Page 1: Null Mumbai 14th May News bytes by Dhawal Shah

News Bytes Chapter: Mumbai

May, 2016

Dhawal Shah

Page 2

./About_me

>> Part of the Incident Response team at HDFC Bank

>> Student of M.Tech (Information Security) at KJSCE, Mumbai

>> Fields of interest: SOC, SIEM, Computer Forensics

Page 3

./Agenda

>> Panama Papers Leak.

>> Qatar National Bank Data Breach

>> Investigative summary of Bangladesh Bank Heist.

>> Other NEWS

Page 4

Panama Papers Leak

Page 5

./Panama_Papers

>> 2.6 terabytes of leaked data

>> Email server hacked

>> Vulnerable front end of website

Page 6

./Panama_Papers

>> Technical Flaws:

– Outlook Web Access in use since 2009; the client login portal had not been updated since 2013.

– Client portal was vulnerable to the DROWN attack.

– Drupal open source CMS was last updated in August 2013.

– Drupal had 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands.

– Directory traversal.

– WordPress version was three months out of date.

– Emails were also not encrypted.

Page 7

./Panama_Papers

>> Suspected Methodology:

– WordPress Revolution Slider vulnerability

– Versions of Revslider all the way up to 3.0.95 are vulnerable to attack.

Page 8

./Panama_Papers

>> Suspected Methodology:

– Web server and mail server were on the same network

– Web server was not behind a firewall

– Sensitive data was accessible through a web-based portal

Page 9

./Panama_Papers

>> Suspected Methodology:

– Exploiting the WordPress Revolution Slider vulnerability

– Demo: https://player.vimeo.com/video/161966079

Page 10

./Panama_Papers

>> Suspected Methodology:

– Other possible vulnerability exploited:

– Two plugins were used in addition to Revolution Slider:

• WP SMTP plugin

– ability to send mail from your website via a mail server

– plugin stores the email server address and login information in plain text in the WordPress database

• ALO EasyMail Newsletter plugin

– receives bounced emails from a mail server and automatically removes those bounced addresses from the subscriber list

– plugin also stores email server login information in the WordPress database in plain text

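Two of the weaknesses on pages 7 and 10 are easy to audit for: a Revolution Slider build at or below 3.0.95, and mail-plugin credentials stored unhashed in wp_options. The script below is an added example, not code from the talk or from either plugin; the plugin header format is real WordPress convention, but the option names and the hashed-value heuristic are assumptions, and all inputs are constructed so it runs offline.

```python
"""Audit a WordPress install for an outdated Revolution Slider and for
plain-text mail credentials in wp_options (inputs constructed inline)."""
import re

# Constructed stand-in for the plugin header of revslider/revslider.php.
# WordPress plugins genuinely declare "Version:" in this header block.
REVSLIDER_HEADER = """/*
Plugin Name: Slider Revolution
Version: 3.0.95
*/"""

# Constructed stand-in for `SELECT option_name, option_value FROM wp_options`.
# The option names are assumptions, not the real plugins' keys.
WP_OPTIONS_DUMP = [
    ("blogname", "Example Firm"),
    ("wp_smtp_host", "mail.example.invalid"),
    ("wp_smtp_pass", "Summer2016!"),
    ("alo_easymail_pop3_password", "bounce-inbox-secret"),
    ("alo_easymail_pop3_host", "pop.example.invalid"),
]

LAST_VULNERABLE_REVSLIDER = (3, 0, 95)  # from the slide: <= 3.0.95 is vulnerable

def parse_version(text):
    """'3.0.95' -> (3, 0, 95): numeric comparison, so 3.0.100 sorts above 3.0.95
    (a plain string compare would get that wrong)."""
    return tuple(int(p) for p in text.strip().split("."))

def plugin_version(header):
    m = re.search(r"^\s*Version:\s*([\d.]+)", header, re.MULTILINE)
    return parse_version(m.group(1)) if m else None

def revslider_is_vulnerable(header):
    v = plugin_version(header)
    return v is not None and v <= LAST_VULNERABLE_REVSLIDER

SECRET_KEY = re.compile(r"(pass|pwd|secret)", re.IGNORECASE)

def plaintext_mail_secrets(rows):
    """Names of mail-related options whose value looks like an unhashed secret.
    Heuristic (assumption): WordPress phpass hashes start with '$', so a
    non-empty value that does not is treated as plain text."""
    hits = []
    for name, value in rows:
        mail_related = "smtp" in name.lower() or "mail" in name.lower()
        if mail_related and SECRET_KEY.search(name) and value and not value.startswith("$"):
            hits.append(name)
    return hits
```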
Page 11

./Panama_Papers

>> WP SMTP plugin

Page 12

./Panama_Papers

>> ALO EasyMail Newsletter plugin

Page 13

Qatar National Bank Data Breach

Page 14

./QNB_Data_leak

>> Thousands of bank records, totalling 1.4 GB of data

>> Uploaded to a file-sharing website called "global-files.net"

>> Consisted of critical information:

– bank credentials

– telephone numbers

– payment card details

>> @bozkurthackers shared an online video claiming responsibility for the breach

Page 15

./QNB_Data_leak

>> Suspected Methodology

• Attacker runs SQLMAP to identify the vulnerability

• A webshell was implanted

• Lateral movement to compromise the rest of the databases

• Out of 11 databases, 7 were exposed

• The data was arranged into nine folders, including ones named "Al-Jazeera", "Police Security", "Defence and etc", and "Mukhabarat".

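The first two steps of the chain above, automated SQL injection probing followed by a web shell, both leave traces in ordinary web server access logs. The detector below is an added example written for this talk's summary, not anything from the QNB investigation; the log lines are constructed in Apache combined format, and the injection and web-shell patterns are the author's own heuristics.

```python
"""Flag sqlmap-style SQL injection probing and web-shell command execution
in Apache combined-format access logs (sample lines constructed inline)."""
import re
from urllib.parse import unquote_plus

# Constructed sample traffic, not real QNB logs.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2016:10:01:02 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2016:10:01:09 +0000] "GET /news.php?id=12%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [14/May/2016:10:02:40 +0000] "GET /news.php?id=12%20UNION%20ALL%20SELECT%20NULL%2Cuser%28%29%2CNULL-- HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2016:10:15:33 +0000] "POST /uploads/cmd.php?cmd=id HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.2 - - [14/May/2016:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Heuristics: SQL syntax in a decoded query string, and a PHP file under
# uploads/ taking a command parameter (classic dropped web shell).
SQLI_RE = re.compile(
    r"(union\s+(all\s+)?select|sleep\s*\(|benchmark\s*\(|'\s*(and|or)\s+\S+\s*=|--\s*$)",
    re.IGNORECASE)
SHELL_RE = re.compile(r"/uploads/[^?]*\.php\?(cmd|c|exec)=", re.IGNORECASE)

def classify(line):
    """Return the list of detection tags for one log line ([] if benign)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    tags = []
    if "sqlmap" in m["ua"].lower():
        tags.append("sqlmap-ua")        # tool left its default User-Agent
    query = unquote_plus(m["path"].partition("?")[2])  # decode before matching
    if SQLI_RE.search(query):
        tags.append("sqli-pattern")
    if SHELL_RE.search(m["path"]):
        tags.append("webshell-exec")
    return tags

def suspicious_sources(log_text):
    """Map client IP -> set of tags, keeping only clients that tripped a rule."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        tags = classify(line)
        if m and tags:
            result.setdefault(m["ip"], set()).update(tags)
    return result
```

Decoding the query before matching matters: sqlmap URL-encodes its payloads, so a rule run against the raw request line misses them.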
Page 16

Bangladesh Bank Heist

Page 17

./Bangladesh_bank_Heist

>> Resulted in theft from the institution's Federal Reserve Bank account.

>> Total loss incurred: $81 million.

>> On Feb 5, 2016, nearly 36 requests hit the Federal Reserve Bank using the spoofed Bangladesh Bank identity.

>> 4 requests got processed, resulting in a total of $81 million.

>> The 5th transfer request had a typo: the beneficiary account name "Shalika Foundation" was written as "Fandation".

>> This typo, caught by the beneficiary bank "Deutsche Bank", drew attention to the incident.

>> The possible planned attack amount was about $950 million.

Page 18

./Bangladesh_bank_Heist

Page 19

./Bangladesh_bank_Heist

Page 20

./Bangladesh_bank_Heist

>> Module Patching

Page 21

./News

>> Encryption Trends

– WordPress

– WhatsApp

– BlackBerry

– Viber

>> Kiddicare Hacked! 794,000 Accounts Leaked

>> UserVoice Hacked! Users’ Accounts Breached

>> Google Suffers Insider Data Breach

>> London Clinic fined £180,000 for Leaking HIV Patients Data

>> Ransomware hits various companies.

Page 22

Discussion…

Thank You!!
