Tirth Parmar
94 posts

Tirth Parmar
@thetirthparmar
Cyber Security Engineer | Full-Stack Developer | Founder @levythonhq
India · Joined April 2020
49 Following · 590 Followers

This email from a girl student was received yesterday. While the CBSE portal shows that copies of all her answer sheets have been uploaded and provided, she has neither received them nor is she able to download one of them.
This is just one example showing that the CBSE portal is still not functioning properly. I have received numerous complaints regarding the same issue from students across the country.
@cbseindia29, students are continuously writing to you but are not receiving any response. Kindly look into these issues and resolve them immediately.
@EduMinOfIndia

Tirth Parmar retweeted

@ni5arga @cbseindia29 good morning CBSE, you said you used scanners to scan these copies,
now since the copies are out to the public view, do you mind explaining
which copies when scanned through a scanner, have a drop shadow? and these 3 folds?
did you really use scanners?


We managed to access CBSE’s OSM storage bucket due to a basic misconfiguration: it was left publicly open.
#cbse #cybersecurity
nisarga@ni5arga
CBSE people didn't configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answersheets & question papers. ListObjectsV2 works without any auth and the bucket root is listable too — anyone on the internet can download any scanned booklet — across institutions. Multiple institutions are using the same bucket, insanely insecure.
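The finding quoted above (anonymous ListObjectsV2 succeeding, a listable bucket root, several institutions sharing one bucket) comes down to two checks a practitioner would run: page through the listing with no credentials and see whether it answers, and inspect the bucket policy for a statement that hands `s3:ListBucket` to everyone. The block below is an added example, not code from the original posts or from CBSE/OSM. The bucket name `example-osm-media`, the object keys, the XML pages, the IAM account and role, and both policy documents are constructed for illustration; the two `*_fetch` functions stand in for an unauthenticated HTTP client doing `GET /?list-type=2`.

```python
# Added example, not the original posts' code. Everything named here
# (bucket "example-osm-media", keys, XML pages, account 123456789012,
# role "example-osm-app") is constructed for illustration.
import xml.etree.ElementTree as ET
from collections import Counter

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed ListObjectsV2 responses: page one is truncated and hands out
# a continuation token, page two is the last. Keys are per institution.
CONSTRUCTED_PAGES = {
    None: """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-osm-media</Name>
  <IsTruncated>true</IsTruncated>
  <NextContinuationToken>tok-1</NextContinuationToken>
  <Contents><Key>inst-A/2026/answersheet-0001.pdf</Key><Size>1024</Size></Contents>
  <Contents><Key>inst-A/2026/answersheet-0002.pdf</Key><Size>2048</Size></Contents>
</ListBucketResult>""",
    "tok-1": """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-osm-media</Name>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>inst-B/2026/question-paper-math.pdf</Key><Size>4096</Size></Contents>
</ListBucketResult>""",
}


def open_bucket_fetch(continuation_token):
    """Stand-in for an unauthenticated GET /?list-type=2[&continuation-token=..]
    against a bucket that allows anonymous listing. Returns (status, body)."""
    return 200, CONSTRUCTED_PAGES[continuation_token]


def locked_bucket_fetch(continuation_token):
    """Same request against a correctly locked-down bucket."""
    return 403, "<Error><Code>AccessDenied</Code></Error>"


def enumerate_anonymous_listing(fetch, max_pages=1000):
    """Page through ListObjectsV2 with no credentials.

    Returns (verdict, keys): a 200 carrying keys means anyone on the internet
    can enumerate the bucket; 403 means it exists but refuses anonymous
    listing; 404 means no such bucket.
    """
    keys, token = [], None
    for _ in range(max_pages):
        status, body = fetch(token)
        if status == 403:
            return "LISTING_DENIED", keys
        if status == 404:
            return "NOT_FOUND", keys
        if status != 200:
            return "UNEXPECTED", keys
        root = ET.fromstring(body)
        keys.extend(el.text for el in root.iter(S3_NS + "Key"))
        truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
        token = root.findtext(S3_NS + "NextContinuationToken")
        if not truncated or not token:
            break
    return "PUBLIC_LISTABLE", keys


def tenants_by_prefix(keys):
    """Objects per top-level prefix. More than one populated prefix in a
    listable bucket means several tenants share a single exposure."""
    return Counter(k.split("/", 1)[0] for k in keys)


# Policy side of the same finding. WEAK grants s3:ListBucket to everyone,
# which is what makes the root listable; HARDENED scopes it to one role.
_RESOURCES = ["arn:aws:s3:::example-osm-media", "arn:aws:s3:::example-osm-media/*"]
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": _RESOURCES}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-osm-app"},
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": _RESOURCES}]}


def policy_allows_anonymous_list(policy):
    """True if an Allow statement grants s3:ListBucket (or a wildcard that
    covers it) to the anonymous principal. Conditions are not evaluated, so
    treat True as 'needs a look', not as proof of exposure."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if anonymous and any(a in ("*", "s3:*", "s3:List*", "s3:ListBucket") for a in actions):
            return True
    return False
```

Against the constructed pages `enumerate_anonymous_listing(open_bucket_fetch)` returns `PUBLIC_LISTABLE` with three keys split across two prefixes, which is the multi-tenant shape the tweet describes, while the locked-down stand-in returns `LISTING_DENIED`. The policy check flags `WEAK_POLICY` and clears `HARDENED_POLICY`. A real fix should also turn on S3 Block Public Access for the bucket so a later policy edit cannot reopen it, and the listing should be re-run unauthenticated after the change rather than trusting the console.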

@ohyeah_xdd I already did research on a similar Axis Bank app, check this
linkedin.com/posts/thetirth…

@thetirthparmar Very good write-up.
We need more of these 🙂.
Recently a relative's mobile got hacked after they installed SBI yono apk from WhatsApp but unfortunately I deleted the Apk and hence couldn't decompile/inspect it.

So I busted a fake RTO website yesterday (as I teased). Here's the full technical breakdown, it gets way wilder than I expected. 🧵 (1/12) #malware #cybersecurity

@ContactVVR Exactly! Indian expats in Saudi still have Indian bank accounts. So one infected phone = UPI PIN stolen (Indian savings) + Saudi bank SMS monitored (salary).
Both countries’ finances compromised in one click

@thetirthparmar So they are basically scamming Indians living in Saudi Arabia with a fake challan. The currency restriction to Riyal was a dead giveaway. Thank you for your meticulous work and detailed thread. Sad that the authorities won't bother about this either.

almost every single OnMark portal built by EduTek is fundamentally insecure, and CBSE is lying to you about the safety of student data.
we found default passwords, URL-based RCEs, and raw MD5 hashes. millions of students are at risk.
read the blog here: sidharthify.tech/blogs/blog-31-…

@thetirthparmar What will happen if I click but do not install apk?

@0xApollyon Yes, we’ve got RCE on 2x Onmark subdomains and reported it, check this out
Tirth Parmar @thetirthparmar
PWNING OSM in a Speedrun 😼 #OSM #CBSE #cybersecurity

@thetirthparmar lmfao you have shell access ??? 🤣
who did the security for this shit bruh

@0xApollyon It’s not a defacement, it’s just an “echo” command

@thetirthparmar hey Tirth, I wouldn't recommend doing this. While it's funny as hell and the authorities equally incompetent, by defacing stuff you are giving them an easy target to make an example out of.

@krutikvirani rto-seva[.]online/parivahan/app/
ata011.b-cdn[.]net/final-2d0d6519.apk
MD5: 88699d567254fa954f0394347317e1df

UPDATE: Bunny CDN just took down the malicious APK. Wasn't even 5 minutes since I reported lol
The malware can no longer be downloaded. New infections = blocked.
@BunnyCDN W 🐇

Tirth Parmar @thetirthparmar
So I busted a fake RTO website yesterday (as I teased). Here's the full technical breakdown, it gets way wilder than I expected. 🧵 (1/12) #malware #cybersecurity

IOCs:
- rto-seva[.]online/parivahan/app/
- ata011.b-cdn[.]net/final-2d0d6519.apk
- MD5: 88699d567254fa954f0394347317e1df
- fir-[REDACTED]-rtdb.firebaseio.com
Reported to Google + CERT-In & Bunny CDN
If you get a challan SMS with a link DO NOT click. (12/12) #AndroidMalware