telegram bot

It was reported earlier that the personal information of several Indians, including Aadhaar details, passport, phone number, date of birth and gender, was available on the Telegram app for a brief period of time.

The bot acted as a search engine: when given a phone number, it returned the matching person's details, including the location where the vaccination was administered.

CloudSEK revealed that the bot was introduced by a channel called hak4learn, which frequently shares hacking tutorials, resources, and bots for individuals to access and purchase. Apparently, the bot, which is now disabled, was initially open to all, but was later restricted to paying subscribers.

The report included a screenshot of the Telegram channel.

The report also said: “The real source of the Telegram bot is unknown. It is important to note that the bot has a version 1 which only shows personal information based on phone number, while version 2 claimed to be a Truecaller bot which also contains personal information of individuals.”

The channel, which was launched on December 11, 2021, offers a wide range of Telegram bots, including a Truecaller bot that returns location information for a given phone number, an OTP bot, a UPI recon bot, a phishing page bot, and many more.

The advertised post contained screenshots of the administration portal revealing PII of people who had registered for COVID-19 vaccination. HUMINT analysis showed the data belonged to a district in Tamil Nadu, and the actor claimed to have access only to the centre in that one district at the time, the report added.

The team also found an active Instagram account, using the same name hak4learn. According to CloudSEK, the account is likely linked to the threat actor.

