QNB Confirms Leak, Downplays Damage
Important Information Security Questions Remain Unanswered
Following a massive data leak, Qatar National Bank has confirmed that its systems may have been hacked. A group with Turkish ties has claimed credit for the attack and reportedly threatened to release information from a second bank hack.
In a statement provided to Information Security Media Group May 1 confirming that its systems may have been breached, the bank also commented on compromised data that was posted online. "While some of the data recently released in the public domain may be accurate, much of it was constructed and contains a mixture of information from the attack as well as other non-QNB sources, such as personal data from social media channels."
The bank also says it believes that the leak wasn't targeted at its customers, but instead designed only to damage the bank's reputation - although it offered no evidence to back up that assertion.
QNB says it's hired a third-party expert to review its systems.
The QNB leak involves a massive collection of documents that were posted April 26 to the online whistleblower site Cryptome. The leaked information, which totals 1.4 GB, includes internal corporate files and sensitive financial and personal data for QNB's customers, including Qatar's Al Thani royal family and the family-funded media organization Al Jazeera. The leak also revealed apparent intelligence dossiers.
A group with Turkish ties calling itself Bozkurtlar - or Grey Wolves - has claimed credit for the hack in a video first circulated April 25 via Twitter, one day before the QNB leak was publicly revealed.
The group claimed on its Twitter account, before it was taken down, to also have breached a second, unnamed bank, and obtained records that date back to 2001, which it plans to soon release.
QNB Attempts to Downplay Leak
Following the breach, QNB continued to characterize the incident as being an "alleged hack," until its statement on May 1. But multiple customers named in the leak, as well as one researcher, had already confirmed to ISMG that leaked usernames and passwords appeared to work.
Security engineer and RootedCON organizer Omar Benbouazza tells ISMG - and documents further in a blog post - that the QNB attacker used a SQL injection attack. Security researchers at Trend Micro have also published similar conclusions.
QNB has continued to insist that the leak will have no financial impact on it or its customers. Multiple attempts to exploit the leaked credentials, however, have been reported by the bank's customers in the week following the breach, as noted in multiple media reports.
The bank also noted in its statement that the attack targeted a portion of its Qatar-based customers.
Trend Micro's blog suggests that the attackers may have been after more than just easily monetizable payment card and personal data. The presence of sensitive data apart from banking data, such as individual profiles and what appear to be intelligence dossiers, has led some to speculate that attackers may have had other, as yet unknown motives.
"@nitinbhatnagaar @Cryptomeorg yeah it smells very heavily. Seems real but curated and targeted." - Friedrich Lindenberg (@pudo), April 26, 2016
Unanswered Security Questions
The details in the hacked data raise questions about QNB's information security practices, experts say, including why the sensitive data appeared not to be encrypted, and why the exfiltration of 1.4 GB of data was not detected. An analysis published by Trend Micro suggests that the QNB breach began in July 2015.
Qatar Bank did not immediately respond to a request for comment about whether the leaked customer information was being encrypted both at rest and in transit.
Information expert Nitin Bhatnagar, a cybersecurity researcher and business development head for cybersecurity firm SISA Information Security, says his analysis of the data dump reveals that all data tables were in plain text, suggesting a lack of encryption. But it remains unclear whether QNB had neglected to encrypt primary account data or if attackers were able to decrypt the data.
In a blog post, Abhay Bhargav, CTO at Sunnyvale, Calif.-based security firm we45, says that the breach appeared to be an application-driven pivot attack: attackers compromised one application, then took advantage of poor network-based and application-based security controls to pivot and gain access to more internal systems.
"In this case, the attackers seemed to have attacked QNB's internet banking application and gained access to their payment switch and possibly their core banking application," he says.
Security expert - and former banking CISO - Onkar Nath also questions why so much of the sensitive data in the leak is in plain text. "Either the bank stored primary account data in plain text or the encryption was broken. If it is the latter, this would make it a clear violation of the bank's Payment Card Industry's Data Security Standard compliance, which most entities handling card data usually follow," he says.
Nath also cites multiple researchers reporting that they used leaked data to initiate a successful login attempt, after which the online banking system interface told the researcher that a secure one-time PIN - or OTP - had been sent to the mobile phone number on file for that account. Nath says that providing a confirmation that a login attempt has been successful - or not - should always be avoided by banks.
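The login behaviour Nath criticises, shown as an added example that is not code from QNB or from any of the researchers quoted here: a leaky handler that confirms a correct password by announcing the OTP, beside a hardened handler that returns the same message for a correct password, a wrong password and an unknown user, and only dispatches the OTP on success. The user store, salt, phone number and the `SENT_OTPS` list standing in for an SMS gateway are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample store (not real data): username -> (salt, password hash, phone).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": (_SALT, _hash("correct horse", _SALT), "+000-constructed-phone")}

# Dummy hash so an unknown username costs the same work as a known one (no timing oracle).
_DUMMY_HASH = _hash("not-a-real-password", _SALT)

SENT_OTPS = []  # stand-in for the SMS gateway: records who actually received an OTP

def login_leaky(username: str, password: str) -> str:
    """Flow described in the article: the response confirms the password was right."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(_hash(password, rec[0]), rec[1]):
        return "Invalid username or password"
    SENT_OTPS.append(username)          # OTP goes out only after password success...
    return "Password accepted. An OTP has been sent to your registered mobile number"
    # ...and the message above tells the caller the leaked credential still works.

def login_uniform(username: str, password: str) -> str:
    """Hardened flow: one message for every outcome; OTP is sent only on success."""
    rec = USERS.get(username)
    salt, stored, _phone = rec if rec is not None else (_SALT, _DUMMY_HASH, None)
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if password_ok and rec is not None:
        SENT_OTPS.append(username)      # the real second factor still happens
    # Identical text and identical work for success, wrong password and unknown user.
    return "If your details are correct, a one-time PIN has been sent to your registered mobile"

def otp_dispatch_count(username: str) -> int:
    """How many OTPs the stand-in gateway sent to this account."""
    return SENT_OTPS.count(username)
```

Rate limiting and lockout are not shown; they would sit in front of both handlers.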
Because the dump contains bank customers' mobile phone numbers, it puts them at risk of fraud, he says, because many services in Asia and the Middle East now use secure OTPs sent via SMS for two-factor authentication. But mobile phone providers in India have previously been fooled into issuing SIM cards for stolen phone numbers to fraudsters, who can then begin logging into targets' online bank accounts, receive the OTP, and then empty victims' bank accounts.
Security engineer Benbouazza says that the leak of customers' personal information now leaves them exposed. "While most of the data is old, thousands of credit cards still work," he says. Together with the leaked personally identifiable information, including mobile phone numbers, email addresses and mailing addresses, the bank is now at risk for more targeted attacks, he warns.