Critical Takeaways from QNB Hack Incident

Security researchers who analysed a set of data folders leaked from the Qatar National Bank (QNB) have identified that an SQL injection attack was probably used to exfiltrate sensitive financial information from the bank's database.

Alerted by a leaked folder named 'backup', the researchers assert strongly that the hackers used an SQL injection attack to extract the contents of the bank's database. According to the logs shared, the breach was carried out with one of the most common attacks, an SQL injection against the backend Oracle database server, using the 'sqlmap' tool. The attacker then appears to have extracted all the information and stored it in separate 'CSV' and 'TXT' files, sorted into folders in a precise order.
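The injection class described above comes down to one coding decision: whether user input is spliced into the SQL text or passed as a bound parameter. The following is an added example, not code from the original article or from the researchers it cites; SQLite stands in for the Oracle backend named above, and the `accounts` table, its rows and the customer-number lookup are constructed for illustration.

```python
import sqlite3

# Added example (not from the original article). SQLite stands in for the
# article's Oracle backend; the table and rows are constructed sample data.


def _make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (customer_no TEXT, holder TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "Alice", 500), ("1002", "Bob", 1200), ("1003", "Carol", 90)],
    )
    return conn


def lookup_vulnerable(conn, customer_no):
    # User input is spliced straight into the SQL text, so a quote in the
    # input changes the structure of the query. Tools such as sqlmap automate
    # probing exactly this kind of code path.
    sql = "SELECT holder FROM accounts WHERE customer_no = '" + customer_no + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, customer_no):
    # The value travels as a bound parameter; the database engine never
    # parses it as SQL, so the same input is matched literally and finds nothing.
    sql = "SELECT holder FROM accounts WHERE customer_no = ?"
    return [row[0] for row in conn.execute(sql, (customer_no,))]


def demo():
    """Run both lookups with an honest value and with a tautology payload."""
    conn = _make_db()
    honest = "1002"
    tampered = "' OR '1'='1"  # classic boolean probe; constructed input
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_tampered": lookup_vulnerable(conn, tampered),
        "param_honest": lookup_parameterized(conn, honest),
        "param_tampered": lookup_parameterized(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable lookup returns every account holder for the tampered input (the WHERE clause has become `'' OR '1'='1'`), while the parameterized lookup returns nothing, which is the correct answer for a customer number that does not exist. Code review and static analysis that flag string-built SQL are the cheapest place to catch this before a penetration test does.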

A known web shell, openDoc.jsp, was probably used to gain access to the host, control it and then escalate privileges, mainly to extract information. This is what the security researchers found when they went through the reams of leaked files; it confirmed what they had suspected. The hack was also identified as targeting the IP address 213.130.121.229, the server connected to Qatar National Bank's mobile applications. According to data from the VirusTotal registry, that server hosted apps.qnb.com and apps.qnb.com.qa.

The bank was running a web shell utility, a known vulnerable piece of software, which was a big mistake. The 'web shell' can allow hackers to access the bank's database remotely. According to the researcher, it gives the ability to copy, create, move and delete files. Text files can also be edited, and groups of files and folders can be bundled instantly into a single Zip archive.

The security researchers have also indicated that many of the leaked files could have been part of the hacker's own research and had nothing to do with QNB. The hackers could have used the breached bank data to build profiles of specific individuals, by looking into their Facebook and Twitter account details, in order to launch subsequent attacks.

The inclusion of folders on particular groups of individuals, such as Al Jazeera staff and defense and intelligence personnel, indicates that the hacker’s motives could be more political than financial.

Who was responsible?

In a recent development, a user behind one Twitter account (@bozkurthackers) claimed to IBTimes UK that he or she was responsible for hacking the QNB website. "We are the ones who hacked the Qatar National Bank and more," the anonymous person claimed.
The user posted images of the alleged SQL injection alongside a slideshow-style video featuring images from the data dump and a selection of credit card data. However, this material could easily have been gathered online without perpetrating the hack. A complete picture of how the compromised data was collated, and of the identity of the person or persons responsible for the hacking incident, is yet to be drawn.

Find the details of the investigation undertaken by the security experts at OMAR at the link below:

https://www.omarbv.com/?p=4464&lang=en

Vulnerabilities posing Data Leak Threats like the QNB Case

  • Insecure storage or transmission of PII (Personally Identifiable Information) and other sensitive business information.
  • Passwords hacked or revealed (this could lead to compromised data, compromised systems, and people using our accounts without our knowledge).
  • Missing patches and updates (hackers can take advantage of vulnerabilities in operating systems (OS) and critical applications if they are not properly patched or updated; this puts all the data on those unpatched systems, and on other connected systems, at risk).
  • Improperly configured or unsafe software.
  • Application vulnerabilities and wrong configurations of applications and servers.
  • Unrestricted or unreviewed access to databases and servers.

How we can safeguard ourselves from the above-mentioned vulnerabilities:

  • Restrict data access on a strictly need-to-know basis.
  • Conduct a quarterly Vulnerability Assessment and Penetration Testing exercise, through consulting partners, on all IT assets (both internal and external) and mobile applications; repeat it upon any major change to an application, any update to our systems, and any deployment of a new application, server or device within the existing IT infrastructure.
  • Ensure that the organization does not use vulnerable software such as web shells.
  • Review the elevated access privileges granted to critical databases and servers on a periodic basis.
  • Ensure proper physical security of electronically and physically restricted data wherever it exists in the organization.
  • Securely delete personally identifiable information (PII) and other restricted business data once it is no longer needed for business purposes.
  • Carry out annual Security Risk Assessments of critical systems.
  • Get an annual risk assessment conducted for the entire organization to identify the risks it potentially faces.
  • Implement information security standards such as ISO 27001, and PCI-DSS for payment card data security.
  • Ensure ongoing information security awareness among employees.
  • Classify information assets and manage them according to their classification.
  • Implement a SIEM solution supported by daily log reviews.
  • Track data movement out of the organization through a DLP solution.
  • Monitor data leakage into social media on an ongoing basis.
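The "SIEM solution supported by daily log reviews" item above is only useful if the review knows what to look for. An injection run of the kind described earlier in the article leaves a characteristic trail in web server access logs: an automated tool's user-agent, bursts of near-identical requests that differ only in a quoted parameter, and requests to a known web shell filename. The script below is an added example, not code from the original article or from the researchers it cites. It assumes Apache combined log format; the six log lines, the IP addresses, the `sqlmap/...` user-agent string and the `/account?id=` endpoint are all constructed, and the web shell filename `openDoc.jsp` is the one named in the article.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined format). None of these lines
# come from the incident; IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2016:10:01:12 +0000] "GET /account?id=1002 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2016:10:02:03 +0000] "GET /account?id=1002%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [25/Apr/2016:10:02:04 +0000] "GET /account?id=1002%27%20AND%201%3D2 HTTP/1.1" 200 77 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [25/Apr/2016:10:02:05 +0000] "GET /account?id=1002%27%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 210 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.9 - - [25/Apr/2016:10:03:40 +0000] "GET /openDoc.jsp HTTP/1.1" 200 340 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Apr/2016:10:04:11 +0000] "GET /static/logo.png HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators are matched against the URL-decoded, lower-cased request path.
SQLI_PATTERNS = [
    ("boolean probe", r"'\s*(or|and)\s+\S+\s*=\s*\S+"),      # ' AND 1=1 style
    ("union select", r"union\s+(all\s+)?select"),
    ("time-based function", r"(sleep|benchmark|dbms_pipe\.receive_message)\s*\("),
    ("sql comment", r"--\s*$|--\s|/\*"),
]

# Filenames of web shells known from the incident write-up (article names openDoc.jsp).
KNOWN_WEBSHELLS = {"opendoc.jsp"}


def classify(path, user_agent):
    """Return the list of indicator names triggered by one request."""
    reasons = []
    decoded = unquote_plus(path).lower()
    if "sqlmap" in user_agent.lower():
        reasons.append("sqlmap user-agent")
    for name, pattern in SQLI_PATTERNS:
        if re.search(pattern, decoded):
            reasons.append(name)
    script = decoded.split("?", 1)[0].rsplit("/", 1)[-1]
    if script in KNOWN_WEBSHELLS:
        reasons.append("known web shell filename")
    return reasons


def analyze(log_text):
    """Group suspicious requests by source IP for the daily review."""
    findings = defaultdict(lambda: {"requests": 0, "indicators": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        reasons = classify(m["path"], m["ua"])
        if reasons:
            entry = findings[m["ip"]]
            entry["requests"] += 1
            entry["indicators"].update(reasons)
    return dict(findings)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry["requests"], sorted(entry["indicators"]))
```

Running it on the sample flags 198.51.100.7 (three requests: tool user-agent, boolean probes, a UNION attempt and a SQL comment terminator) and 203.0.113.9 (a request to the web shell filename), while the ordinary customer traffic from 203.0.113.5 is left alone. The user-agent check is the weakest signal, since a tool's user-agent is trivially changed; the request-body patterns and the web shell path are the ones worth alerting on, and a request to a known web shell filename that returns 200 is worth an immediate incident ticket rather than a daily review.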
