The BWSSB Data Breach: How Exposed Credentials Led To Critical Access


A severe security incident at the Bangalore Water Supply and Sewerage Board (BWSSB) has led to unauthorized root-level access to their backend database. The attacker exploited exposed credentials, granting full administrative control. As a result, large volumes of sensitive operational data and Personally Identifiable Information (PII) were compromised, posing significant risks of service disruption, data manipulation, and targeted phishing campaigns.

Severity Level: High

INCIDENT OVERVIEW:

  1. Threat Actor Profile:
    • The threat actor using the alias ‘pirates_gold’ has been identified as the individual responsible for advertising access to the compromised BWSSB database.
    • pirates_gold joined BreachForums in September 2024 and has since developed a moderate presence within the community, with a reputation score of 60 and more than 39 authored posts, indicating active involvement in data trading, sale of exploits, and related activity.
    • Targeted sectors: E-Commerce, Healthcare, Financial Services, and the Adult Industry.
    • Targeted regions: Brazil, Indonesia, Russian Federation, Ukraine, and Australia.
    • The threat actor has previously targeted organizations including Auxxxreviews, Vision Brindes, AC Online, ISTV[.]uz, Farmacia Internacional, U-F-L[.]net, and Bank Syariah AlSalaam.
  2. Attack Flow:
    • The subdomain owc.bwssb.gov.in had an exposed Adminer tool (a database management interface) accessible without authentication. This allowed the attacker to attempt a login and gain access to the database.
    • The subdomain also had an exposed .env file, which contained plaintext MySQL credentials (username and password). These credentials were valid and allowed the attacker to log in to the database.
    • Using the valid credentials from the .env file and the open Adminer interface, the attacker achieved root-level access to the underlying database, compromising sensitive data.
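The attack flow above leaves a recognisable trail in the web server's access log: requests for `/.env` and for Adminer endpoints, and, critically, a 2xx response to them. The following Python script is an added example (not part of the CloudSEK or Ampcus Cyber advisory) that parses combined-format access log lines and flags such requests, rating a served sensitive path as "critical" and a blocked or missing one as "medium" (a probe). The log lines are constructed samples; the IP addresses, timestamps and user agents are not from the incident.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in Apache/nginx "combined" log format (not from the incident).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:03:14:07 +0000] "GET /.env HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [10/Feb/2025:03:14:09 +0000] "GET /adminer.php HTTP/1.1" 200 9211 "-" "curl/8.4.0"
203.0.113.7 - - [10/Feb/2025:03:14:12 +0000] "POST /adminer.php?username=root HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Feb/2025:03:15:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.44 - - [10/Feb/2025:03:16:30 +0000] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

# Minimal parser for the request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths that should never be reachable on a public vhost (query string is stripped first).
SENSITIVE_PATHS = [
    re.compile(r"^/\.env(\.|$)"),                     # /.env, /.env.bak, ...
    re.compile(r"^/\.git(/|$)"),                      # /.git/config, ...
    re.compile(r"^/adminer(-[\d.]+)?(\.php)?(/.*)?$"),  # /adminer.php, /adminer-4.8.1.php, /adminer/
]


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line touches a sensitive path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]
    if not any(p.match(path) for p in SENSITIVE_PATHS):
        return None
    status = int(m.group("status"))
    # A non-error status means the server actually served or accepted the request:
    # the exposure is confirmed, not merely attempted.
    severity = "critical" if status < 400 else "medium"
    return Finding(m.group("ip"), m.group("ts"), m.group("method"), path, status, severity)


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source IP, so repeat offenders surface first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.severity:8} {f.ip:15} {f.method:5} {f.path:25} {f.status}")
    print(summarize(hits))
```

Any "critical" finding for `/.env` means the file's contents, including any database password, must be treated as compromised and rotated regardless of whether a later database login is visible in the logs.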
  3. Infrastructure Sabotage and Data Manipulation:
    • With root-level access, the attacker could manipulate or delete critical data, such as payment records and grievance logs, disrupting services and undermining public trust in BWSSB’s operations.
  4. Extensive Data Exposure:
    • The database contains multiple tables, including Payment Data, Application Data, Grievance Data, and System Logs.
  5. PII Compromise:
    • The data breach contains over 290,000 records of sensitive Personally Identifiable Information (PII), including full names, phone numbers, addresses, email IDs, Aadhaar numbers, and other critical applicant details.
  6. Targeted Phishing and Social Engineering Campaigns: 
    • Phishing Risk: The compromised data can be leveraged to launch highly targeted phishing attacks against both citizens and employees.
    • Enhanced Credibility: The availability of detailed PII increases the authenticity of fraudulent communications, raising the chances of successful exploitation.

HOW THE BREACH HAPPENED:

  1. Initial Access (February 2025): The breach began in early February 2025 when a nation-state threat actor gained initial access to Commvault’s Microsoft Azure environment. Microsoft notified Commvault of suspicious activity on February 20. The attackers exploited misconfigured cloud applications and obtained access to application credentials (client secrets) stored by Commvault for M365 integration, allowing them to impersonate legitimate service principals.
  2. Exploitation of Vulnerability (CVE-2025-3928): The attackers used valid credentials to exploit CVE-2025-3928, a zero-day vulnerability in the Commvault Web Server. This flaw allowed a remote authenticated attacker to upload and execute webshells, gaining persistence and expanding their access within Commvault’s infrastructure. The vulnerability existed in multiple versions of Commvault’s software and was not known publicly at the time of the breach.
  3. Lateral Movement into Customer M365 Environments: Using compromised app secrets and M365 OAuth tokens, the threat actor accessed customers’ M365 tenants via Commvault-managed service principals. They potentially escalated access using default permissions, overly privileged service principals, or misconfigured application scopes. This lateral movement allowed visibility and control over downstream customer environments.
  4. Cloud Misconfigurations & Identity Exploitation: The attack campaign also took advantage of cloud identity misconfigurations, such as excessive privileges granted to service principals and absence of Conditional Access policies. Commvault-managed M365 applications with unrotated secrets and insufficient IP filtering gave the attackers a stealthy path to move laterally without triggering immediate alerts.
  5. Persistence & Monitoring Evasion: The attackers were able to remain undetected for a period by operating through legitimate service credentials and staying within trusted IP ranges. No ransomware or destructive actions were deployed. However, they maintained a low-profile presence, focusing on stealthy access and exfiltration of identity data and secrets from impacted SaaS-linked resources.

Recommendations:

  1. Conduct a comprehensive audit to identify and remediate the vulnerabilities or backdoors.
  2. Rotate all exposed credentials, particularly those stored in the .env file, and implement secure secret management practices.
  3. Secure sensitive administrative interfaces like Adminer by restricting access through IP whitelisting, VPNs, or removal from public access.
  4. Implement proper authentication and least-privilege access policies for all critical endpoints.
  5. Continuously monitor the infrastructure for backdoors or signs of malicious activity.
  6. Regularly update and patch all systems to address newly discovered vulnerabilities.
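Recommendations 2 and 3 translate into two concrete checks a responder can run on the server itself: confirm that no `.env`, Adminer or similar file sits under the public document root, and build an inventory of which keys in the exposed `.env` hold secrets so that every one of them is rotated. The Python script below is an added example (not from the advisory or its source) that does both against a throwaway, constructed document root; the file names, keys and placeholder values are invented for the demonstration. Secret values are never returned, only key names, so the inventory is safe to paste into a ticket.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List

# File or directory names that should never be reachable under a public document root.
EXPOSED_NAMES = re.compile(r"^(\.env(\..*)?|adminer(-[\d.]+)?\.php|phpinfo\.php|\.git)$")

# Keys in a .env whose values are credentials and must be rotated if the file was exposed.
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASS|SECRET|TOKEN|KEY)$", re.IGNORECASE)


def find_exposed_files(docroot: str) -> List[str]:
    """Return POSIX-style paths (relative to docroot) of entries a client could fetch directly."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in list(dirnames):
            if EXPOSED_NAMES.match(name):
                hits.append(Path(os.path.relpath(os.path.join(dirpath, name), docroot)).as_posix())
                dirnames.remove(name)  # no need to descend into an exposed .git
        for name in filenames:
            if EXPOSED_NAMES.match(name):
                hits.append(Path(os.path.relpath(os.path.join(dirpath, name), docroot)).as_posix())
    return sorted(hits)


def credentials_to_rotate(env_text: str) -> List[str]:
    """Parse KEY=VALUE lines of a .env and return the names of keys carrying a non-empty secret."""
    keys = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if SECRET_KEY_RE.search(key) and value.strip().strip("\"'") != "":
            keys.append(key)
    return keys


def rotation_inventory(docroot: str) -> List[str]:
    """Convenience wrapper: inventory the .env directly under docroot, or [] if there is none."""
    env_path = Path(docroot, ".env")
    if not env_path.is_file():
        return []
    return credentials_to_rotate(env_path.read_text())


def build_demo_docroot() -> str:
    """Create a constructed, throwaway document root mirroring the misconfiguration (placeholders only)."""
    root = tempfile.mkdtemp(prefix="docroot_")
    Path(root, "index.php").write_text("<?php echo 'hello';")
    Path(root, ".env").write_text(
        "APP_ENV=production\n"
        "DB_HOST=127.0.0.1\n"
        "DB_USERNAME=root\n"
        "DB_PASSWORD=placeholder-not-real\n"
        "MAIL_FROM=noreply@example.invalid\n"
        "API_TOKEN=placeholder-not-real\n"
        "EMPTY_SECRET=\n"
    )
    Path(root, "tools").mkdir()
    Path(root, "tools", "adminer-4.8.1.php").write_text("<?php // adminer stub")
    return root


if __name__ == "__main__":
    root = build_demo_docroot()
    print("exposed entries:", find_exposed_files(root))
    print("keys to rotate :", rotation_inventory(root))
```

Point `find_exposed_files` at the real document root of each public vhost; any hit is an immediate removal or access-restriction task, and an `.env` hit additionally triggers rotation of every key that `credentials_to_rotate` lists, with the new values moved out of the web root into a secret store or server environment variables.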

Source:

  • https://www.cloudsek.com/blog/inside-the-bwssb-incident-how-an-exposed-environment-file-enabled-the-sale-of-290k-applicant-records-and-database-root-access


Ampcus Cyber