Commercial Bank Hacked?: Hackers Use SQL Injection Attack

Commercial Bank, based in Colombo, Sri Lanka, has apparently been hacked, with its data posted online May 12 by the Bozkurtlar hacking group, which has also posted seven other data dumps from banks in the Middle East and Asia since April 26.

The group, believed to have Turkish ties, released data from five South Asian banks on May 10. It also dumped data online from UAE-based InvestBank on May 7 and data from Qatar National Bank on April 26.

Commercial Bank of Ceylon did not immediately reply to Information Security Media Group's request for comment. But a researcher analyzing the data involved, who asked to remain anonymous, says that the hacked data appears to be genuine.

The files from the latest disclosure appear to contain the entire contents of the corporate website of the Commercial Bank of Ceylon, the researcher says, explaining that no customer data or payment card information was apparently exposed in the incident. The dump appears to have occurred in November of last year, which suggests the compromise took place before that, according to the researcher.

As with the other bank data compromises in the region in recent weeks, the attackers notified ISMG and others via Twitter about the file dump, which apparently was relatively quickly taken offline. Commercial Bank of Ceylon's web services at www.combank.net appear to have been taken offline briefly post the disclosure. The website was functional on May 13.

Data Dump Contents

The dump contains 158,276 files in 22,901 folders and is about 6.97 GB uncompressed. The compromised data contains annual reports, application forms, bank financial statements, .PHP files, web development backups and other files needed for the functioning of the bank's corporate front-end web infrastructure, the researcher tells ISMG.

A sample file from the Commercial Bank of Ceylon dump

The attackers appear to have compromised the bank's systems using a SQL injection attack and uploading a Web Shell - a script that enables remote administration - onto the bank's PHP server, the researcher says. He bases this conclusion on the presence of artifacts from the hack in the data dump, including logs and files the indicate where the SQL injection was used and where the Shell was injected.

Bozkurtlar attackers had posted on Twitter, on a handle which has since been taken offline, that they would continue posting data from Asian and Middle Eastern banks, after the first dump of data from QNB. 

Many have been questioning the motives of the Bozkurtlar attackers, given the lack of any hacktivist message, announcement or reports of attempts at blackmail. However, analysis has revealed some common patterns and methods in the attacks, the researcher claims.

 

Source - http://www.bankinfosecurity.com/