Hackers Dump Massive Archive of Internal Files Online
A massive tranche of nearly 10GB of files alleged to be from Sharjah, UAE-based InvestBank appears to have been dumped online by the hacking group "Bozkurtlar" - Turkish for "Gray Wolves" - on May 7. The zip archive released by the attackers appears to contain internal files and sensitive financial documents, including InvestBank customers' data.
The Bozkurtlar hacker or hacking group appears to have Turkish ties, and also claimed credit for a similar data dump on April 26, involving Doha-based Qatar National Bank. In that case, leaked customer data for QNB was quickly posted online by the Cryptome.org whistleblower site (see: Qatar National Bank Suffers Massive Breach).
Following the InvestBank data dump, Information Security Media Group has attempted to reach bank officials for comment, so far without success. But several experts ISMG has contacted are working on verifying the contents of the data dump. Based on their preliminary analysis, the data so far appears to be genuine. The data includes approximately 100,000 payment card numbers - for both MasterCard and Visa-branded cards - as well as bank statements for more than 3,300 InvestBank customers, ATM transaction records, extensive details relating to InvestBank's employees, plus property records, scans of identity documents and assorted other sensitive files. As of press time, the bank's internet banking link also remains offline.
The data dump follows Bozkurtlar having announced on Twitter, following the QNB leak, that it would soon be releasing hacked data from another bank based in the Middle East. Early on May 6, India Standard Time, the group released the InvestBank data into the wild, and tagged Twitter handles for ISMG - amongst other media organizations - to announce the data dump (see: QNB Confirms Leak, Downplays Damage).
@Cryptomeorg @ChaToX @omarbv @APACinfosec @Jason_A_Murdock @d_plusk @simeonkerr Full DB + files from InvestBank UAE https://t.co/wzcRzkhBpC
What's Inside the Data Dump?
The dumped data appears to include a massive amount of information tied to InvestBank's systems, including SQL databases and some backup folders. Speaking on condition of anonymity, one expert who's reviewed the data says it appears to date from 2011 to September 2015.
Customer data included in the leak comprises copies of ID documents, photographs of individuals, documents relating to land purchases (such as stamp papers and financials), bank statements, and nearly 100,000 credit card numbers, including expiry dates in clear text. Security researchers, however, note that customer credentials such as account passwords and PINs appear to be encrypted.
The dump also contains comprehensive details on InvestBank's IT setup, including clear-text credentials for its production systems and Windows servers, many of which appear to have been using easily guessable vendor default passwords (see Why Are We So Stupid About Passwords?). Screenshots of server settings and diagrams of server and data center layouts have also been found in the dump, in addition to details of VPN setups with the bank's branch offices.
The dump also appears to contain complete details of InvestBank's Oracle FLEXCUBE core banking solution implementation, including costs, deliverables, scope of work, licensing information and the entire database pertaining to InvestBank's FLEXCUBE implementation.
In addition to customer banking data, complete details for InvestBank's employees, including contact numbers, email addresses, mailing addresses and nationality-related information, covering everyone from the board of directors down to office boys, appear to be in the dump, one expert notes. One security researcher has also independently studied a random sampling of the data relating to Indian employees, and found that the leaked data correlates with information available on those individuals' public-facing social media accounts.
Linked to Previous Leak?
In December 2015, a hacker broke into InvestBank's systems and released records for thousands of customers, after the bank refused to pay the $3 million bitcoin ransom demanded by the attacker, Dubai-based Xpress first reported. While the Xpress piece has since been taken offline, Wired and others have also reported on the InvestBank data leak. But it's not clear to date if the data leaker hacked the bank's systems, or obtained the information in a different manner.
Security experts who have reviewed the data contained in the new leak say they believe it's genuine, but add that there is always the possibility that it may have been compiled from previous data leaks or hack attacks.
@APACinfosec @Cryptomeorg @nitinbhatnagaar data appears legit however likely republished from a separate late-2015 breach
The MasterCard and Visa payment card information in the dump appears to have been issued by an entity other than the bank - namely, Network International LLC - based on a review of the bank identification number attached to the data.
ISMG continues to consult with experts who are analyzing the data and will continue to track and share updates on this developing story. The Bozkurtlar attackers have also posted to Twitter a snapshot of folders - sorted by country names of hacks - that they apparently intend to disclose in the near future.
@hackread @aramosf @Jason_A_Murdock @d_plusk @simeonkerr who asked me about the news? take . tomorrow - new pic.twitter.com/OnJmHQFtJg