Fintech firms suffer data breach due to critical Zoho flaw


A technology platform servicing financial technology companies fell victim to a cyberattack that exposed sensitive end-user data. Most likely, threat actors behind the breach exploited a critical vulnerability in Zoho’s ManageEngine product.

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) warned of a critical remote code execution (RCE) vulnerability in the Indian company’s ManageEngine products, noting that it has been exploited in the wild.

Rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), the bug was patched by Zoho on June 24.


“This remote code execution vulnerability could allow attackers to execute arbitrary code on affected installations of Password Manager Pro, PAM360, and Access Manager Plus. Authentication is not required to exploit this vulnerability in Password Manager Pro and PAM360 products,” Zoho said in June, urging users to upgrade immediately.

Zoho has at least 80 million customers worldwide, including big companies like Netflix, Amazon, Fortinet, Facebook, KPMG, Renault, HP, and Tesla, among others.

CISA issued a warning “based on evidence of active exploitation.” The Cybernews Research team found one instance where threat actors most likely exploited the critical flaw to breach an organization.

The hack

A threat actor hacked into the BankingLab software-as-a-service (SaaS) banking platform, servicing fintech companies, and is giving away access to its clients' servers and customers for free. It is believed that BankingLab had been relying on ManageEngine to protect its network.

Ad on a hacker forum

On September 24, a new user on a popular hacker forum posted the following message: “Recently, we have obtained all server permissions of BankingLab and obtained all customer data, including the transaction flow of each customer's user [and] identity information. Now I will share the data and master key of the PAM360 password management system inside BankingLab with you, which contains the sshkey of internal services [and] various system and server passwords. Please enjoy.”

BankingLab provides a “full stack of digital banking services” to financial technology (aka “fintech”) companies, including modules for customer account management, payment processing, issuing cards, and providing loans and deposits. Its clients include Vialet, Simplex, Bankera, and Perlas Finance.


“We help entrepreneurs with our technology, guiding you from business ideas to successful licensed financial institutions,” the company claims.

BankingLab is a brand owned by Baltic Amber Solutions (BAS), which is headquartered in Vilnius, Lithuania. In an interview with a local news outlet in 2021, BAS head and co-founder Narimantas Bloznelis said: “We want to build a platform corresponding to all fintech solution needs, and to become a financial services Amazon.”

The Cybernews research team has investigated the leak posted by the threat actor, and it turns out to be an SQL database dump and the master key of the PAM360 password management system inside bankinglab.com. Short for “structured query language”, SQL is the language commonly used to manage and query databases, and it is also frequently abused as an attack vector by cybercriminals.

PAM (Privileged Access Management) is an advanced password manager for businesses – an authorization, authentication, and access control system that manages credentials. Our internal investigation revealed that BankingLab was using PAM360 – a product of Zoho ManageEngine.

“Threat actor or actors showing proof that they managed to gain access to the database potentially could have taken over all of the customers' accounts or even created their own account to further pivot and wreak havoc on customers’ credentials,” said Mantas Sasnauskas, head of the Cybernews team.

The threat actor leaked a 108MB database for free. It contains a PostgreSQL dump with large amounts of log data and other sensitive information, such as mail account settings, all user mail settings, agent installation and mobile authorization keys, and other sensitive logs.

Proof of leak

“The potential impact could be immense and depends on BankingLab’s response: whether they saw the breach on time, how long threat actors had access to their systems, and whether they have gained access to customer systems as this opens ways for a possible supply-chain attack,” Sasnauskas said.

Response

“All cyberattacks are more complex. They are not just about one vulnerable product. The cyberattack was large-scale and sophisticated. It is obvious that threat actors have been preparing for it for a long time and in different ways,” Bloznelis told Cybernews after confirming the cyberattack.


Bloznelis said he didn’t want to share any more information about the attack while the investigation was pending but would elaborate once it was over, adding that he had informed all affected clients. BankingLab also informed the Lithuanian State Data Protection Inspectorate.

Cybernews reached out to Lithuanian Bank, an institution that supervises the affected fintech companies, and the State Data Protection Inspectorate, and will update the article accordingly. It also contacted affected companies that seemed to know about the breach.

“Customers’ money is safe. There’s no need to take any action. However, they shouldn’t forget that these are turbulent times and hackers run wild, unleashing different attacks, exploiting social engineering to extract credentials, so customers need to remain vigilant,” Bloznelis said.

Lithuanian Bank said it was informed about the incident last Friday. “To our best knowledge, customers’ money is safe, and the affected institutions have either resumed their operations or will do so shortly,” it told Cybernews.

Law enforcement and the National Cybersecurity Center have also been informed about the incident.

ConnectPay, one of the BankingLab clients, said that its customers’ login information and IDs were not affected by the incident. However, it didn’t rule out the possibility of “all possible consequences of the incident” before the investigation was over.

“Recently, there’s been an increase in cyberattacks targeting fintech companies. Just a week ago, another online bank suffered a cyberattack, affecting some customer data. Given the information war and the increased attack volume since the Russian invasion of Ukraine, ConnectPay has taken additional measures to secure data and boost cybersecurity. It intends to keep strengthening its cybersecurity posture in the future.”