Volodymyr "Bob" Diachenko
Published Aug 3, 2022
If you follow my work, you probably know that we at SecurityDiscovery regularly monitor the Internet for public exposures. We don't use active scanning and rely only on public sources - data streams coming from a variety of IoT search engines. This is a very important part of our routine, as the point is to highlight that no sophisticated tools or methods are required to identify a data exposure, so technically anyone with access to the Internet can do the same.
On August 2nd, 2022, an internal report caught my attention. Our systems identified 2 (two) separate IPs with passwordless Elasticsearch clusters containing indices called "UAN". After a quick review of the samples (using a simple browser), I was sure that I was looking at something big and important.
UAN stands for Universal Account Number, an identifier in an Indian government registry. A UAN is allotted by the Employees' Provident Fund Organisation (EPFO).
The Elasticsearch cluster on the first IP contained 280,472,941 records. The cluster on the second IP contained 8,390,524 records.
Each record had the following structure:
It was not immediately clear who the owner of the data was. Both IPs were Azure-hosted and India-based. No other information was obtained through reverse DNS analysis either. Both Shodan and Censys picked them up on Aug 1st, but it is unknown for how long the data was exposed before the search engines indexed it.
Given the scale and obvious sensitivity of the data, I decided to tweet about it, without giving any details about the source or associated info. Within 12 hours of my tweet both IPs were taken down and are now unavailable.
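Added example, not SecurityDiscovery's tooling or the author's method: a small Python triage script showing what the "simple browser" check above amounts to when scripted. It asks the Elasticsearch REST API for the index listing without any credentials. An HTTP 200 on /_cat/indices means anyone can enumerate the cluster (and, by extension, read its documents), while a 401 or 403 means authentication is enabled. The watch-list patterns, the host argument and the sample listing are constructed for illustration; they are not the two clusters described in this post.

```python
"""Added example: check whether an Elasticsearch endpoint answers the index
listing without credentials, and flag index names on a watch list.
Not SecurityDiscovery's tooling; the watch-list patterns and the sample
listing below are constructed for illustration."""
import fnmatch
import json
import sys
import urllib.error
import urllib.request

# Index-name patterns worth a human look (assumption: shell-style globs,
# matched against the lower-cased index name).
WATCH_PATTERNS = ["uan*", "*epfo*"]


def fetch(url, timeout=10):
    """GET url with no credentials. Returns (status, body); HTTP errors are
    returned rather than raised so the caller can tell 401 from 200."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def triage_indices(cat_indices, patterns):
    """cat_indices: the list of dicts returned by GET /_cat/indices?format=json.
    Returns the total document count and the watch-listed indices, largest first."""
    total = 0
    flagged = []
    for entry in cat_indices:
        name = entry.get("index", "")
        # docs.count is null for closed indices; treat that as 0.
        count = int(entry.get("docs.count") or 0)
        total += count
        if any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns):
            flagged.append({"index": name, "docs": count,
                            "status": entry.get("status")})
    flagged.sort(key=lambda f: f["docs"], reverse=True)
    return {"total_docs": total, "flagged": flagged}


def probe(host, port=9200, scheme="http", patterns=WATCH_PATTERNS):
    """Anonymous, read-only probe of one host: index metadata only, no documents."""
    url = f"{scheme}://{host}:{port}/_cat/indices?format=json"
    try:
        status, body = fetch(url)
    except (urllib.error.URLError, OSError) as err:
        return {"host": host, "exposed": False, "reason": f"unreachable: {err}"}
    if status in (401, 403):
        return {"host": host, "exposed": False,
                "reason": f"HTTP {status}: authentication required"}
    if status != 200:
        return {"host": host, "exposed": False, "reason": f"HTTP {status}"}
    return {"host": host, "exposed": True, **triage_indices(json.loads(body), patterns)}


# Constructed sample of what /_cat/indices?format=json returns on an open
# cluster (names and counts are made up, not the real listing).
SAMPLE_CAT_INDICES = [
    {"health": "green", "status": "open", "index": "uan", "docs.count": "1200"},
    {"health": "yellow", "status": "open", "index": ".kibana_1", "docs.count": "3"},
    {"health": "green", "status": "open", "index": "uan_backup", "docs.count": "800"},
    {"health": "red", "status": "close", "index": "logs-2022.07", "docs.count": None},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python triage_es.py <host>  (only against hosts you are authorized to test)
        print(json.dumps(probe(sys.argv[1]), indent=2))
    else:
        print(json.dumps(triage_indices(SAMPLE_CAT_INDICES, WATCH_PATTERNS), indent=2))
```

The probe is deliberately limited to index metadata: confirming that the listing is anonymous is enough to establish an exposure, and pulling documents from a stranger's cluster is not something a researcher should do. Note also that Elasticsearch 8 enables authentication by default, while 7.x and older installs run without it unless the operator turns it on, which is why clusters like the two above keep turning up in search-engine feeds.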
As of Aug 3rd, I had not heard back from any agency or company claiming responsibility for the data found.
Let's educate ourselves!
As we see a never-ending loop of these incidents, I have decided to offer a live educational session (webinar or offline workshop) to raise cyber security awareness within your organization and prevent similar issues in the future. I use real-world examples and promote the idea that data security matters to every employee at every level of the organization.
It can be an online webinar session (estimated 1h long) with Q&A, or an offline meeting in your offices with live interaction with your team (workshop included).
Proposed content includes:
- Description of the tools and techniques we use to identify vulnerabilities, PII and sensitive data online: no hacking, just google it.
- How to ensure your data / your company's data is not exposed to the public internet: security tips from professionals
- Recommendations and best practices for configuring and maintaining the main NoSQL databases (MongoDB, CouchDB, Elasticsearch)
- Case studies: analyzing how related data appears online
- Live search for data and master class
Let’s educate your team!
Additional services include classic security audits (with OSINT monitoring), such as black-/grey-box penetration tests and vulnerability scans. Our team (based in Hamburg and Kyiv) will assess overall network and cloud security, including the network perimeter, devices residing on network segments and the Internet-facing footprint, for potential vulnerabilities that could expose critical organizational systems and applications, customer information, organization information and financial assets.
Please feel free to send your requests to bob(at)securitydiscovery.com.