Rewterz Threat Update – Saudi Arabian Ministry Exposed Sensitive Data for 15 Months

Severity

High

Analysis Summary

The Ministry of Industry and Mineral Resources (MIM) of Saudi Arabia had an environment file that exposed sensitive information for anyone to access. Researchers believe that the sensitive data had been accessible for 15 months.

An environment (env.) file is a critical system component used to covey a set of instructions to applications. These files expose sensitive data if left open for anyone to access and let threat actors have the ease to perform various malicious activities. The now-secured MIM’s env. file exposed critical information that cybercriminals could leverage for lateral movement inside the ministry’s systems and potentially doing anything from account takeover to a ransomware attack.

MIM is a government entity that looks over industry and mineral resources operations. It was founded in 2019 to diversify Saudi Arabia’s economy away from gas and oil. According to security researchers, the first time IoT search engines discovered this env. file was back in March 2022, which shows that the data was exposed publicly for about 15 months. The file is now closed and can no longer be accessed.

Threat actors can steal the leaked credentials and use them to gain access to government systems to perform ransomware attacks and attempt to encrypt critical government data, demanding a ransom and threatening to leak the information or sell it. The ministry has not published any statements regarding the incident.

The exposed env. file exposed various database credentials, data encryption keys, and mail credentials. The researchers also discovered exposed SMTP (Simple Mail Transfer Protocol) credentials, access to which allows threat actors to impersonate government workers and officials to perform social engineering attacks. This way, they can deceive victims into disclosing more sensitive information, gaining access to other systems or resources, and committing fraud. The file also provided access to the Laravel APP_Key, a configuration setting used to encrypt cookies and session data. This exposed APP_Key could allow cybercriminals to decrypt sensitive information.

Cybersecurity analysts discovered credentials for MySQL and Redis databases as well that organizations use to store, retrieve, manage data, and perform real-time analytics. Both these databases were available only on local networks, meaning that threat actors could exploit the leaked credentials especially if they already had established a foothold within the MIM’s systems.

The leaked database credentials show a huge risk of data breaches and exfiltration as the attackers can gain access to government-based systems, including personally identifiable information (PII) of citizens, financial records, classified information, and other critical government data that can be sold on the black market and used for identity theft or blackmail.

Impact

• Identity Theft
• Credential Theft
• Exposure to Sensitive Information

Remediation

• Impacted individuals need to stay vigilant about possible incidents of identity theft and fraud, and promptly report any suspicious activity to the relevant authorities.
• Change the passwords for the affected MySQL and Redis databases and email accounts immediately and revoke any compromised credentials.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.