Hackers Leak Data of 5 South Asian Banks
Same Group That Leaked Data From QNB, InvestBank Apparently Involved
Data purportedly belonging to five South Asian banks was apparently posted online May 10 by the Turkish hacking group Bozkurtlar, which recently also leaked data tied to Qatar National Bank and UAE's InvestBank.
The latest banks whose data has been posted online include the Dutch Bangla Bank, The City Bank and Trust Bank, all based in Dhaka, Bangladesh; and two Nepalese banks, Business Universal Development Bank and Sanima Bank, both based in Kathmandu, Nepal.
Links to the file archives containing data from all the banks have been posted from a Twitter account supposedly operated by the Turkish hacking group "Bozkurtlar" - or "Grey Wolves." The group appears to be making good on its threat to release data from more Asian banks - an indication that more such disclosures may be expected in the region in the near future.
Analyzing the Data
The latest targeted banks have not replied to a request for comment from Information Security Media Group. Several security experts who have been following Bozkurtlar say that while the data in the newest leak appears genuine, the volume of data from these five banks is relatively small compared to the massive QNB and InvestBank dumps.
The file archives posted were 251 MB for Business Universal Development Bank, 47 MB for Sanima Bank, 11.2 MB for The City Bank, and 312 KB and 95 KB for Dutch Bangla Bank and Trust Bank, respectively.
The scope of the data varies widely. But preliminary analysis, researchers say, shows that each of the zip files contains at least some customer information or account credentials.
Security engineer and RootedCON conference organizer Omar Benbouazza tells ISMG that his analysis of the data points to a webshell upload being used at Sanima Bank and the Dutch Bangla Bank, as was the case at Qatar National Bank. A webshell is a piece of code uploaded to a server or computer that allows attackers to gain access, escalate privileges to admin/root and control the entire system. It can also be used to extract all of the information stored on the system.
A primary researcher in this case, who requested anonymity, says that the data posted for each of the banks appears to be old - the most recent, from The City Bank, dates to August 2015. This, he says, raises the question of whether the leaks are the result of recent breaches, as claimed by Bozkurtlar, or whether the group has simply aggregated data from older incidents and posted it.
In a statement shared with ISMG, InvestBank says the data tied to the bank is from a breach in December 2015. "No new hack has happened, as claimed by these attackers," InvestBank says.
Content of Latest Leaks
The researcher who asked not to be named says that while the latest postings do not seem as significant as the previous two disclosures, there are still elements that should be of concern. No credit card numbers are present in the latest data dump, unlike the QNB and InvestBank leaks, he says. He attempted to verify the authenticity of each bank's data individually.
His analysis of the data reveals the following:
- Dutch Bangla Bank - Dhaka, Bangladesh: This 312 KB archive appears to contain records of customer banking transactions - either physical or internet banking. The researcher says that using admin credentials found in clear text in the dump, he was able to gain access from the public internet to the bank's ATM transaction analyzer for research purposes. The username/password appear to be very simple or default, he explains. "The website of Dutch Bangla bank appears to contain vulnerabilities and could have been the point of penetration to the internal servers or files."
- Trust Bank - Dhaka, Bangladesh: The smallest archive at 96 KB, the file contains two spreadsheets that, among other things, contain user ID, email, username and encrypted passwords. The latest file is from June 2015.
- The City Bank - Dhaka, Bangladesh: This 11.2 MB dump has a single spreadsheet, which appears to contain the personal information of at least 1 million bank customers. Details include: full name, father's name, mother's name, date of birth, age, mailing address, contact number, permanent address and email. The most recent data is from August 2015.
- Sanima Bank - Kathmandu, Nepal: This 47 MB archive contains a spreadsheet with customer information that includes name, account balance with current withdrawal and deposit details for the account. The most recent data is from February 2015. The bank's website appears to have been recently upgraded to enhance security, according to a message on the site, which asks users to change their passwords. An April 21, 2015 op-ed column in the online edition of the Kathmandu Post newspaper refers to fraud having taken place at Sanima Bank, although no other mention of the fraud is available on the site.
- BUD Bank - Kathmandu, Nepal: The largest of the archives released by Bozkurtlar hackers on May 10, the 251 MB file appears to contain email communication of senior management and managers in Microsoft Outlook format. The data also contains phone-banking customer details, including phone number, username, encrypted password and customer ID. The most recent data is from January 2015.
InvestBank Denies New Hack Took Place
InvestBank stressed in a statement provided to ISMG on May 10 that no new hack has taken place this year. "This is the same set of old data [from a previous incident] that has been released again for unknown reasons," the bank says. "We have not been contacted by anyone, [and are] unable to speculate on the motives or confirm whether or not it is the same group."
InvestBank, which acknowledges that it suffered a data breach last December, says that publishing the data - and the ensuing media attention - has had a negative impact on its business. The bank declined to provide further details about the breach.
Sources at the bank tell ISMG that after the 2015 breach, the bank underwent a complete forensic analysis by federal agencies and private investigators, following which reports were submitted to the regulator and steps were taken to harden security. Threat intelligence firm iSight Partners has also published analysis suggesting that the recent leak - perpetrated by actors using the names "Bozkurt Hackers" and "AntiQNB" - appears to correlate with the 2015 InvestBank leak.
"This new claimed leak of InvestBank data seems to corroborate our previous suggestion that there may be a link between these actors and 'Hacker Buba,' who leaked data from InvestBank in ... 2015," it says in a research note.
But one researcher analyzing the May 7 data dump claims the InvestBank data does not extend beyond October 2015. The data dump appears to have been taken from a single system, possibly belonging to the database administrator at InvestBank, whose details have been found in a personal folder with the dump, the researcher says. InvestBank declined to comment on the idea.