Qatar National Bank Breached
Today some information appeared in Twitter and media about a possible data breach in the QNB. Here you will find some thoughts about the breach and the 2GB of information leaked.
According to the information shared, looks like the hack was made targeting the IP 184.108.40.206, that is was supposed to be the server connected to the mobile applications. Indeed, that IP address was hosting apps.qnb.com and apps.qnb.com.qa according to VirusTotal registry.
The bank had a big mistake, running known vulnerable software, such as Servlet 2.4, JSP and Tomcat 4.2.3.
According to the logs shared by the attacker, the breach was done by one of the most common attacks, a SQL injection to the backend ORACLE database server, using the sqlmap tool:
sqlmap identified the following injection points with a total of 9533 HTTP(s) requests
The server had 11 databases stored, but not all of them has been leaked in the information published:
[*] COMMON – Published [*] EBPB – Published [*] EXFSYS – Not Published [*] IVR – Published [*] IVRDR – Published [*] IVRTMP – Not Published [*] MWS – Published [*] RETAIL – Published [*] SYS – Not Published [*] SYSTEM – Not Published [*] WMSYS – Published
The attacker was extracting all the info, and storing it in different CSV and TXT files, sorting by folder with a thorough order.
Customer information, such as national ID numbers, passport, names and surnames, contact data, nationaly and many more privacy data was stored in the customer tables.
The attackers were able to find an upload path, for User5 and also the password:
<img src="https://i.imgur.com/MIw3W2i.png"/ width="50%" height="50%"> <img src="https://i.imgur.com/HEswDp8.png"/ width="50%" height="50%">
A known web shell, openDoc.jsp, was probably used to gain access to the host, and control it escalating privileges as User5, mainly to extract information.
Description: jsp File browser v1.2 -- This JSP program allows remote web-based file access and manipulation. You can copy, create, move and delete files. Text files can be edited and groups of files and folders can be downloaded as a single zip file that's created on the fly.
- The bank was running vulnerable software in the targeted host.
- The breach was made using SQL injection and also probably using a web shell.
- Data published is in some cases old, that is probably because the breached host is a legacy one, or maybe just a test environment using real data, something not recommended, and not aligned with bank security requirements.
- Credit cards issued in the last years, were legit and working.
- Customers data, were also legit, and in some cases “whitehats” contacted them to contrast the information.
- The attacker was performing stalking actions with some of the customers, identified them as security forces or intelligence agents, as he was able to identify and provide social networks information. Including some photos, and in some cases info about their families.
Bozkurhackers, related to the Turkish far right group “Bozkurtlar” (Grey Wolves), has claimed responsibility for the breach in the Qatar National Bank. The claim has been made uploading a video on 25th April, a day before it was publicised. The group is spreading the video via Twitter, using several fake accounts that are closed by Twitter.
This attack could be related to the Syrian conflict, where the Grey Wolves have an active participation.
<img src="https://i.imgur.com/yulBMja.png"/ width="50%" height="50%"> <img src="https://i.imgur.com/l9hVOSZ.png"/ width="50%" height="50%">