Security experts analysing the trove of internal files leaked from the Qatar National Bank claim an 'SQL injection' could have been used to exfiltrate sensitive financial information from the bank's database, IBTimes UK has learned.
After the data dump was released, a number of tech-savvy security experts analysed the information and then spoke to IBTimes UK about their findings.
A folder marked 'backup' first alerted security researcher Omar Benbouazza to the possibility that an SQL injection attack could have been used to extract the bank's database content. "According to the logs shared, the breach was done by one of the most common attacks, a SQL injection to the backend Oracle database server, using the 'sqlmap' tool," he said.
"The attacker was extracting all the information and storing it in different 'CSV' and 'TXT' files, sorting by folder with a thorough order. A known web shell, openDoc.jsp, was probably used to gain access to the host and control it - escalating privileges as User5, mainly to extract information."
Indeed, when checked, the files in the dump were found to be organised in exactly this way and in those formats.
"Known vulnerable software"
As Benbouazza explained, this so-called 'web shell' could have allowed a hacker to remotely access and control the compromised web server, and through it the bank's data. "You can copy, create, move and delete files," he explained. "Text files can be edited and groups of files and folders can be downloaded as a single Zip file that's created on the fly."
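The two techniques described above, an sqlmap-driven SQL injection against the Oracle backend and a JSP web shell used to control the host, both leave traces in ordinary web-server access logs. The following is an added example written for this page, not code from the researchers quoted or from the bank: a small Python scanner that parses constructed access-log lines (Common Log Format plus a quoted User-Agent) and flags the sqlmap User-Agent, URL-decoded query strings carrying injection markers (including Oracle-specific ones such as FROM DUAL and DBMS_PIPE), and requests to .jsp files outside a hypothetical allowlist of known application pages. The log lines, IP addresses, endpoint names and the allowlist are all invented for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Constructed sample access-log lines: Common Log Format followed by a quoted
# User-Agent. They are illustrative only, not lines from the leak or from QNB.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Apr/2016:10:01:02 +0300] "GET /account/balance?id=1042 HTTP/1.1" 200 512 "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X)"
203.0.113.7 - - [26/Apr/2016:10:01:09 +0300] "GET /account/balance?id=1042%27%20AND%201%3D1-- HTTP/1.1" 200 512 "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [26/Apr/2016:10:01:10 +0300] "GET /account/balance?id=1042%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%20FROM%20DUAL-- HTTP/1.1" 500 0 "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [26/Apr/2016:10:05:44 +0300] "GET /openDoc.jsp?cmd=ls HTTP/1.1" 200 2048 "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.8 - - [26/Apr/2016:10:06:01 +0300] "GET /account/statement?month=3 HTTP/1.1" 200 1024 "Mozilla/5.0 (Android 6.0)"
"""

# Hypothetical allowlist of JSP endpoints the application is known to serve.
# Any other .jsp path is treated as a possible dropped web shell.
KNOWN_JSP = {"/login.jsp", "/account/index.jsp"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ua>[^"]*)"\s*$'
)

# Markers typical of injection probes, including Oracle-specific ones
# (DUAL, DBMS_PIPE, UTL_INADDR) that a scanner uses to fingerprint the backend.
SQLI_RE = re.compile(
    r"'\s*(and|or)\b|\bunion\b.*\bselect\b|--\s*$"
    r"|\bfrom\s+dual\b|dbms_pipe\.receive_message|utl_inaddr\.",
    re.IGNORECASE,
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    reasons: list


def classify(ip, ts, target, ua, known_jsp=KNOWN_JSP):
    """Return (path, rule names that fire) for one request, rules in a fixed order."""
    path, _, query = target.partition("?")
    decoded = unquote_plus(query)  # inspect the payload as the server sees it
    reasons = []
    # sqlmap advertises itself in the User-Agent unless --random-agent or
    # --user-agent is used, so this rule alone is not sufficient.
    if "sqlmap" in ua.lower():
        reasons.append("sqlmap-user-agent")
    if SQLI_RE.search(decoded):
        reasons.append("sqli-payload")
    if path.lower().endswith(".jsp") and path not in known_jsp:
        reasons.append("unknown-jsp")
    return path, reasons


def scan_log(text, known_jsp=KNOWN_JSP):
    """Parse each log line and return a Finding for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        path, reasons = classify(m["ip"], m["ts"], m["target"], m["ua"], known_jsp)
        if reasons:
            findings.append(Finding(m["ip"], m["ts"], path, reasons))
    return findings


def suspicious_ips(findings):
    """Source addresses that triggered at least one rule."""
    return sorted({f.ip for f in findings})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f.timestamp, f.ip, f.path, ", ".join(f.reasons))
    print("suspicious sources:", suspicious_ips(results))
```

Run against the constructed sample, the two sqlmap probes fire on both the User-Agent and the payload rules, and the openDoc.jsp request is flagged only because it is not a known page; correlating all three to a single source address is what turns individual hits into an incident worth investigating. The User-Agent rule is the weakest of the three, since sqlmap's `--random-agent` option removes that signature, which is why the decoded-payload rule matters more.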
He added: "It looks like the hack was made targeting the IP 220.127.116.11, that is the server connected to mobile applications. That IP address was hosting apps.qnb.com and apps.qnb.com.qa according to VirusTotal registry. The bank [made] a big mistake running known vulnerable software."
As previously reported, the compromised data, which was 1.4GB in size, included customer information, ID numbers, names, addresses and credit card information. As part of our ongoing investigations, IBTimes UK revealed that hackers had already attempted to exploit the leaked information.
Based on separate analysis from cybersecurity expert Nitin Bhatnagar, the leaked data contains approximately one million credit card details. In some cases, 'investigative' information on social media accounts and close family members was also featured. This data is not thought to have been collated in this way by the Qatar bank. Instead, the security experts believe the hacker responsible was using the bank's data to build 'profiles' of future targets.
IBTimes UK contacted QNB for comment but received no response at the time of publication. When the news of the data leak first broke, the bank said it was policy "not to comment on reports circulated via social media". However, QNB has since admitted it is investigating the incident.
Who is responsible?
In a recent development, a user behind one Twitter account (@bozkurthackers) claimed to IBTimes UK that he or she was responsible for hacking the QNB website. "We are the ones who hacked the Qatar National Bank and more," the anonymous person claimed.
The user posted images of the alleged SQL injection alongside a slideshow-style video featuring images from the data dump and a selection of credit card data. However, all of this material could easily have been obtained from the public dump without having carried out the hack. So, while a clearer picture is starting to emerge about how the compromised data was collated, the identity of the person – or persons – responsible for the breach still remains unknown.
This is a developing story. IBTimes UK is still in the process of verifying the entire leak. It remains unknown how current the data is – and how or when it made its way into the public domain.