Malaysia-linked DragonForce hacktivists attack Indian targets

Just what we needed: a threat to rival Anonymous


A Malaysia-linked hacktivist group has attacked targets in India, seemingly in reprisal for a representative of the ruling Bharatiya Janata Party (BJP) making remarks felt to be insulting to the prophet Muhammad.

The BJP has ties to the Hindu Nationalist movement that promotes the idea India should be an exclusively Hindu nation. During a late May debate about the status of a mosque in the Indian city of Varanasi – a holy city and pilgrimage site – BJP rep Nupur Sharma made inflammatory remarks about Islam that sparked controversy and violence in India.

The threat groups have successfully filled the void left by Anonymous.

According to Indian threat intelligence vendor CloudSEK and US-based security and application delivery vendor Radware, Sharma's remarks caught the attention of a Malaysia-linked group called DragonForce that has launched attacks against Indian targets and sought assistance from others to do likewise under the banner "#OpsPatuk".

Radware's take [PDF] on DragonForce is it's "a known pro-Palestinian hacktivist group located in Malaysia and has been observed working with several threat groups in the past, including the T3 Dimension Team and ReliksCrew."

"DragonForce Malaysia is not considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated," Radware's analysts wrote. "But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members."

Those skills extend to Twitter, where DragonForce is assumed to be the entity behind the following missive that calls for others to join its attacks on India and lists targets in sectors including logistics, education, web hosting, and software:

CloudSEK concurs with Radware's analysis that DragonForce relies on widely available DDoS tools and suggests a DragonForce forum member launched DDoS attacks against the BJP website, and shared credentials that offer access to social media accounts and bank accounts.

Radware has watched DragonForce achieve multiple site defacements as part of this campaign. CloudSEK says it's seen the group target hosting providers, deploy ransomware, and conduct phishing campaigns using SMS and WhatsApp.

DragonForce's Twitter feed suggests it has enjoyed considerable success. And FWIW The Register yesterday struggled to reach Indian government websites for several hours.

This incident is more than a local skirmish. Radware rates DragonForce's forums as a source of information on how to exploit vulnerabilities such as Atlassian's critical Confluence bug.

"Over the last year, DragonForce Malaysia and its associates have launched several campaigns," Radware's researchers wrote, adding: "The threat groups, in combination, have successfully filled the void left by Anonymous while remaining independent during the resurgence of hacktivists relating to the Russian/Ukrainian war." ®

Broader topics


Other stories you might like

  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Indian government signals changes to infosec rules after industry consultation
    Reports suggest SMBs will get more time, but core elements including six-hour reporting requirement remain

    Indian media is reporting that the government has consulted with industry about its controversial infosec reporting rules, possibly resulting in concessions that slightly ease requirements for some businesses.

    The rules, introduced on April 29 with no warning and a sixty-day compliance deadline, require organizations operating in India to report 22 different types of information security incidents within six hours of detection, maintain extensive logs of their own and customers' activities and provide that info to authorities as required, and use only network time protocol (NTP) servers provided by Indian authorities or synced to those servers.

    The rules generated swift and widespread opposition on grounds that they were loosely worded, imposed enormous compliance burdens, made India less attractive to foreign tech companies, and would harm privacy. The requirement to report even trivial incidents within six hours was criticized as likely delivering a deluge of reports that would contribute little to the stated goal of securing intelligence with which to defend the nation. The Internet Society warned that insistence on using Indian NTP servers would create an unhelpful reliance on that infrastructure.

    Continue reading
  • Indian government issues confidential infosec guidance to staff – who leak it
    Bans VPNs, Dropbox, and more

    India's government last week issued confidential information security guidelines that calls on the 30 million plus workers it employs to adopt better work practices – and as if to prove a point, the document quickly leaked on a government website.

    The document, and the measures it contains, suggest infosec could be somewhat loose across India's government sector.

    "The increasing adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground," the document opens.

    Continue reading
  • Zero Trust: What does it actually mean – and why would you want it?
    'Narrow and specific access rights after authentication' wasn't catchy enough

    Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.

    In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.

    Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022