
CyberX9 research team's latest finding

[.c-text-bg-p] Punjab National Bank [.c-text-bg-p] — India's top public bank — [.c-text-bg-pink]kept severely compromising the security of[.c-text-bg-pink] [.c-text-bg-red]funds, personal and financial information[.c-text-bg-red] of [.c-text-800-2]over 180 million[.c-text-800-2] (all) of its customers for [.c-text-underline]~7 months[.c-text-underline]

✍️21 November 2021

[.c-box-inline]Summary[.c-box-inline]

Our research team discovered a very critical security issue in Punjab National Bank (PNB) on 17th November 2021. The issue granted the highest level of administrator privileges on an internal PNB server and, through that server, left a massive number of PNB's systems nationwide wide open to the whole internet for cyber attacks for the last ~7 months.

The vulnerability we discovered in this crucial and sensitive PNB server could have allowed any malicious attacker to obtain the highest level of administrative privilege. Gaining such access, especially on a server to which a large number of computers are connected, very easily opens the door to any computer in that network, including the systems used in PNB's branches and other departments. An attacker could potentially have executed arbitrary code on them remotely, stolen data, made transactions and taken complete control of those connected systems.

The vulnerability we discovered in PNB is one that is being actively exploited worldwide. Malicious attackers have been exploiting it for around the last seven months, yet PNB still had not fixed it when we discovered it.

There is a high possibility that malicious attackers have already exploited this vulnerability in PNB to infiltrate its systems and steal funds or the personal and financial data of over 180 million (all) of its customers. PNB needs a thorough security audit of all of its systems, since they could already have been covertly infiltrated, and simply patching this vulnerability now, after ~7 months, will not by itself secure the bank or its customers' funds and data again. We do not know whether malicious attackers are still inside their systems. Until such an audit has been done, PNB cannot be considered secure.

PNB could easily have fixed the vulnerability we discovered back in May 2021, with nothing more than a security update to a server application, but it did not. This shows PNB's utter carelessness towards the security of the funds and the personal and financial data of over 180 million (all) of its customers.

What potential impact does it have on the security of the funds and the personal and financial data of the over 180 million customers affected? 🤕

This is a very critical vulnerability with massive impact. For example, a malicious attacker could potentially, among many other possibilities, do the following (or might already have done so; we cannot find that out, only a detailed security audit of PNB can):

[.c-text-bg-red]_1._[.c-text-bg-red] Steal customers' and the bank's own funds from the bank

[.c-text-bg-red]_2._[.c-text-bg-red] Steal all confidential financial and personal data of all PNB customers (literally any and all data that customers give to PNB or that PNB holds about its customers)

[.c-text-bg-red]_3._[.c-text-bg-red] Steal all sensitive and confidential emails of the whole bank (all employees)

[.c-text-bg-red]_4._[.c-text-bg-red] Send malicious emails from the email addresses of PNB employees (any employee, even the CEO/MD)

[.c-text-bg-red]_5._[.c-text-bg-red] Take control of all of PNB's digital banking (both internal and customer-facing), for example to carry out transactions

[.c-text-bg-red]_6._[.c-text-bg-red] Disrupt the bank's operations completely

[.c-text-bg-red]_7._[.c-text-bg-red] Compromise the complete security of the bank

[.c-text-bg-red]_8._[.c-text-bg-red] Encrypt all the data for a very large-scale ransomware attack. Ransomware attackers are actively using such vulnerabilities worldwide. With such access to the bank's systems, ransomware attackers would encrypt all the data, collapsing the bank's operations and forcing the bank to pay a ransom of millions of dollars to the attackers.

[.c-script-wrapper-2][.c-box-script-2]PNB has put the funds and the personal and financial data of all (over 180 million) of its customers at massive risk due to this vulnerability for the last ~7 months, and only fixed the vulnerability after CyberX9 discovered it and responsibly reported it through CERT-In and NCIIPC.[.c-box-script-2][.c-script_bottom-star][.c-script_bottom-star][.c-script_top-star][.c-script_top-star][.c-script-wrapper-2]

Some prominent past instances of fines imposed on organisations for such security negligence:

Under the GDPR, British Airways and Marriott both famously received fines of over €10,000,000 for GDPR violations in which they exposed customer data and were fined for insufficient technical and organisational measures to ensure information security (as in PNB's case). You can see other fines issued under the GDPR privacy law for cyber security negligence here.

[.c-row-flex][.c-box-pink]“In July 2019, Equifax settled a lawsuit stemming from its 2017 data breach, which exposed the personal information of 147 million people. Under the settlement with the FTC, CFPB and state attorneys general, Equifax has agreed to spend up to $425 million to help people affected by the data breach.” — Source[.c-box-pink][.c-text-column][.c-text-column][.c-row-flex]

Why did this happen❓

Utter carelessness

Leaving your servers wide open for around seven months to a massive cyber attack, one which could have led (or might already have led) to malicious attackers stealing customers' hard-earned money and personal and financial data, simply because PNB cannot be bothered to follow the most basic cyber security practices, is nothing but utter carelessness towards the security of customers' funds and sensitive data.

PNB's false promises of security

[.c-box-wrapper][.c-box]“Security is our top priority.” — PNB mentions in multiple places on their website[.c-box][.c-box-wrapper]

[.c-box-wrapper][.c-box]Doesn't bother to fix a critical security vulnerability for ~7 months and puts the funds and the personal and financial data of over 180 million (all) of its customers at risk — the evident truth, in reality[.c-box][.c-box-wrapper]

The fact that PNB's server was not only vulnerable to a very critical security vulnerability, but that they did not fix it for around seven months, proves that they do not even remotely stand by their promises of security.

No security contact

PNB does not mention any way to contact its security team (if one even exists) to responsibly report security vulnerabilities. In contrast, most companies and banks nowadays do publish such a contact, since it helps researchers report security issues to them quickly.

How we got the vulnerability fixed? 🔧

PNB does not mention any cyber security contact anywhere for responsibly reporting security vulnerabilities, which is an extremely bad practice today. As a result, we had to report the vulnerability through the Government of India's CERT-In and NCIIPC, which coordinate responsible disclosure of critical vulnerabilities in India.

Below is our timeline of communication with both CERT-In and NCIIPC.

[.c-text-bg-pink]1. CERT-In[.c-text-bg-pink]

18th Nov 2021: Reported to CERT-In

18th Nov 2021: They responded saying:

[.c-box-wrapper][.c-box]“Thank you for reporting this incident to CERT-In. We have registered your complaint/incident under CERTIn-10084121. We are in process of taking appropriate action with the concerned authority.”[.c-box][.c-box-wrapper]

19th Nov 2021: Our research team checked whether the vulnerability had been fixed yet and found that it had.

[.c-text-bg-pink]2. NCIIPC[.c-text-bg-pink]

18th Nov 2021: Reported to NCIIPC

18th Nov 2021: They responded saying:

[.c-box-wrapper][.c-box]“1. We acknowledge the issue reported by you. 2. We are in the process of verification and remediation in coordination with the respective stakeholder(s) and look forward to your continued contribution.”[.c-box][.c-box-wrapper]

19th Nov 2021: Our research team checked whether the vulnerability had been fixed yet and found that it had.

What should be done now? 🔭

There is an urgent and important need for an independent and fair security audit of Punjab National Bank, ordered by the Government of India, since:

[.c-text-bg-pink]_1._[.c-text-bg-pink] there is a high possibility that malicious attackers have already exploited this vulnerability in PNB, since it is a widely exploited vulnerability and PNB had been vulnerable to it for the last ~7 months. The attackers might have stolen a large amount of funds or sensitive data, or there might be attackers still inside their systems.

[.c-text-bg-pink]_2._[.c-text-bg-pink] their security practices and posture clearly appear to be in a very poor state, which puts not only PNB at risk but, above all, PNB's customers' funds and personal and financial information at great risk.

PNB needs a thorough security audit of all of its systems, since they could already have been covertly infiltrated, and simply patching this vulnerability now, after ~7 months, will not by itself secure the bank or its customers' funds and data again.

Given the scale of PNB's network (an extremely large number of systems, including the computers in bank branches and other servers), it will take more than a month, even for a very large team of skilled security and forensic engineers, to re-secure everything and to find and clean up any infiltration. Until then, PNB cannot be considered secure.

What companies can do to avoid such issues? 🛑

We strongly recommend that companies treat cyber security not as optional but as one of the most important things they do. All companies should have regular security testing of their applications done by experienced and skilled cyber security service providers to avoid such vulnerabilities. Banks and similar financial organisations in particular, which handle massive amounts of sensitive and confidential data of millions of people, should have continuous security testing of their applications done by skilled cyber security service providers.

Press: for any questions relating to this finding, feel free to contact us at press@cyberx9.com