News Bytes Chapter: Mumbai, May 2016, Dhawal Shah

Null Mumbai 14th May News bytes by Dhawal Shah

Apr 15, 2017


nullowaspmumbai
Transcript
Page 1: Null Mumbai 14th May News bytes by Dhawal Shah

News Bytes Chapter: Mumbai

May,2016

Dhawal Shah

Page 2:

./About_me

>> Part of the incident response team at HDFC Bank

>> Student of M.Tech (Information Security) at KJSCE, Mumbai

>> Fields of interest: SOC, SIEM, computer forensics

Page 3:

./Agenda

>> Panama Papers Leak.

>> Qatar National Bank Data Breach

>> Investigative summary of Bangladesh Bank Heist.

>> Other NEWS

Page 4:

Panama Papers Leak

Page 5:

./Panama_Papers

>> 2.6 terabytes of leaked data

>> Email server hacked

>> Vulnerable front end of website

Page 6:

./Panama_Papers

>> Technical flaws:

– Outlook Web Access portal not updated since 2009; the client login portal not updated since 2013.

– Client portal was vulnerable to the DROWN attack (it still supported SSLv2).

– Drupal open-source CMS, last updated in August 2013.

– That Drupal version had 25 known vulnerabilities, including a high-risk SQL injection flaw that lets an unauthenticated remote attacker execute arbitrary commands.

– Directory traversal.

– WordPress version was three months out of date.

– Emails were also not encrypted.

Page 7:

./Panama_Papers

>> Suspected methodology:

– WordPress Revolution Slider (RevSlider) plugin vulnerability

– RevSlider versions up to and including 3.0.95 are vulnerable to attack.

Page 8:

./Panama_Papers

>> Suspected methodology:

– Web server and mail server were on the same network

– Web server was not behind a firewall

– Sensitive data was accessible through a web-based portal

Page 9:

./Panama_Papers

>> Suspected methodology:

– Exploiting the WordPress Revolution Slider vulnerability

– Demo: https://player.vimeo.com/video/161966079
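Added example (not from the deck): a small log-triage script of the kind an incident responder would run over the web server's access log to find the directory traversal and RevSlider abuse described on pages 6, 7 and 9. The log lines are constructed for illustration; the `revslider_show_image` action and its `img` parameter come from the public advisory for the RevSlider local file inclusion, not from the deck.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines for illustration; not real traffic from the firm
# discussed in the deck. 203.0.113.7 plays the attacker in this sample.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2016:10:01:02 +0530] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2016:10:01:05 +0530] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2016:10:02:11 +0530] "GET /wp-content/plugins/revslider/rs-plugin/css/settings.css HTTP/1.1" 200 3201 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2016:10:03:40 +0530] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 404 512 "-" "curl/7.47.0"
192.0.2.4 - - [14/May/2016:10:05:00 +0530] "POST /wp-admin/admin-ajax.php?action=revslider_ajax_action HTTP/1.1" 200 9 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(value):
    """Percent-decode until stable (catches double encoding such as %252F) and unify slashes."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def analyze_request(url):
    """Return the reasons a request looks like traversal or RevSlider file-inclusion abuse."""
    reasons = []
    decoded = normalize(url)          # decoding the whole URL is acceptable for a detector
    parts = urlsplit(decoded)
    query = parse_qs(parts.query)
    if "../" in decoded:              # also catches the "....//" filter-bypass spelling
        reasons.append("directory traversal")
    if parts.path.endswith("/wp-admin/admin-ajax.php") and query.get("action") == ["revslider_show_image"]:
        # The public RevSlider LFI lives on this action; "img" carries the file path.
        reasons.append("revslider show_image")
    return reasons


def scan_log(text):
    """Parse each line and keep those with at least one reason to look closer."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m.group("url"))
        if reasons:
            hits.append({"ip": m.group("ip"), "url": m.group("url"),
                         "status": int(m.group("status")), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["reasons"]), hit["url"])
```

A 200 response on a `revslider_show_image` request whose `img` walks up to `wp-config.php` is the line to escalate on: that file holds the database credentials, which is the step the deck's "web server to mail server" chain depends on.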

Page 10:

./Panama_Papers

>> Suspected methodology:

– Other possible vulnerabilities exploited:

– Two plugins were in use in addition to Revolution Slider:

• WP SMTP plugin

– lets the website send mail through an external mail server

– stores the mail server address and login credentials in plain text in the WordPress database

• ALO EasyMail Newsletter plugin

– retrieves bounced emails from a mail server and automatically removes the bounced addresses from the subscriber list

– also stores the mail server login credentials in plain text in the WordPress database

Page 11:

./Panama_Papers

>> WP SMTP plugin

Page 12:

./Panama_Papers

>> ALO EasyMail Newsletter plugin
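Added example (not the deck's code and not either plugin's real code): why plaintext plugin settings in `wp_options` matter once an attacker can read the database, for instance after pulling `wp-config.php` through a file inclusion. WordPress stores plugin settings as PHP-serialized arrays, so the script carries a minimal unserializer and walks every option row for password-like fields. The rows, option names and field names are constructed assumptions for illustration.

```python
# Minimal PHP serialize/unserialize for the types WordPress keeps in wp_options
# (string, int, bool, null, array). PHP string lengths are byte counts; the sample
# data is ASCII, so character and byte counts agree.

def php_serialize(value):
    if value is None:
        return "N;"
    if isinstance(value, bool):            # must precede int: bool is an int subclass
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type %r" % type(value))


def php_unserialize(data, pos=0):
    """Return (value, next_pos). Raises ValueError on input that is not PHP-serialized."""
    t = data[pos]
    if t == "N":
        return None, pos + 2                                 # "N;"
    if t in ("i", "b"):
        end = data.index(";", pos)
        n = int(data[pos + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                                    # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if t == "a":
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                                      # skip :{
        out = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            val, pos = php_unserialize(data, pos)
            out[key] = val
        return out, pos + 1                                  # skip }
    raise ValueError("not PHP-serialized data at offset %d" % pos)


# Constructed option rows as a wp_options dump would show them. The option names and
# field names are assumptions for illustration, not the real schema of either plugin.
WP_SMTP_SETTINGS = {"host": "mail.example-law.test", "port": 587, "ssl": True,
                    "user": "noreply@example-law.test", "pass": "Spring2016!!"}
EASYMAIL_BOUNCE_SETTINGS = {"bounce_host": "mail.example-law.test", "bounce_protocol": "pop3",
                            "bounce_user": "bounces@example-law.test", "bounce_password": "Bounce#2016"}
WP_OPTIONS_ROWS = [
    ("siteurl", "https://www.example-law.test"),
    ("wp_smtp_options", php_serialize(WP_SMTP_SETTINGS)),
    ("alo_em_bounce_options", php_serialize(EASYMAIL_BOUNCE_SETTINGS)),
]


def _walk(value, path):
    """Yield (dotted_path, leaf) for every scalar inside a nested option value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, "%s.%s" % (path, k))
    else:
        yield path, value


def find_plaintext_credentials(rows):
    """Unserialize every option and report leaf keys that look like a stored password."""
    findings = []
    for name, raw in rows:
        try:
            value, _ = php_unserialize(raw)
        except (ValueError, IndexError):
            continue                                         # plain, unserialized option value
        for path, leaf in _walk(value, name):
            key = path.rsplit(".", 1)[-1].lower()
            if isinstance(leaf, str) and leaf and any(tok in key for tok in ("pass", "pwd", "secret")):
                findings.append((path, leaf))
    return findings


if __name__ == "__main__":
    for path, secret in find_plaintext_credentials(WP_OPTIONS_ROWS):
        print("%-40s %s" % (path, secret))
```

Run against a real `wp_options` export (`SELECT option_name, option_value FROM wp_options`), this is the quick audit for "what does a database read hand the attacker": every hit is a credential for a system beyond the web server, which is exactly the web-to-mail pivot the deck suspects.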

Page 13:

Qatar National Bank Data Breach

Page 14:

./QNB_Data_leak

>> Thousands of bank records, totalling 1.4 GB of data

>> Uploaded to a file-sharing website called "global-files.net"

>> Consisted of critical information:

– bank credentials

– telephone numbers

– payment card details

>> @bozkurthackers shared an online video claiming responsibility for the breach

Page 15:

./QNB_Data_leak

>> Suspected methodology

• Attacker ran sqlmap to find and exploit an SQL injection vulnerability

• A webshell was deployed

• Lateral movement to compromise the rest of the database

• 7 of 11 databases were exposed

• The data was arranged into nine folders, including ones named "Al-Jazeera", "Police Security", "Defence and etc" and "Mukhabarat".
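Added example, not from the deck: the injection pattern a sqlmap run finds, and the phases the slide lists (detect, then enumerate the rest of the database), reduced to a runnable SQLite toy. Table names, rows and both lookup functions are constructed; `sqlite_master` stands in for `information_schema`, and the bound-parameter version shows the fix.

```python
import sqlite3


def build_db():
    """Constructed toy bank schema with made-up data; nothing here is real customer data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT, phone TEXT);
        CREATE TABLE cards (customer_id INTEGER, pan TEXT, expiry TEXT);
        INSERT INTO customers VALUES (1, 'Customer A', '+974-5555-0100'),
                                     (2, 'Customer B', '+974-5555-0101');
        INSERT INTO cards VALUES (1, '4111111111111111', '12/18'),
                                 (2, '5555555555554444', '03/19');
    """)
    return con


def lookup_vulnerable(con, customer_id):
    # The defect sqlmap hunts for: untrusted input pasted into the statement text.
    sql = "SELECT name, phone FROM customers WHERE id = '%s'" % customer_id
    return con.execute(sql).fetchall()


def lookup_safe(con, customer_id):
    # Same query with a bound parameter: the input is data, never SQL.
    return con.execute("SELECT name, phone FROM customers WHERE id = ?", (customer_id,)).fetchall()


def is_injectable(con, lookup, base="1"):
    """Boolean-based probe of the kind sqlmap starts with: a true and a false
    condition appended to the same value must yield different results."""
    when_true = lookup(con, base + "' AND '1'='1")
    when_false = lookup(con, base + "' AND '1'='2")
    return when_true != when_false


# Payloads from the later phases of an injection: schema enumeration (sqlite_master
# stands in for information_schema) and pulling rows from a table the page never queries.
TAUTOLOGY = "' OR '1'='1"
ENUM_TABLES = "' UNION SELECT name, sql FROM sqlite_master WHERE type = 'table' --"
DUMP_CARDS = "' UNION SELECT pan, expiry FROM cards --"


def run_demo():
    """Run every payload against both lookups and return the results for comparison."""
    con = build_db()
    return {
        "vuln_injectable": is_injectable(con, lookup_vulnerable),
        "safe_injectable": is_injectable(con, lookup_safe),
        "vuln_all_rows": lookup_vulnerable(con, TAUTOLOGY),
        "safe_all_rows": lookup_safe(con, TAUTOLOGY),
        "vuln_tables": sorted(r[0] for r in lookup_vulnerable(con, ENUM_TABLES)),
        "vuln_cards": sorted(lookup_vulnerable(con, DUMP_CARDS)),
        "safe_cards": lookup_safe(con, DUMP_CARDS),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The two probe strings in `is_injectable` are what shows up in web logs before any data leaves: a burst of near-identical requests to one parameter whose only difference is a trailing `'1'='1` versus `'1'='2` is the detection signature, well before the UNION payloads that actually enumerate tables.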

Page 16:

Bangladesh Bank Heist

Page 17:

./Bangladesh_bank_Heist

>> Resulted in theft from Bangladesh Bank's account at the Federal Reserve Bank of New York.

>> Total loss incurred: $81 million.

>> On Feb 5, 2016, 35 payment requests hit the Federal Reserve under a spoofed Bangladesh Bank identity.

>> 4 requests were processed, totalling $81 million.

>> The 5th transfer request had a typo: the beneficiary name "Shalika Foundation" was spelled "Fandation".

>> The typo was caught by Deutsche Bank, the routing bank, which drew attention to the incident.

>> The attack as planned would have moved about $950 million.

Page 18:

./Bangladesh_bank_Heist

Page 19:

./Bangladesh_bank_Heist

Page 20:

./Bangladesh_bank_Heist

>> Module patching
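The slide carries only the heading. Added example, not from the deck and not any real product's code: what "module patching" means in general. Public analyses of the malware used in this heist describe a two-byte patch that turned a conditional jump in a SWIFT Alliance Access library into NOPs so a validation check always passed; the 21-byte routine below is a constructed stand-in for such a module, with the attacker's patch, a tiny interpreter that shows the effect on the check, and the two checks a defender would run (hash verification and a scan for NOP-ed branches).

```python
import hashlib

# Constructed stand-in for a code module (not bytes from any real product): a routine
# that calls a validation function and returns 1 (accept) only if it reported success.
# 32-bit x86 encoding, annotated per instruction.
GOOD_MODULE = bytes.fromhex(
    "55"          # push ebp
    "89e5"        # mov ebp, esp
    "e800000000"  # call validate      (placeholder displacement; the interpreter stubs the call)
    "85c0"        # test eax, eax      ; eax = 0 means the check passed
    "7505"        # jnz +5             ; failed? skip the accept path
    "6a01"        # push 1
    "58"          # pop eax            ; accept: return 1
    "c9"          # leave
    "c3"          # ret
    "31c0"        # xor eax, eax       ; reject: return 0
    "c9"          # leave
    "c3"          # ret
)
KNOWN_GOOD_SHA256 = hashlib.sha256(GOOD_MODULE).hexdigest()   # the vendor's published hash

PATTERN = bytes.fromhex("85c07505")   # test eax,eax ; jnz +5    (the branch the attacker wants gone)
PATCH = bytes.fromhex("85c09090")     # test eax,eax ; nop ; nop (always fall into "accept")


def patch_module(module, pattern, replacement):
    """The attacker's step: locate the branch and overwrite it in place. Returns (patched, offset)."""
    if len(pattern) != len(replacement):
        raise ValueError("in-place patch must not change the module size")
    off = module.find(pattern)
    if off < 0:
        raise ValueError("pattern not present")
    return module[:off] + replacement + module[off + len(pattern):], off


def run_check(module, validate_result):
    """Tiny interpreter for only the opcodes used above; returns the routine's eax."""
    pc, eax, zf, stack = 0, 0, False, []
    while True:
        op = module[pc]
        if op in (0x55, 0xc9):                             # push ebp / leave: frame only, no effect here
            pc += 1
        elif op == 0x89 and module[pc + 1] == 0xe5:        # mov ebp, esp
            pc += 2
        elif op == 0xe8:                                   # call validate: result is stubbed in
            eax, pc = validate_result, pc + 5
        elif op == 0x85 and module[pc + 1] == 0xc0:        # test eax, eax
            zf, pc = (eax == 0), pc + 2
        elif op == 0x75:                                   # jnz rel8 (forward displacement only here)
            pc += 2 + (0 if zf else module[pc + 1])
        elif op == 0x90:                                   # nop
            pc += 1
        elif op == 0x6a:                                   # push imm8
            stack.append(module[pc + 1])
            pc += 2
        elif op == 0x58:                                   # pop eax
            eax, pc = stack.pop(), pc + 1
        elif op == 0x31 and module[pc + 1] == 0xc0:        # xor eax, eax
            eax, pc = 0, pc + 2
        elif op == 0xc3:                                   # ret
            return eax
        else:
            raise ValueError("unhandled opcode 0x%02x at %d" % (op, pc))


def verify_module(module, expected_sha256):
    """Defender's first check: does the on-disk module still match the known-good hash?"""
    return hashlib.sha256(module).hexdigest() == expected_sha256


def find_nopped_branches(module):
    """Defender's second check: a test instruction immediately followed by two NOPs is
    the footprint of a conditional jump that somebody patched out."""
    hits = []
    for prefix in (b"\x85\xc0", b"\x84\xc0"):              # test eax,eax / test al,al
        off = module.find(prefix + b"\x90\x90")
        while off >= 0:
            hits.append(off)
            off = module.find(prefix + b"\x90\x90", off + 1)
    return sorted(hits)


if __name__ == "__main__":
    patched, off = patch_module(GOOD_MODULE, PATTERN, PATCH)
    print("original: valid ->", run_check(GOOD_MODULE, 0), " invalid ->", run_check(GOOD_MODULE, 7))
    print("patched : valid ->", run_check(patched, 0), " invalid ->", run_check(patched, 7))
    print("hash ok :", verify_module(patched, KNOWN_GOOD_SHA256), " suspicious offsets:", find_nopped_branches(patched))
```

The hash check is the one to operationalise: a two-byte change leaves file size and timestamps untouched, so only a comparison against vendor-published hashes (or a file-integrity monitor) catches it; the NOP scan is a fallback when no reference hash is available.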

Page 21:

./News

>> Encryption trends

– WordPress

– WhatsApp

– BlackBerry

– Viber

>> Kiddicare hacked! 794,000 accounts leaked

>> UserVoice hacked! Users' accounts breached

>> Google suffers insider data breach

>> London clinic fined £180,000 for leaking HIV patients' data

>> Ransomware hits various companies.

Page 22:

Discussion…

Thank You!!