Fintech firms suffer data breaches due to critical Zoho flaws
A technology platform serving financial technology companies fell victim to a cyber attack that exposed sensitive end-user data. Most likely, the threat actors behind the breach exploited a critical vulnerability in Zoho’s ManageEngine product.
Last week, the Cybersecurity and Infrastructure Security Agency (CISA) warned of a critical remote code execution (RCE) vulnerability in the Indian company’s ManageEngine program, warning that it has been exploited in the wild.
Rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), the flaw was patched by Zoho on June 24.
“This remote code execution vulnerability could allow attackers to execute arbitrary code on affected installations of Password Manager Pro, PAM360, and Access Manager Plus. Authentication is not required to exploit this vulnerability in Password Manager Pro and PAM360 products,” said Zoho in June, urging users to upgrade immediately.
Zoho has at least 80 million customers worldwide, including major companies such as Netflix, Amazon, Fortinet, Facebook, KPMG, Renault, HP and Tesla, among others.
CISA issued a warning “based on evidence of active exploitation.” The Cybernews Research team found one case where threat actors most likely exploited the critical flaw to breach an organization.
Hacked
A threat actor hacked into the BankingLab software-as-a-service (SaaS) banking platform, which serves fintech companies, giving away access to its clients’ servers and customers for free. It is believed that BankingLab had relied on ManageEngine to protect its network.
On September 24th, a new user on a popular hacker forum posted the following message: “Recently, we gained all server permissions to BankingLab and obtained all customer data, including the transaction flow of each customer’s user [and] identity information. Now I will share with you the data and master key of PAM360 password management system inside BankingLab which contains sshkey for internal services [and] different system and server passwords. Enjoy.”
BankingLab offers a “full stack of digital banking services” to financial technology (also called “fintech”) companies, including modules for customer account management, payment processing, card issuing, and providing loans and deposits. Their clients include Vialet, Simplex, Bankera and Perlas Finance.
“We help entrepreneurs with our technology, guiding you from business ideas to successful licensed financial institutions,” claims the company.
BankingLab is a brand owned by Baltic Amber Solutions (BAS), headquartered in Vilnius, Lithuania. In an interview with a local news channel in 2021, BAS CEO and co-founder Narimantas Bloznelis said: “We want to build a platform that corresponds to all fintech solution needs, and become a financial service Amazon.”
The Cybernews research team investigated the leak posted by the threat actor: it turned out to be an SQL database dump and the master key of the PAM360 password management system inside bankinglab.com. SQL, short for “structured query language”, is used to program and manage data, and it can be exploited as an attack vector by cybercriminals.
PAM (Privileged Access Management) is an advanced enterprise password manager – an authorization, authentication and access control system that manages credentials. Our internal investigation revealed that BankingLab was using PAM360 – a product from Zoho ManageEngine.
“A threat actor or actors who show evidence that they were able to access the database could potentially have taken over all of the customers’ accounts or even created their own account to further pivot and wreak havoc on the customers’ credentials,” said Mantas Sasnauskas, manager from the Cybernews team.
The threat actor leaked a 108MB database for free; it contains a PostgreSQL dump with a large amount of log data and other sensitive information, such as email account settings, all user record settings, agent installation and mobile authorization keys, and other sensitive logs.
“The potential impact could be huge and depends on BankingLab’s response: whether they saw the breach in time, how long threat actors had access to their systems, and whether they gained access to customer systems as this opens avenues for a possible supply chain attack,” said Sasnauskas.
Response
“All cyber attacks are more complex. They are not just about one vulnerable product. The cyber attack was large-scale and sophisticated. It is obvious that threat actors have been preparing for it for a long time and in different ways,” Bloznelis told Cybernews after confirming the cyber attack.
Bloznelis said he did not want to share more information about the attack while the investigation was ongoing, but would elaborate once it was over, adding that he had informed all affected clients. BankingLab also informed the Lithuanian State Data Protection Authority.
Cybernews contacted the Lithuanian Bank, an institution that oversees the affected fintech companies, and the Norwegian Data Protection Authority, and will update the article accordingly. It also contacted affected companies that appeared to know about the breach.
“Customers’ money is safe. There is no need to do anything. However, they should not forget that these are turbulent times and hackers are running wild, unleashing various attacks, exploiting social engineering to extract credentials, so customers need to be vigilant,” Bloznelis said.
Lithuanian Bank said it was informed of the incident last Friday. “As far as we know, customers’ money is safe and the affected institutions have either resumed operations or will do so soon,” it told Cybernews.
The police and the National Cyber Security Center have also been informed of the incident.