InvestBank UAE Breached? Hackers Dump Massive Archive of Internal Files Online
(This story has been updated with analysis from iSight Partners, May 9, and a statement from InvestBank, May 10.)
A massive tranche of nearly 10GB of files alleged to be from Sharjah, UAE-based InvestBank appears to have been dumped online by the hacking group "Bozkurtlar" - Turkish for "Gray Wolves" - on May 7. The zip archive released by the attackers appears to contain internal files and sensitive financial documents, including InvestBank customers' data.
The Bozkurtlar hacker or hacking group appears to have Turkish ties, and also claimed credit for a similar data dump on April 26, involving Doha-based Qatar National Bank. In that case, leaked customer data for QNB was quickly posted online by the Cryptome.org whistleblower site (see: Qatar National Bank Suffers Massive Breach).
Following the InvestBank data dump, Information Security Media Group has attempted to reach bank officials for comment, so far without success. But several experts ISMG has contacted are working on verifying the contents of the data dump. Based on their preliminary analysis, the data so far appears to be genuine. The data includes approximately 100,000 payment card numbers - for both MasterCard and Visa-branded cards - as well as bank statements for more than 3,300 InvestBank customers, ATM transaction records, extensive details relating to InvestBank's employees, plus property records, scans of identity documents and assorted other sensitive files. As of press time, the bank's internet banking link also remains offline.
The data dump follows Bozkurtlar having announced on Twitter, following the QNB leak, that it would soon be releasing hacked data from another bank based in the Middle East. Early on May 6, India Standard Time, the group released the InvestBank data into the wild, and tagged Twitter handles for ISMG - amongst others - to announce the data dump (see: QNB Confirms Leak, Downplays Damage).
What's Inside the Data Dump?
The dumped data appears to include a massive amount of information tied to InvestBank's systems, including SQL databases and some backup folders. Speaking on condition of anonymity, one expert who's reviewed the data says it appears to date from 2011 to September 2015.
Customer data in the leak includes copies of ID documents, photographs of individuals, documents relating to land purchases (such as stamp papers and financials), as well as bank statements and nearly 100,000 credit card numbers, including expiry dates in clear text. Security researchers, however, note that customer credentials such as account passwords and PINs appear to be encrypted.
The dump also contains comprehensive details on InvestBank's IT setup, including clear-text credentials for its production systems, switches, routers, virtual machines and Windows servers - many of which appear to have been using easily guessable vendor default passwords (see: Why Are We So Stupid About Passwords?). Screenshots of server settings and diagrams of server and data center layouts have also been found in the dump, in addition to details of VPN setups with the bank's branch offices.
The dump also appears to contain complete details of InvestBank's Oracle FLEXCUBE core banking solution implementation, including costs, deliverables, scope of work, licensing information and the entire database pertaining to InvestBank's FLEXCUBE implementation.
In addition to customer banking data, complete details for InvestBank's employees - including contact numbers, email addresses, mailing addresses and nationality-related information, and covering everyone from the board of directors down to office boys - appear to be in the dump, one expert notes. One security researcher has also independently studied a random sampling of the data relating to Indian employees, and found that the leaked data correlates with information available on those individuals' public-facing social media accounts.
Linked to Previous Leak?
In December 2015, a hacker broke into InvestBank's systems and released records for thousands of customers, after the bank refused to pay the $3 million bitcoin ransom demanded by the attacker, Dubai-based Xpress first reported. While the Xpress piece has since been taken offline, Wired and others have also reported on the InvestBank data leak. But it's not clear to date if the data leaker hacked the bank's systems, or obtained the information in a different manner.
Security experts who have reviewed the data contained in the new leak say they believe it's genuine, but add that there is always the possibility that it may have been compiled from previous data leaks or hack attacks.
The MasterCard and Visa payment card information in the dump appears to have been issued by an entity other than the bank - namely, Network International LLC - based on a review of the bank identification number attached to the data.
ISMG continues to consult with experts who are analyzing the data and will continue to track and share updates on this developing story. The Bozkurtlar attackers have also posted to Twitter a snapshot of folders - sorted by the country names of the hacks - that they apparently intend to disclose in the near future.
Update: Threat-intelligence firm iSight Partners says the leak - perpetrated by actors using the names 'Bozkurt Hackers' and 'AntiQNB' - appears to correlate with the 2015 InvestBank leak. "This new claimed leak of InvestBank data seems to corroborate our previous suggestion that there may be a link between these actors and 'Hacker Buba,' who leaked data from InvestBank in November 2015," it says in a research note. "The May 6 leak is significantly larger than the 250 MB of InvestBank data leaked in November 2015 or the 7.6 GB of InvestBank data that 'bozkurt.3754' provided a link to in an underground forum post in March 2016."
Update II: In a statement to ISMG on May 10, InvestBank stressed that no new hack has taken place. "This is the same set of old data [from a previous incident] that has been released again for unknown reasons," the bank says. "We have not been contacted by anyone, [and are] unable to speculate on the motives or confirm whether or not it is the same group." InvestBank acknowledged that it suffered a data breach last December, but declined to provide details (More here: Hackers Leak Data of 5 South Asian Banks).