After Facebook and Mobikwik, hackers have claimed to have gained access to another major tech giant in India. According to two posts by hackers on a hackers’ forum, they have gained access to Tata Communications servers. In the posts, the hackers are offering backdoor entry to the servers to anyone willing to pay $9000.
Access to servers sold, claimed hackers
In a March 15 post, the hackers claimed that they have got access to the servers of Tata Communications. They were offering access for $18,000 in the form of Bitcoins. The buyer would get:
- Access partners
- Access to the internal network
- Access to the webserver
- Access to DB’s
- +30 Billion billable transactions
- Access to all SMS and telecom servers
The hackers offered a discount if needed. By March 11, the hackers had dropped the price substantially and were asking for $9,000 in Bitcoins. However, when we tried contacting the hackers, they claimed that the access to Tata servers had already been sold. On inquiring further whether the person who bought the access can reach the servers remotely, the hacker said the servers are behind firewalls, and the buyer did not buy a firewall bypass from them. However, with the information they have, the buyer can use Web Shell access to gain persistent access to the company’s databases.
What exactly is the Web Shell access?
A Web Shell is a malicious script used by threat actors to escalate and maintain continuous access to an already compromised web application or server. It has to be noted that a Web Shell cannot attack or exploit remote vulnerabilities on its own; rather, it is the second step of an attack, deployed after an initial foothold has been obtained.
In this case, the threat actors would use the vulnerabilities existing on the Tata Communications servers, which they learnt about from the data bought from the hacker. Using the vulnerabilities, they can initiate a social engineering attack to obtain file upload capabilities and transfer malicious files, i.e. the Web Shells, onto the server. Common Web Shell functionalities include, but are not limited to, shell command execution, database enumeration, code execution and file management.
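Because a Web Shell is a script that sits on the server after the initial compromise, defenders typically look for it in two places: the web root (a script file that feeds request parameters into command or code execution) and the access logs (requests to script paths the application never deployed, carrying command-style parameters). The following is an added example of such a triage check, written for this article and not code from OpIndia, Tata Communications or the hackers' posts. The PHP snippets, log lines, paths and the allowlist of known scripts are all constructed for the example; the function-name lists are a heuristic, not a complete signature set.

```python
"""Heuristic web shell triage for a PHP web server (added example).

Two defender-side checks that follow from what a Web Shell is:
  1. file triage: script files in the web root that combine request input
     with command- or code-execution functions (or wrap them in obfuscation);
  2. log triage: access-log entries that hit script paths outside the known
     application and/or carry command-style parameters.
All sample inputs below are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# PHP functions that run OS commands or evaluate code (typical Web Shell building blocks).
EXEC_FUNCS = ("eval", "system", "exec", "shell_exec", "passthru", "popen", "proc_open", "assert")
# Superglobals that carry request-controlled input.
INPUT_VARS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
# Decoders often wrapped around a hidden payload.
OBFUSCATION_FUNCS = ("base64_decode", "gzinflate", "str_rot13", "gzuncompress")


@dataclass
class FileFinding:
    path: str
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Flag only when execution is reachable from request input, or is
        # combined with payload obfuscation; an admin script that runs a
        # hard-coded command on its own does not meet the bar.
        has_exec = any(i.startswith("exec:") for i in self.indicators)
        has_input = any(i.startswith("input:") for i in self.indicators)
        has_obf = any(i.startswith("obfuscation:") for i in self.indicators)
        return has_exec and (has_input or has_obf)


def triage_php_source(path: str, source: str) -> FileFinding:
    """Collect execution, input and obfuscation indicators from one PHP file."""
    finding = FileFinding(path)
    for fn in EXEC_FUNCS:
        # \b keeps 'exec(' from matching inside 'shell_exec('.
        if re.search(r"\b%s\s*\(" % re.escape(fn), source):
            finding.indicators.append("exec:" + fn)
    for var in INPUT_VARS:
        if var in source:
            finding.indicators.append("input:" + var)
    for fn in OBFUSCATION_FUNCS:
        if re.search(r"\b%s\s*\(" % re.escape(fn), source):
            finding.indicators.append("obfuscation:" + fn)
    return finding


# Apache/Nginx combined-style access log line (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Parameter names commonly used to pass a command to a Web Shell.
COMMAND_PARAMS = {"cmd", "c", "exec", "command"}


def triage_access_log(lines, known_scripts):
    """Return (client_ip, script_path, reasons) for requests worth a closer look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        path, _, query = m.group("target").partition("?")
        if not path.endswith(".php"):
            continue
        reasons = []
        if path not in known_scripts:
            reasons.append("unknown script")
        params = {p.split("=", 1)[0] for p in query.split("&") if p}
        if params & COMMAND_PARAMS:
            reasons.append("command-style parameter")
        if reasons:
            hits.append((m.group("ip"), path, reasons))
    return hits


# ---- constructed sample data (not from the article or any real server) ----
SAMPLE_FILES = {
    "/var/www/html/index.php": "<?php require 'app/bootstrap.php'; $app->run(); ?>",
    "/var/www/html/uploads/img.php": "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>",
    "/var/www/html/uploads/x.php": "<?php eval(base64_decode('aGVsbG8=')); ?>",
    "/var/www/html/admin/stats.php": "<?php echo shell_exec('uptime'); ?>",
}
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Mar/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Mar/2021:10:05:44 +0000] "POST /uploads/img.php?cmd=id HTTP/1.1" 200 77',
    '198.51.100.7 - - [15/Mar/2021:10:06:01 +0000] "GET /uploads/x.php HTTP/1.1" 200 13',
    '10.0.0.8 - - [15/Mar/2021:10:07:30 +0000] "GET /admin/stats.php HTTP/1.1" 200 90',
]
KNOWN_SCRIPTS = {"/index.php", "/admin/stats.php"}  # assumed deployment manifest


def run_triage():
    """Run both checks over the constructed samples and return the findings."""
    flagged_files = [f for p, s in SAMPLE_FILES.items() if (f := triage_php_source(p, s)).suspicious]
    return flagged_files, triage_access_log(SAMPLE_LOG, KNOWN_SCRIPTS)


if __name__ == "__main__":
    files, hits = run_triage()
    for f in files:
        print("suspicious file:", f.path, f.indicators)
    for ip, path, reasons in hits:
        print("suspicious request:", ip, path, ", ".join(reasons))
```

Note that the file check deliberately does not flag `admin/stats.php`: it calls `shell_exec`, but with a hard-coded argument and no request input, so on its own it is an ordinary (if questionable) admin script. Correlating the two outputs is where the value lies: a script outside the deployment manifest that also contains input-to-execution flow, and that is being requested with a `cmd` parameter, is the combination that should trigger containment and a look at how the file got there (the upload path the article describes).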
Databases worth 50 GB up for sale
According to the second post by the hackers, they are willing to sell the 50GB database of Tata Communications. They might have gained access using the vulnerabilities they talked about in the previous post. The hackers alleged that the database contains:
- Customer details: username – password (plaintext) – server information – server logs – phone numbers, etc.: If the hackers are to be believed, this will provide the buyer access to the server credentials of Tata Communications’ customers.
- CRM and Organizational automation DB’s: Customer Relationship Management (CRM) and Organizational automation Database contains information of the sales that the company has made over time and information about its customers. Such a system helps the company to track and manage the engagement between customers and responsible teams at the company. This system is used for both existing and prospective customers. If someone gets access to this information, it can be used to get detailed information of the contracts between the company and the customer. In the wrong hands, it can potentially cause financial losses to the company.
- Employees Emails Backup: This is the most dangerous set of information that the hacker has offered in the database. Employees’ email backups can provide a lot of information about the company’s processes, customer details, projects the company is working on, in-house trade secrets and much more. It is still unclear how much information is available to the hackers. Another point to keep in mind here is that the access to the servers has already been sold. If the hackers have provided correct information, someone might have already started accessing the databases using the vulnerabilities exploited by the hackers.
- Servers access information (usernames – passwords (plaintext) – IP): The hackers claim that they are providing passwords in plaintext format. That means they have already been dehashed. In this case, if the information is correct, anyone who has access to this database will be able to access different servers and exploit the data available on the said servers.
- Admin panels information (usernames – passwords (plaintext) – URLs): Using this information, the buyer of the database can access admin panels at Tata Communications, leaving trade information vulnerable to leaks.
- Internal networks Maps and diagrams
- Employees Maps
The sample data
OpIndia got access to a sample of the database. There were a total of eight files and one folder in the sample data. In the folder, there were some invoices dating back to 2016-17. These invoices were issued by one of Tata Communications’ business partners, the telecom giant Etisalat. Both companies had signed an MoU in 2013 to build multi-service regional network infrastructure in the UAE.
In a file titled Tel-data-2021, details of Tata Communications clients’ network usage were found. The majority of the clients mentioned in this list were from Saudi Arabia.
Another file shared by the hacker had usernames, passwords in plain text (possibly dehashed), email addresses and other details of one of Tata Communications’ clients, a Cloud Communication Platform provider. Notably, one of the users had his phone number as the password. When we reverse checked the number, it turned out to be registered to the same name, which weighs in favour of the authenticity of the data.
The hacker also shared a sample of SMS servers of Tata Communications. It has to be noted that the services of Tata Communications are used by several companies, including banks, institutes, government organizations and more. In this particular file, we were able to check the numbers of the users and what messages they exchanged. The messages ranged from October 2020 to March 2020. Please note that this was only a sample, and the hackers have claimed to have access to the latest data dump.
Another database potentially has information of the internal invoices.
There is still a lot of information in the sample data dump that we believe should not be shared anywhere. The screenshots included in this report are not even 0.1% of the data the hackers provided in the data sample.
Tata Communications is yet to comment
We have contacted the Chief Technology Officer at Tata Telecommunications via email and are waiting for their reply. Once they provide us with any information about the alleged leak/breach, we will update the story.