India’s Cherrinet ISP leaks user data, exposes accounts to abuse attempts

Some Indian internet users should worry about their data being in the wrong hands. The Cybernews research team discovered an open 1.8TB data trove belonging to internet service provider Cherrinet.

Cherrinet is an internet service provider (ISP) in India that offers fiber optic internet services. The brand belongs to the company K Net Solutions Private Limited.

On December 6th, 2023, the Cybernews research team discovered an open Kibana dashboard belonging to the company. Kibana is a visualization and exploration dashboard for data search and analytics, helping enterprises deal with large quantities of data.

In this instance, the dataset was extensive and contained a lot of personal information about customers, including names, email addresses, phone numbers, and home addresses.

The dataset contained 3.5 billion entries and 1.8TB of data. It had been left public since at least June 8th, 2021, when the first indexes appeared on Internet of Things search engines. The leaked dataset was being updated in real time.

“While it’s not clear how many unique customers were affected by the leak, the data suggests that the number should be close to 35 thousand customers,” researchers write.

What is more worrying is that part of the leak contains credentials granting customers access to the network.

“It may be possible for an attacker to use these credentials to try to log into the network, spoofing a different user. However, it is unclear how the network would deal with such attempts, as it could disconnect the legitimate user to connect the attacker or automatically detect misuse and block any login attempts,” Cybernews researchers said.

Cybernews reached out to Cherrinet; however, we did not receive any comments at the time of writing. The company resolved the issue after responsible disclosure by the Cybernews research team.

Cherrinet leaked data

Affected users susceptible to attacks

The leaked logs comprised these data points:

  • RADIUS (Remote Authentication Dial In User Service) traffic: This client-server protocol verifies user identity, determines if they have access to the network resources, and keeps track of data usage for billing.
  • NAS (Network Access Server) traffic: NAS is a device on the ISP’s network to which the customer router connects, and it handles authentication. Therefore, NAS logs contain information about customers and their routers.
  • PPPoE (Point to Point Protocol over Ethernet) credentials: The username and password combination establishes a secure connection with the ISP. However, the ISP sets the passwords and, therefore, they cannot be reused for credential stuffing or similar attacks.

“This leak is significant due to several factors. Malicious actors could use phones, emails, and other personally identifiable information for identity theft, spam, doxxing, or phishing attacks. PPPoE credential pairs could be used to attempt to access the network and abuse customer accounts,” Cybernews researchers warned.

Additionally, RADIUS keeps track of users’ bandwidth usage, which could provide adversaries with helpful information about internet usage patterns and present them with an opportunity to steal network resources from different users, resulting in Denial of Service or financial losses.

“The leaked data belongs to an ISP, not just some insignificant home network. Malicious actors could track private IP addresses provided for the users and see when they are online or not. Around 1% of the leaked IP addresses were Static Public IP addresses assigned to specific users, allowing malicious actors to tie customer PII to their IP address and use it for tracking the user’s activity,” researchers noted.

Keep your Kibana private

Any company should double-check and add safeguards to ensure that any Kibana instances are not publicly accessible.

Open Kibana instances have contributed to many leaks reported by Cybernews. They affected California-based IT company DNA Micro, defense contractor Belcan, Automatic Number Plate Recognition (ANPR) cameras in the UK, shoemaker Ecco, and many other companies.

If Kibana instances are left exposed, an attacker can read and sometimes manipulate sensitive data.

“Restrict access to the Kibana dashboard to the personnel who specifically require access,” researchers said.
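One way to act on this advice is to lint the Kibana and Elasticsearch settings files before deployment. The script below is an added example, not code from Cybernews or Cherrinet; the sample settings, function names and rule set are assumptions for illustration, and it assumes flat dotted keys as in a stock `kibana.yml` and `elasticsearch.yml`.

```python
import ipaddress

# Constructed sample settings (flat "key: value" lines), not Cherrinet's real files.
WEAK = {
    "kibana.yml": 'server.host: "0.0.0.0"\nelasticsearch.hosts: ["http://10.0.0.5:9200"]',
    "elasticsearch.yml": "network.host: 0.0.0.0\nxpack.security.enabled: false",
}
HARDENED = {
    "kibana.yml": 'server.host: "127.0.0.1"  # reached via VPN or authenticating proxy\n'
                  'elasticsearch.hosts: ["https://10.0.0.5:9200"]',
    "elasticsearch.yml": "network.host: 10.0.0.5\nxpack.security.enabled: true",
}

def parse_flat(text):
    """Parse flat 'dotted.key: value' lines; drops comments and surrounding quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #")[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"\'')
    return settings

def exposed_bind(host):
    """True if the bind address is a wildcard or a publicly routable IP."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname such as "localhost": not judged by this check
    return ip.is_unspecified or ip.is_global

def audit(files):
    """Return a list of findings for a {filename: text} mapping."""
    kib = parse_flat(files.get("kibana.yml", ""))
    es = parse_flat(files.get("elasticsearch.yml", ""))
    findings = []
    if exposed_bind(kib.get("server.host", "localhost")):
        findings.append("kibana: server.host binds a wildcard/public address")
    if "http://" in kib.get("elasticsearch.hosts", ""):
        findings.append("kibana: plaintext HTTP to Elasticsearch")
    if exposed_bind(es.get("network.host", "localhost")):
        findings.append("elasticsearch: network.host binds a wildcard/public address")
    # Unset is flagged too: Elasticsearch releases before 8.0 default this to off.
    if es.get("xpack.security.enabled", "").lower() != "true":
        findings.append("elasticsearch: xpack.security.enabled is not true")
    return findings

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED), sep="\n")
```

A clean result only covers these four settings; firewall rules and role assignments still decide who can actually reach and read the dashboard.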

In the case of Cherrinet, the leak includes lots of technical information regarding authentication to the ISP network, which may allow malicious actors to abuse the ISP's services and cause disruptions. Any leaked credentials should be reset, and it's recommended to notify affected customers.

Cybernews advises affected users to be cautious of new incoming email communications and to be wary about opening attachments and links. If they suspect their accounts are being abused, they should contact the company.
