Qatar National Bank Breached

Introduction

Today some information appeared on Twitter and in the media about a possible data breach at QNB. Here you will find some thoughts about the breach and the 2 GB of leaked information.

Analysis

According to the information shared, it looks like the attack targeted the IP 213.130.121.229, which was supposedly the server serving the mobile applications. Indeed, that IP address was hosting apps.qnb.com and apps.qnb.com.qa according to VirusTotal's records.

The bank made a big mistake by running software with known vulnerabilities, such as Servlet 2.4, JSP and Tomcat 4.2.3.

According to the logs shared by the attacker, the breach was carried out with one of the most common attacks, a SQL injection against the backend Oracle database server, using the sqlmap tool:

sqlmap identified the following injection points with a total of 9533 HTTP(s) requests

The server stored 11 databases, but not all of them were leaked in the published information:

[*] COMMON – Published
[*] EBPB – Published
[*] EXFSYS – Not Published
[*] IVR – Published
[*] IVRDR – Published
[*] IVRTMP – Not Published
[*] MWS – Published
[*] RETAIL – Published
[*] SYS – Not Published
[*] SYSTEM – Not Published
[*] WMSYS – Published

The attacker extracted all the information and stored it in separate CSV and TXT files, carefully sorted into folders.

Customer information, such as national ID numbers, passport numbers, names and surnames, contact data, nationality and much more personal data, was stored in the customer tables.

The attackers were able to find an upload path for User5, and also its password:

<img src="https://i.imgur.com/MIw3W2i.png" width="50%" height="50%"/> <img src="https://i.imgur.com/HEswDp8.png" width="50%" height="50%"/>

A known web shell, openDoc.jsp, was probably used to gain access to the host and control it, escalating privileges as User5, mainly to extract information.

Description: jsp File browser v1.2 -- This JSP program allows remote web-based file access and manipulation. You can copy, create, move and delete files. Text files can be edited and groups of files and folders can be downloaded as a single zip file that's created on the fly.
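To show how this attack chain looks from the defender's side, here is an added example (not code from the original post) that scans Tomcat-style access-log lines for the three indicators discussed above: sqlmap's default User-Agent, SQL-injection syntax in query strings, and requests to a JSP file browser such as openDoc.jsp. The log lines, IP addresses, application paths and the upload directory name are constructed assumptions, not data from the breach.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Combined access-log format as written by Tomcat's AccessLogValve:
# %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Generic SQLi markers plus an Oracle-specific time-delay function seen in automated probing of Oracle backends.
SQLI_RE = re.compile(r"(union\s+select|'\s*(or|and)\s|'\s*--|dbms_pipe\.receive_message)", re.I)
# The web shell named in the write-up, plus any .jsp fetched from an upload directory (directory name is an assumption).
WEBSHELL_RE = re.compile(r"/(opendoc\.jsp|upload/[^/?]+\.jsp)", re.I)

# Constructed sample log; IPs are documentation ranges, not the addresses from the breach.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2016:10:01:02 +0300] "GET /app/login.jsp?user=bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2016:10:01:05 +0300] "GET /app/login.jsp?user=bob'%20AND%201=1-- HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [24/Apr/2016:10:01:06 +0300] "GET /app/login.jsp?user=bob'%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 233 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [24/Apr/2016:10:01:07 +0300] "GET /app/login.jsp?user=bob'%20AND%20DBMS_PIPE.RECEIVE_MESSAGE('a',5)=0-- HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [24/Apr/2016:10:05:00 +0300] "GET /app/upload/openDoc.jsp?dir=/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def classify(line):
    """Parse one log line; return (ip, [tags]) or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tags = []
    if "sqlmap" in m["ua"].lower():              # default sqlmap User-Agent (easily changed, hence the other checks)
        tags.append("sqlmap-ua")
    if SQLI_RE.search(unquote_plus(m["path"])):  # decode %xx and '+' before matching
        tags.append("sqli-pattern")
    if WEBSHELL_RE.search(m["path"]):
        tags.append("jsp-webshell")
    return m["ip"], tags

def analyse(lines, min_hits=3):
    """Aggregate indicator counts per source IP; alert on bursts or on any web-shell access."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = classify(line)
        if parsed:
            ip, tags = parsed
            for tag in tags:
                hits[ip][tag] += 1
    return {ip: dict(c) for ip, c in hits.items()
            if sum(c.values()) >= min_hits or "jsp-webshell" in c}

if __name__ == "__main__":
    for ip, counts in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, counts)
```

In a real deployment the burst threshold would be set far higher than 3; the 9533 requests quoted from sqlmap's own output give a sense of the volume a single scan produces.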

Summary:

Update 27/04/2016:

Bozkurhackers, a group related to the Turkish far-right group “Bozkurtlar” (Grey Wolves), has claimed responsibility for the breach at Qatar National Bank. The claim was made by uploading a video on 25th April, a day before the breach was publicised. The group is spreading the video via Twitter, using several fake accounts that Twitter keeps closing.

This attack could be related to the Syrian conflict, in which the Grey Wolves actively participate.

<img src="https://i.imgur.com/yulBMja.png" width="50%" height="50%"/> <img src="https://i.imgur.com/l9hVOSZ.png" width="50%" height="50%"/>
