![](https://bcsi.gov.bd/wp-content/uploads/2024/05/BCSI-thumbnail-1024x543.png)
In a recent investigation, Bangladesh Cyber Security Intelligence (BCSI) identified a potential security breach involving Amber IT’s ticketing system. Following our initial post, Amber IT’s IT team commented on social media, claiming their ticketing system has been local and not online for the past years. We have since conducted a thorough re-investigation and present our updated findings and technical analysis.
Initial Incident:
Our cybersecurity researchers at BCSI discovered credentials and access details for Amber IT’s ticketing system panel being traded on a dark web forum. This prompted us to alert the public and Amber IT about the potential security risks, emphasizing the need for immediate action to safeguard sensitive data and maintain service integrity.
Amber IT’s IT team responded to our post via social media, stating:
“Amber IT’s ticketing system has been local and not online for the past years. The claims made are incorrect and seem to aim at creating unnecessary panic among our users.”
Re-Investigation and Findings
Taking Amber IT’s feedback into account, we removed the post and conducted a detailed re-investigation. Here are our findings:
User Malware Infection:
Email: [email protected]
Compromised PC Information:
IP Address: 103.108.63.177
File Location: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Username: NTP_ETB_321
Location: Dhaka, Bangladesh
HWID: 87A7F3C4888527D32E4C3BCCB14FE51C
Operating System: Windows 10 Enterprise x64
Antivirus: Windows Defender
Exposed Credentials:
During our re-investigation, we discovered exposed credentials linked to the compromised user at Amber IT, including logins for several of Amber IT’s own web panels.
Our investigation revealed that the credentials shared by the threat actor were linked to a user whose PC was compromised by malware. The malware could potentially allow a hacker to gain access to local networks, including internal systems such as the ticketing system.
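As an added example (not part of the BCSI advisory), the script below parses a credential dump in the URL/Username/Password layout used in these findings and flags the records a defender should act on first: entries on private addresses (internal panels reachable from the infected PC) and entries tied to the organisation’s own domains or accounts. All records and domain names are constructed, and ORG_DOMAINS is an assumed list of domains the affected organisation owns.

```python
# Added example (not the advisory's code): triage an infostealer-style credential
# dump in the URL/Username/Password layout above. Records on private (RFC 1918)
# addresses or org-owned domains/accounts are the ones to reset first. Sample is constructed.
import ipaddress
import re
from urllib.parse import urlparse
SAMPLE_DUMP = """\
URL: http://10.0.0.5/cgi/login.php
Username: support
Password: s******rt
URL: https://mail.corp.example/
Username: user@corp.example
Password: pw*****xx
URL: https://billing.thirdparty.example/SignIn
Username: user@corp.example
Password: zz*****99
URL: https://www.social.example/
Username: user@personal.example
Password: ab*****12
"""
ORG_DOMAINS = ("corp.example",)  # assumption: domains the affected org owns
RECORD_RE = re.compile(r"URL: (\S+)\s+Username: (\S+)\s+Password: (\S+)")
def parse_dump(text):
    """One dict per record: url, host, user and the (masked) password."""
    for url, user, pw in RECORD_RE.findall(text):
        yield {"url": url, "host": urlparse(url).hostname or "", "user": user, "pw": pw}

def is_internal_host(host):
    try:  # private/loopback IP literal = a panel only reachable from inside the LAN
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname, not an IP literal
        return False
def is_org_name(name, org_domains=ORG_DOMAINS):
    return any(name == d or name.endswith("." + d) for d in org_domains)

def triage(text, org_domains=ORG_DOMAINS):
    """Bucket records: internal panels, org accounts, unrelated third-party sites."""
    buckets = {"internal": [], "org": [], "third_party": []}
    for r in parse_dump(text):
        if is_internal_host(r["host"]):
            buckets["internal"].append(r)
        elif is_org_name(r["host"], org_domains) or is_org_name(r["user"].rpartition("@")[2], org_domains):
            buckets["org"].append(r)  # org panel, or an org e-mail reused on a third-party site
        else:
            buckets["third_party"].append(r)
    return buckets
def accounts_to_reset(text, org_domains=ORG_DOMAINS):  # distinct (host, user) pairs to force-reset and audit
    b = triage(text, org_domains)
    return sorted({(r["host"], r["user"]) for r in b["internal"] + b["org"]})
```

The "org" bucket deliberately catches organisation e-mail addresses reused on third-party sites, since a stealer log shows exactly which external accounts share an identity with the internal ones.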
Technical Analysis: Malware and Local Network Compromise
Understanding Malware Impact:
When a user’s PC is compromised by malware, it can serve as a gateway for attackers to infiltrate local networks.
Here’s how:
Tunneling: Attackers can use the compromised PC to create a tunnel, allowing them to bypass network security measures and access local network applications from outside the network. This technique enables attackers to exploit internal systems that are otherwise protected from direct external access.
Credential Theft: Malware can capture and transmit user credentials, granting attackers access to various systems and applications.
Network Spread: Malware can exploit network vulnerabilities, spreading to other devices and systems within the local network.
Data Exfiltration: Sensitive data, including internal communications and client details, can be extracted and misused by attackers.
Further Investigation: Telegram Threat Actor
During our continued investigation, another threat actor on Telegram claimed to have access to Amber IT’s network. As evidence of this access, the actor provided screenshots of SMS messages that Amber IT had sent to its users. The threat actor claimed to possess around 1,500,000 such SMS messages, containing numerous credentials, and stated an intent to sell this data. Below are examples of the data provided by the threat actor.
Screenshots of SMS Data:
Further Investigation: Threat Actor Claims
Additionally, the threat actor claimed to have significant access to various systems within Amber IT and is willing to sell the acquired data. These claims include access to internal networks, sensitive applications, and user data. We are currently awaiting further evidence to substantiate these claims. We will continue to monitor the situation closely and post updates as more information becomes available.
Conclusion
Our investigation demonstrates that while the ticketing system may not have been directly accessible online, the malware infection on a user’s PC poses a severe risk to local network security. Additionally, evidence from a threat actor on Telegram suggests further network compromise.
In the future, we request that anyone with queries email us rather than comment on our page. We have no intention of harming any business or creating panic. Our goal is to provide accurate and actionable threat intelligence to ensure the safety and security of all organizations.
“Collaboration eliminates coincidence.” – BCSI