SQL Injection Responsible for Qatar National Bank (QNB) Hack


An SQL injection might have been used to exfiltrate sensitive financial information from the bank’s database, according to security researchers who analyzed data from a trove of internal files leaked from the Qatar National Bank (QNB).

After the leaked data was released, a group of security researchers analysed it and are now publishing their findings.

A folder named ‘backup’ first led Omar Benbouazza to conclude that the attackers had probably used an SQL injection attack to extract the bank’s database content. He said, “According to the logs shared, the breach was done by one of the most frequent attacks, an SQL injection to the backend Oracle database server, using the ‘sqlmap’ tool.”

“The attacker was extracting all the information and storing it in different ‘CSV’ and ‘TXT’ files, sorted by folder in an exact order. A known web shell, openDoc.jsp, was probably used to gain access to the host and control it – escalating privileges as User5, mainly to extract information.”

When they went through the files, they found it was exactly as they suspected.

Benbouazza explained that the so-called ‘web shell’ allows attackers to access the bank’s database remotely. According to him, it gives the ability to copy, create, move and delete files; text files can also be edited, and groups of files and folders can be instantly packed into a single Zip archive.
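The two traces the researchers describe above, automated SQL injection with sqlmap against the backend database and requests to the openDoc.jsp web shell, are exactly the kind of activity a defender can look for in web-server access logs. The following is an added example, not code from the article or from the researchers: it parses Combined Log Format lines and flags entries with the default sqlmap User-Agent, URL-decoded SQL syntax in the request, or a hit on the web shell path. The log lines are constructed for illustration; the hostnames, paths and IP addresses in them are not from the breach.

```python
"""Flag access-log entries that match the tradecraft in the QNB write-up:
sqlmap-driven SQL injection and requests to a JSP web shell (openDoc.jsp).
Added defensive example; the sample log below is constructed, not real data."""
import re
from urllib.parse import unquote

# Constructed sample in Combined Log Format. Addresses and paths are illustrative.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Apr/2016:10:01:02 +0000] "GET /account?id=1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Apr/2016:10:01:07 +0000] "GET /account?id=1001%27%20AND%201%3D1-- HTTP/1.1" 200 512 "-" "sqlmap/1.0 (http://sqlmap.org)"
10.0.0.9 - - [26/Apr/2016:10:01:09 +0000] "GET /account?id=1001%20UNION%20ALL%20SELECT%20NULL%2Cbanner%20FROM%20v%24version HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Apr/2016:10:02:30 +0000] "POST /upload/openDoc.jsp HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Crude SQL-syntax indicators checked after URL-decoding. The Oracle-specific
# names (v$version, dbms_pipe) fit the Oracle backend named in the write-up.
# sqlmap's default User-Agent is easy to change, so the UA check alone is weak.
SQLI_RE = re.compile(r"(?:'|\")\s*(?:and|or)\s+|union\s+(?:all\s+)?select|--\s*$"
                     r"|\bsleep\(|\bdbms_pipe\b|\bv\$version\b", re.I)

WEB_SHELL_NAMES = ("opendoc.jsp",)  # name cited in the article; extend from your own IR data

def classify(line):
    """Parse one log line; return a dict with the reasons it was flagged (possibly none)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m["path"])
    reasons = []
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    if SQLI_RE.search(path):
        reasons.append("sql syntax in request")
    if any(path.split("?")[0].lower().endswith(name) for name in WEB_SHELL_NAMES):
        reasons.append("web shell path")
    return {"ip": m["ip"], "ts": m["ts"], "path": path, "reasons": reasons}

def scan(log_text):
    """Return only the flagged records, in log order."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r and r["reasons"]]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["ip"], ", ".join(h["reasons"]), h["path"])
```

Run against real logs, the "sql syntax in request" rule will need tuning for the application's own query parameters; treat a hit on the web shell path or a 200 response to an injection string as a priority alert rather than noise.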

The researcher added that the attack had targeted the IP address 213.130.121.229, the server connected to Qatar National Bank’s mobile applications. According to data from the VirusTotal registry, the server hosted apps.qnb.com and apps.qnb.com.qa. The bank was running software with known vulnerabilities, which was a serious mistake.

The compromised data, a massive 1.4 GB in size, includes client information such as ID numbers, addresses and credit card details. Further investigation shows that others have already tried to exploit the leaked data.

A separate analysis by cyber security expert Nitin Bhatnagar found that the leaked information contained approximately one million credit card details. In some cases it also held ‘investigative’ information on popular social media accounts and close relatives. This data may not have been collected in this form by the Qatar National Bank; the researchers believe the attackers built these profiles for future targeting.

The Qatar National Bank was contacted for comment but did not reply. When the news first broke that the bank had been hacked, it said its policy was not to comment on reports circulated on social media. It has since confirmed that it is investigating the SQL injection incident.