Source: David Sennaike
David Sennaike, an Information Security Architect, came across a post on the ‘dark web’ selling the private data of Nigerian banks. He decided to investigate further, and these are his findings:
I am Sennaike David, an Information Security expert and bug bounty hacker. I’ve been in the information security space for 12 years while amassing some of the highest certifications possible in this field. My LinkedIn has been dormant since my university days as I have preferred to stay in the background and let my work speak directly to the clients and customers I relate with.
However, writing this article to sound a warning to the Nigerian financial system is expedient. It has become clear that many financial institutions in Nigeria are sitting ducks for a major cybersecurity-related incident. I will provide the necessary proof to back it up immediately.
It will be very important to say the following before I continue.
1. If you are a financial organisation listed on this Wikipedia page: https://en.m.wikipedia.org/wiki/List_of_banks_in_Nigeria, chances are you are affected as this covers at least 90% of all financial institutions on that page. If you oversee the security at these institutions, this article is for you.
2. I will post some redacted information to help some organisations identify themselves. I can’t post details for everyone, as this would make the post too cumbersome.
3. I’ve reported some of what I will discuss to a few organisations in the previous month. So, if you have already patched them, you can skip this article.
Around January, I came across a post on the dark web stating they were selling the private data of a Nigerian fintech, access to servers, username and password and API keys, and private customer data.
I saw the post and couldn’t buy the items because of how expensive they were, so I decided to check the validity of some of their sample data. To my surprise, they were valid, and the security situation of the fintech was lacking. From investigations, I could view any user’s profile (including BVNs, phone numbers, Names, and Emails), edit all users, and manipulate different details.
The manipulation of some details would have led to a total compromise of the fintech. I stopped there and reported it to the organisation. After a back and forth for a while, they temporarily patched.
I decided to contact the hackers that posted their information for sale to attempt complex social engineering. I set up my evilginx2 server to phish them on the dark web, and within three days, I had access to their data server. It contained a great deal of information about many banks in Nigeria and their customers.
I looked at some of the information, which gave me an idea of the vectors they used to access these banks: some initial entry vectors and how they could compromise most financial institutions. I validated many of them and will make sure to provide the attached list with the necessary proof.
1. A top 5 bank had FatPipe MPVPN running on about four servers. This was managing the network for the bank. The problem with the version they were running is that it comes with a backdoor user with no password called “cmuser”. This user has administrative privileges with no restrictions and doesn’t appear in the logs. The FBI warned of this vulnerability in 2021, but this bank, with billions in revenue and profits, didn’t update. You could log in to the web console and use that to compromise their entire internal infrastructure.
2. The bank mentioned earlier had exposed a file called “appsettings.json” on one of their domains. It was also found that at least 11 banks exposed this file on one server. This file contains internal API keys, passwords, and usernames of valid databases. This presented a further opportunity to compromise some of these banks.
3. At least 40 banks had an SQL injection vulnerability on one of their servers. An info-sec consultant would know how deadly SQL injections are, as they give access to the database, modify users and details, edit information, and fully compromise the servers running the databases. An SQL injection is rated 9.8 out of 10, 10 being extremely critical. 90% of these SQL injections found on these banks allowed access as a Database Administrator (DBA).
4. It was found that a top 3 bank ran an IBM server that was running Axis2 with a default password (Axis2). This was critical because it allowed services to be deployed that allowed the server to be compromised. Once you compromise a server with an internal presence, moving laterally across the organisation and compromising the remaining servers is usually a walk in the park. An instance of this is shown below. Internal passwords are exposed, allowing you to move laterally and access crown jewel servers.
5. About 70 per cent of banks ran vulnerable versions of Cisco VPN and FortiOS. These vulnerable versions allow you to read the session details of the VPN users and the content of VPN servers. Many banks have their users connect from the outside into the bank using these VPNs to perform tasks. Access was obtained for some, while I decided not to exploit everyone because the sheer number of banks running these vulnerable VPNs was overwhelming.
6. Five banks exposed log files such as Elmah log files. A particular financial institution even provided access to a drive containing logs. Log files always contain sensitive information. I didn’t have time to review the logs, but I know there will be juicy information.
7. Eight banks had an exposed directory listing, with about three having sensitive information. One listing had usernames and passwords of bank staff base64 encoded, which could be decoded using an online tool. These were the details used to transfer funds daily. Every single username and password used every day to transfer funds was leaked.
8. Over 30 banks ran a vulnerable WebLogic server that gave access to their servers. The WebLogic Server versions were from 188.8.131.52.0 to 184.108.40.206.0. Exploits for these servers are readily available and accessible, and easily exploitable. They were found on most Internet Banking servers. I validated it on a top 3 bank, and it has been patched.
9. A particular payment company’s server ran PRTG with default access (prtgadmin:prtgadmin). This allowed me to control over 20 servers linked to the PRTG console and exploit them for access.
10. About four banks ran custom “Moneytor” servers that exposed Jolokia interfaces. A quick search for Jolokia exploits shows you can access these servers within a few minutes. The example below shows a server running the Internet banking application for a particular bank, with full details of the server.
11. A top 5 bank had an Exchange server with a critical vulnerability that allowed access to the server and allowed every single email to be retrieved. This could be used in BEC scams, as malicious emails could be sent to everyone, and at least 1% would click the link, leading to mass compromise.
12. Search for leaks on GitHub and be surprised by the number of valid passwords and usernames of bank servers and staff being leaked to everyone. At least 99% of banks had a valid leaked password on GitHub. Think about how easy it is to get details of your organisation on GitHub. Search for “mybankwebsite.com” password and see interesting passwords belonging to that bank.
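Item 3 above is the most widespread finding in the list, so here is what the defect and its fix look like side by side. This is an added example written for this page, not code from the article or from any of the banks it describes: a constructed in-memory SQLite table with made-up customer rows, a lookup that splices user input into the SQL text, and the same lookup using a bound parameter. The hostile input is the textbook tautology string used in any SQL injection tutorial; it is only data fed to a local table here.

```python
import sqlite3

# Constructed sample data standing in for a bank's customer table (all fake).
SAMPLE_ROWS = [
    ("alice", "alice@example.test", "11111111111"),
    ("bob", "bob@example.test", "22222222222"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, bvn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect: untrusted input is concatenated into the SQL text, so the
    input can change the structure of the query, not just the value compared."""
    query = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the value travels separately from the SQL text as a bound
    parameter, so it is only ever compared against the column, never parsed."""
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal username and with a tautology string."""
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed test string; closes the quote and appends OR
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # returns every row
        "param_normal": lookup_parameterized(conn, normal),
        "param_hostile": lookup_parameterized(conn, hostile),  # returns nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterized version is the only change needed for the query itself; the same idea (placeholders in the SQL, values passed to the driver) applies to every database API the article's findings would touch, and an ORM that builds queries from bound parameters gives the same protection. Least-privilege database accounts matter independently: the article notes that most of the injections it found ran as DBA, which is what turns a data leak into a server compromise.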
All I have listed above are initial vectors to access an internal system; from there, total infrastructure compromise will be possible. Internal servers have 20 times more critical exploits than internet-facing servers. This could lead to unauthorised access to customers’ accounts, to ransomware being installed on all servers so that customers can’t access their funds, and to any customer’s private information being used to commit crimes or siphon funds.
The above exploits listed from 1-12 only represent about 5% of all total critical exploits I found. It is alarming that every bank has at least five critical vulnerabilities that could be exploited to gain complete access to its infrastructure. After all, they conduct penetration tests every quarter. This begs the question of who are the professionals conducting these penetration tests, and are they just running tools and scanners blindly and not doing the manual work? I say this because doing the manual work guaranteed the exploitation of every bank on that Wikipedia page. Is the Nigerian banking system a ransomware disaster waiting to happen?
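Four of the twelve findings (2, 7, 9 and 12) come down to the same thing: credentials sitting in files that anyone can read, whether an appsettings.json served by the web tier, a base64-wrapped username:password pair in a directory listing, a monitoring console left on its factory login, or a config file pushed to GitHub. The manual check the author asks for can be partly automated as a pre-commit or scheduled scan. The scanner below is an added example written for this page, not code from the article; the sample appsettings.json and the sample directory listing are constructed, the default-credential list contains only the two pairs the article names, and the regexes are assumptions you would tune to your own stack.

```python
import base64
import json
import re
from typing import List, Tuple

# Default credential pairs named in the findings above; extend with your own inventory.
DEFAULT_CREDS = [
    ("prtgadmin", "prtgadmin"),  # PRTG (item 9)
    ("admin", "axis2"),          # Axis2 (item 4)
]

# Keys that, when they carry a non-empty value, usually mean a plaintext secret.
SECRET_KEY_RE = re.compile(r"(password|pwd|secret|apikey|api_key|token)", re.I)
# ADO.NET-style connection strings carry the password as a "Password=" pair.
CONN_STR_PWD_RE = re.compile(r"(?:password|pwd)\s*=\s*([^;]+)", re.I)
# Base64 runs long enough to be worth decoding; checked for a user:pass shape.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
USER_PASS_RE = re.compile(r"^[A-Za-z0-9._@-]{2,}:[^\s]{4,}$")

Finding = Tuple[str, str]  # (rule name, location or redacted excerpt)


def _walk(obj, path: str = ""):
    """Yield (dotted_path, value) for every leaf of a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def scan_json_config(text: str) -> List[Finding]:
    """Flag plaintext secrets in an appsettings.json-style file (item 2)."""
    findings: List[Finding] = []
    for path, value in _walk(json.loads(text)):
        if not isinstance(value, str) or not value:
            continue
        leaf_key = path.rsplit(".", 1)[-1]
        if SECRET_KEY_RE.search(leaf_key):
            findings.append(("plaintext-secret-key", path))
        if CONN_STR_PWD_RE.search(value):
            findings.append(("connection-string-password", path))
    return findings


def scan_text(text: str) -> List[Finding]:
    """Flag default credentials (item 9) and base64-wrapped user:password pairs
    (item 7) in free text: listings, scripts, anything about to be committed."""
    findings: List[Finding] = []
    for user, pwd in DEFAULT_CREDS:
        if re.search(rf"\b{re.escape(user)}\s*[:=/]\s*{re.escape(pwd)}\b", text):
            findings.append(("default-credential", f"{user}:***"))
    for token in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: an ordinary long word
        if USER_PASS_RE.match(decoded):
            findings.append(("base64-credential", decoded.split(":", 1)[0] + ":***"))
    return findings


# Constructed sample inputs (fake hosts, fake credentials).
SAMPLE_APPSETTINGS = json.dumps({
    "ConnectionStrings": {"Core": "Server=db01;Database=core;User Id=svc;Password=S3cr3t!;"},
    "Logging": {"LogLevel": {"Default": "Information"}},
    "Payments": {"ApiKey": "sk_live_placeholder"},
})
SAMPLE_LISTING = (
    "backup/transfer_creds.txt\n"
    "# PRTG monitoring console\n"
    "prtgadmin:prtgadmin\n"
    "# daily transfer operator\n"
    + base64.b64encode(b"tellerjoe:Tr4nsf3r!2024").decode() + "\n"
)

if __name__ == "__main__":
    for f in scan_json_config(SAMPLE_APPSETTINGS) + scan_text(SAMPLE_LISTING):
        print(f)
```

The scanner only reports the key path or a redacted username, never the secret itself, so its output can go into a ticket. Fixing what it finds means moving the values out of the file (environment variables, a secrets manager, or user-secrets for .NET) and rotating anything that was ever exposed; a base64 pair in particular is not protected in any sense and should be treated as a plaintext leak.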
Financial institutions as a whole need to do better. Get better-trained professionals to conduct full penetration tests and SOC monitoring. Certifications shouldn’t be the only requirement when critical infrastructure needs to be pen tested.
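The SOC monitoring the author asks for can start with the web tier's own access logs: a request for appsettings.json, an Elmah handler or a logs directory that returns 200 is a confirmed exposure to fix today, and the same request returning 404 is someone checking whether you are exposed. The detector below is an added example written for this page, not code from the article; the log lines are constructed in combined log format with documentation IP addresses, and the path list is an assumption seeded from findings 2, 6 and 7 that you would extend for your stack.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Combined Log Format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a bank's public web tier should never serve. The first three map to
# findings 2, 6 and 7 above; the rest are common companions (assumed list).
SENSITIVE_PATHS = (
    "/appsettings.json",
    "/elmah.axd",
    "/logs/",
    "/web.config",
    "/.git/",
    "/.env",
)

Hit = Tuple[str, str, int]  # (client ip, path, status)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict) -> Optional[str]:
    """'exposed' if a sensitive path was served (2xx), 'probe' if it was
    requested but refused, None for ordinary traffic."""
    path = entry["path"].split("?", 1)[0].lower()
    if not any(path.startswith(p) for p in SENSITIVE_PATHS):
        return None
    return "exposed" if 200 <= entry["status"] < 300 else "probe"


def analyse(log_text: str) -> Dict[str, object]:
    """Run the detector over a log blob and return hits grouped by verdict,
    plus a per-client count of sensitive-path requests for triage."""
    exposed: List[Hit] = []
    probes: List[Hit] = []
    by_ip: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        hit = (entry["ip"], entry["path"], entry["status"])
        (exposed if verdict == "exposed" else probes).append(hit)
        by_ip[entry["ip"]] += 1
    return {"exposed": exposed, "probe": probes, "by_ip": dict(by_ip)}


# Constructed sample log (documentation addresses, fake timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2023:10:01:02 +0100] "GET /appsettings.json HTTP/1.1" 200 1843
203.0.113.10 - - [12/Feb/2023:10:01:05 +0100] "GET /elmah.axd HTTP/1.1" 200 52311
203.0.113.10 - - [12/Feb/2023:10:01:09 +0100] "GET /.git/config HTTP/1.1" 404 153
198.51.100.7 - - [12/Feb/2023:10:02:30 +0100] "GET /login HTTP/1.1" 200 4521
198.51.100.7 - - [12/Feb/2023:10:02:41 +0100] "POST /api/transfer HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for verdict in ("exposed", "probe"):
        for ip, path, status in report[verdict]:
            print(f"{verdict:8} {ip:15} {status} {path}")
    print("requests per client:", report["by_ip"])
```

An 'exposed' hit is a finding in its own right regardless of who made the request, so it should page the application owner rather than wait for a SOC review; 'probe' hits are what you count per client to spot a scan. In production the same two rules belong in the SIEM as saved searches over the web server's log source, with the path list kept alongside the asset inventory so it grows with the stack.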
Bug Bounty programs in Nigeria should be encouraged. This exposes you to many talented hackers willing to test your platforms and report crucial vulnerabilities for a fee. You will discover that international companies with good bug bounty programs rarely get hacked. International platforms like HackerOne allow hackers to test thousands of companies while paying the hackers millions a month without a contract. Only some companies in Nigeria are listed there, like MTN and Paystack. This shouldn’t be the case.
The hackers’ server containing the data I saw is still active and can be accessed. I didn’t download it or view customer data. I checked some initial vectors of compromise, and if you are a top bank official and need to access your data on their server or need more information on items discussed, you can send a private message.