Information security architect David Sennaike has discovered an account selling hacked data from 90% of Nigerian banks and their clients after stumbling upon an online advertisement on the “dark web”.
In January, Sennaike came across a post announcing an auction of the private data of a Nigerian fintech: access to servers, usernames and passwords, Application Programming Interface (API) keys, and private customer data.
The specialist, who has worked in information security for 12 years, made the details public on his LinkedIn profile.
Financial institutions of all types, including deposit money banks, merchant banks, microfinance banks, and fintechs, are affected.
The dark web refers to content on darknets, overlay networks within the Internet that can only be reached with special software, configurations or authorisation and that search engines do not index.
“This leak contains sensitive data of customers and clients, API keys, usernames and passwords of employees and administrators, database access, and reverse shell access to servers.
“Initial access was gained by using several IDOR vulnerabilities on their platforms to achieve full code execution. Access to private keys used to sign JSON Tokens allows elevation from INVESTOR to Admin, meaning access to and approval of ultimate funds.
“Starting bidding price is set at $50k. You need to have the current bid amount in your wallet to see a sample,” the advert read.
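The advert's claim that holding the token signing key lets a buyer elevate from INVESTOR to Admin is worth seeing concretely. The following is an added example, not code from the fintech or from the advert: a minimal JWT issuer and verifier in which the `role` claim alone gates a hypothetical funds-approval endpoint. The advert speaks of private keys (asymmetric signing); HS256 with a shared secret is used here so the example runs on the standard library only, and the key, claims and endpoint are constructed for illustration. The failure mode is the same either way: whoever holds the signing key can mint a token with any claims, while editing the claims without the key fails verification.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample secret standing in for a leaked signing key (assumption).
LEAKED_SIGNING_KEY = b"example-leaked-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT over the given claims (what the platform does at login)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature verifies under `key`, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(claims_b64))


def approve_funds(token: str, key: bytes) -> bool:
    """Hypothetical approval endpoint: the role claim alone gates the action."""
    claims = verify_token(token, key)
    return claims is not None and claims.get("role") == "Admin"


def forge_admin_token(investor_token: str, key: bytes) -> str:
    """What a buyer of the leaked key can do: re-sign the same subject with role=Admin."""
    claims = verify_token(investor_token, key)
    if claims is None:
        raise ValueError("token does not verify under this key")
    return sign_token(dict(claims, role="Admin"), key)


def tamper_without_key(token: str) -> str:
    """Edit the payload but keep the old signature; verification must reject this."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["role"] = "Admin"
    return header_b64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    investor = sign_token({"sub": "inv-1042", "role": "INVESTOR"}, LEAKED_SIGNING_KEY)
    print("investor approves funds:", approve_funds(investor, LEAKED_SIGNING_KEY))
    print("tampered (no key) approves:", approve_funds(tamper_without_key(investor), LEAKED_SIGNING_KEY))
    print("forged (with key) approves:", approve_funds(forge_admin_token(investor, LEAKED_SIGNING_KEY), LEAKED_SIGNING_KEY))
```

The practical consequence is that a leaked signing key cannot be mitigated by tightening the verifier; the key must be rotated and every token issued under it treated as attacker-controlled.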
According to The Whistler, Sennaike, whose curiosity was piqued, said the bid had risen to $250,000, which he said he could afford; rather than bid, however, he went a step further and checked the validity of the sample data.
“The manipulation of some details would have led to a total compromise of the fintech. I stopped there and reported it to the organisation. After a back and forth for a while, they temporarily patched it.
“I decided to contact the hackers that posted their information for sale to attempt complex social engineering. I set up my evilginx2 server and within three days I had access to their data server. It contained information about many banks in Nigeria and their customers.”
The expert described how he examined some of the data and got a sense of the methods the attackers employed to gain access to the banks.
“It gave an idea of some initial entry vectors and how they could compromise most financial institutions. I validated many of them and will make sure to provide the attached list with the necessary proof,” he added.
Searching through the data, he found how the affected banks had been compromised.
“Top 5 banks had Fat-pipe mVPN running on about four servers,” Sennaike discovered. The bank used it for network management. The problem with the version in use is that it has a backdoor user named “cmuser” that requires no password, does not appear in the logs, and has full administrative rights. In 2021 the FBI issued a warning about this vulnerability, but despite making billions in sales and profits the bank did not respond. Through the web console, it could be used to reach the bank's entire internal network.
“The bank mentioned earlier had exposed a file called “appsettings.json” on one of their domains. It was also found that at least 11 banks exposed this file on one server. This file contains internal API keys, passwords, and usernames of valid databases. This presented a further opportunity to compromise some of these banks.
“At least 40 banks had an SQL injection vulnerability on one of their servers. An info-sec consultant would know how deadly SQL injections are, as they give access to the database, modify users and details, edit information, and fully compromise the servers running the databases. An SQL injection is rated 9.8 out of 10, 10 being extremely critical. 90% of these SQL injections found on these banks allowed access as a Database Administrator (DBA).
“It was found that a top 3 bank ran an IBM server that was running Axis2 with a default password (Axis2). This was critical because it allowed services to be deployed that allowed the server to be compromised.
“Once you compromise a server with an internal presence, moving laterally across the organisation and compromising the remaining servers is usually a walk in the park. An instance of this is shown below. Internal passwords are exposed, allowing you to move laterally and access crown jewel servers.”
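The SQL injection finding above (40 banks, most giving DBA-level access) is the one most readers will want to see mechanically. Below is an added example, not code from any of the banks or from Sennaike's write-up: a constructed in-memory SQLite user table, a login query built by string concatenation next to the same query with bound parameters, and two constructed attacker inputs, one that bypasses the password check and one that dumps every username and password with a UNION. The table, the credentials and the payloads are all invented for the demonstration.

```python
import sqlite3
from typing import Optional, Tuple, List

Row = Tuple[str, str]


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table standing in for a bank's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT);
        INSERT INTO users VALUES ('dba',     'S3cret!', 'DBA');
        INSERT INTO users VALUES ('teller1', 'hunter2', 'TELLER');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Row]:
    """String-concatenated query: user input becomes part of the SQL text."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def dump_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Same flaw, fetching every row so a UNION payload can exfiltrate the table."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = 'x'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[Row]:
    """Bound parameters: the driver sends input as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed attacker inputs. SQLite treats "--" as a line comment, so the
# password clause is commented away; the UNION appends the password column
# in place of the role column.
BYPASS_PAYLOAD = "dba' --"
DUMP_PAYLOAD = "x' UNION SELECT username, password FROM users --"


def demo() -> dict:
    conn = build_db()
    return {
        # logs in as the DBA without knowing the password
        "bypass_vulnerable": login_vulnerable(conn, BYPASS_PAYLOAD, "anything"),
        # the same input against the parameterized query matches no user
        "bypass_parameterized": login_parameterized(conn, BYPASS_PAYLOAD, "anything"),
        # every username/password pair, sorted because UNION order is not guaranteed
        "dump_vulnerable": sorted(dump_vulnerable(conn, DUMP_PAYLOAD)),
        # a legitimate login still works through the safe path
        "legit_parameterized": login_parameterized(conn, "teller1", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The DBA-level access the article mentions follows from the database account the application connects with, not from anything in the query: parameterizing the query closes the injection, but running the application as a least-privileged database user is what limits the damage when the next one is missed.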
Based on his research, eight banks exposed directory listings, in one case including staff passwords protected only by a weak encoding, and the majority of Nigerian banks ran vulnerable VPN servers.
He said, “About 70 per cent of banks ran vulnerable versions of Cisco VPN and FortiOS. These vulnerable versions allow you to read the session details of the VPN users and the content of VPN servers. Many banks have their users connect from the outside into the bank using these VPNs to perform tasks. Access was obtained for some, while I decided not to exploit every one because the sheer number of banks running these vulnerable VPNs was overwhelming.
“Five banks exposed log files such as Elmah log files. A particular financial institution even provided access to a drive containing logs. Log files always contain sensitive information. I didn’t have time to review the logs, but I know there will be juicy information.
“Eight banks had an exposed directory listing, with about three having sensitive information. One listing had usernames and passwords of bank staff base64 encoded, which could be decoded using an online tool. These were the details used to transfer funds daily. Every single username and password used every day to transfer funds was leaked.”
The cybersecurity expert went on to explain that no fewer than 30 institutions ran exploitable WebLogic servers.
He explained, “Over 30 banks ran a vulnerable WebLogic server that gave access to their servers. The WebLogic Server versions were from 184.108.40.206.0 to 220.127.116.11.0. Exploits for these servers are readily available, accessible, and easy to use. They were found on most Internet banking servers. I validated it on a top 3 bank, and it has been patched.
“A particular payment company’s server ran PRTG with default access (prtgadmin:prtgadmin). This allowed me to control over 20 servers linked to the PRTG console and exploit them for access.
“About four banks ran custom “Moneytor” servers that exposed Jolokia interfaces. A quick search for Jolokia exploits shows you can access these servers within a few minutes. The example below is a server running the Internet banking application for a particular bank, with full details of the server.
“A top 5 bank had an Exchange server with a critical vulnerability that allowed access to the server and retrieval of every single email. This could be used in BEC scams, as malicious emails could be sent to everyone, and at least 1% would click the link, leading to mass compromise.
“Search for leaks on GitHub and be surprised by the number of valid passwords and usernames of bank servers and staff being leaked to everyone. At least 99% of banks had a valid leaked password on GitHub. Think about how easy it is to get details of your organisation on GitHub. Type “mybankwebsite.com” password and see interesting passwords belonging to that bank.”