David Sennaike an Information Security Architect stumbled on online advert on the ‘dark web’ and found an account auctioning breached data of 90 per cent of Nigerian banks and their customers.
Sennaike has been on the information security space for 12 years but on one of his regular expeditions on the dark web, David came across a post in January stating they were auctioning the private data of a Nigerian fintech, access to servers, username and password, Application Programming Interface (API) keys, and private customer data.
The expert revealed the information on his Linkedin profile.
The affected financial institutions cut across Deposit Money Banks, Marchant Banks, Micro Finance Banks and fintech.
The dark web is the World Wide Web content that exists on darknets. It is not searchable by search engines and requires specific software, configurations, or authorization to access.
“This leak contains sensitive data of customers, clients, API keys, usernames and passwords of employees and administrators, access data base, reserve shell access to servers.
“Initial access was gained by using several IDOR vulnerabilities on their platforms to achieve full code execution. Access to private keys used to sign JSON Tokens allows elevation from INVESTOR to Admin, meaning access and approval of ultimate funds.
“Starting bidding price is set at $50k. You need to have the current bid amount in your wallet to see a sample,” the advert read.
Sennaike who became so inquisitive said the bid had risen to $250,000 which he could afford, however, he took a step further to look at the validity of the sample data.
“The manipulation of some details would have led to a total compromise of the fintech. I stopped there and reported it to the organisation. After a back and forth for a while, they temporarily patched.
“I decided to contact the hackers that posted their information for sale to attempt complex social engineering. I set up my evil ginx2 server and within three days, I had access to their data server. It contained several information about many banks in Nigeria and their customers.”
The expert narrated he looked at some of the information, which gave him an idea of the vectors they used to access the banks.
“It gave an idea of some initial entry vectors and how they could compromise most financial institutions. I validated many of them and will make sure to provide the attached list with the necessary proof,” he added.
When he searched the data, he found that the data belonging to the affected banks were breached.
Sennaike found, “Top 5 banks had Fat-pipe mVPN running on about four servers. This was managing the network for the bank. The problem with the version they were running is that it comes with a backdoor user with no password called “cmuser”. This user has administrative privileges with no restrictions and doesn’t appear on the logs. The FBI warned of this vulnerability in 2021, but this bank, with billions in revenue and profits, didn’t update. You could log in to the web console and use that to compromise their entire internal infrastructure.
“The bank mentioned earlier had exposed a file called “appsettings.json” on one of their domains. It was also found that at least 11 banks exposed this file on one server. This file contains internal API keys, passwords, and usernames of valid databases. This presented a further opportunity to compromise some of these banks.
“At least 40 banks had an SQL injection vulnerability on one of their servers. An info-sec consultant would know how deadly SQL injections are, as they give access to the database, modify users and details, edit information, and fully compromise the servers running the databases. An SQL injection is rated 9.8 out of 10, 10 being extremely critical. 90% of these SQL injections found on these banks allowed access as a Database Administrator (DBA).
“It was found that a top 3 bank ran an IBM server was running Axis2 with a default password (Axis2). This was critical because it allowed services to be deployed that allowed the server to be compromised.
“Once you compromise a server with an internal presence, moving laterally across the organisation and compromising the remaining servers is usually a walk in the park. An instance of this is shown below. Internal passwords are exposed, allowing you to move laterally and access crown jewel servers.”
Based on his findings, most Nigerian banks ran vulnerable versions of VPN servers, adding 8 banks had their password directory listed with a weak encoding tool.
He said, “About 70 per cent of banks ran vulnerable versions of Cisco VPN and Forti IOS. These vulnerable versions allow you to read the session details of the VPN users and the content of VPN servers. Many banks have their users connect from the outside into the bank using these VPNs to perform tasks. Access was gotten for some, while I decided not to exploit everyone because the sheer number of banks running these vulnerable VPNs was overwhelming.
” Five banks exposed log files such as Elmah log files. A particular financial institution even provided access to a drive containing logs. Log files always contain sensitive information. I didn’t have time to review the logs, but I know there will be juicy information.
” Eight banks had an exposed directory listing, with about 3 having sensitive information. One listing had usernames and passwords of bank staff base64 encoded, which could be decoded using an online tool. These were the details used to transfer funds daily. Every single username and password used every day to transfer funds was leaked.”
Explaining further, the cybersecurity expert added that no fewer than 30 banks ran exploitable web-logic servers which is vulnerable to hackers.
He explained, “Over 30 banks ran a vulnerable web-logic server that gave access to their servers. The Web-logic Server versions were from 12.2.1.1.0 to 12.2.1.4.0. These exploits to these servers are readily available and accessible, and easily exploitable. They were found on most Internet Banking servers. I validated it on a top 3 bank, and it has been patched.
“A particular payment company’s server ran PRTG with default access (prtgadmin:prtgadmin). This allowed me to control over 20 servers linked to the PRTG console and exploit them for access.
“About four banks ran custom “Moneytor” servers that exposed Jolokia interfaces. A quick search for Jolokia exploits shows you can access these servers within a few minutes. The example below is a server running the Internet banking application for a particular bank. Full details of the server.
” A top 5 bank had an exchange server with a critical vulnerability that allowed access to the server and also allowed to get every single email. This could be used in BEC scams as malicious emails could be sent to everyone, and at least 1% would click the link leading to mass compromise.
“Search for leaks on GitHub and be surprised by the number of valid passwords and usernames of bank servers and staff being leaked to everyone. At least 99% of banks had a valid leaked password on GitHub. Think about how easy it is to get details of your organisation on GitHub. Type: the “mybankwebsite.com” password and see interesting passwords belonging to that bank.”
Do you have any information or event for ABUJAPRESS to publish or cover? Kindly Call us on +2349075556668 or send us message on Whatsapp number +2349075556668 or send us an email [email protected]
.jpeg)
No comments