In Nepal, cyber-attacks seem to be becoming something of a trend, with government and private websites alike feeling the heat. We have all seen security researchers waving their flags, trying to warn Nepali companies about holes in their systems, but sometimes it feels like they are shouting into the void. Remember when Foodmandu and Vianet got breached and had a taste of this in 2020? Well, now Nepal Rastra Bank has joined the club.
On Sunday, December 17, 2023, a user going by “badbuddha” posted on a dark web forum, claiming to possess the source code and sensitive information of Nepal’s central bank, Nepal Rastra Bank, with an asking price of $10,000.
“I want to sell this data because while I reported lots of bugs, they did not respond well. I need money, that’s why I want to sell. This is one of the largest banks in Nepal,” the post mentions.
Although Nepal Rastra Bank was not explicitly named, the mention of its revenue made it evident. The post quickly spread, catching the attention of Techpana and making the rounds in cybersecurity groups such as Pentester Nepal. Nepal Rastra Bank’s response was cautious; an employee told Techpana, “It is not possible to say whether what the hacker claims is true or not, it may be. We have done a very good security update lately. From our point of view, it should not be.”
The bank did, however, take decisive action on February 22, 2024, filing a complaint with the Cyber Bureau and asking it to investigate. Subsequently, on March 14, authorities arrested 26-year-old Navraj Lamichhane, a resident of Pokhara, Kaski, in connection with the incident.
How was Navraj arrested?
The Cyber Bureau’s investigation revealed that the IP addresses 27.34.48.211 and 27.34.48.163 had been making persistent attempts to access Nepal Rastra Bank’s web applications without authorisation. On closer examination, these IP addresses were found to belong to a subscriber account known as “pradip67 fpkhr”.
Judging by the username, the ISP appears to have been Pokhara Internet Pvt Ltd. With the cooperation of the ISP and Nepal Telecom, law enforcement traced the subscriber behind these IP addresses to Navraj Lamichhane. A case was then promptly filed against Lamichhane under the Electronic Transactions Act, 2008. With the court’s approval an arrest warrant was issued, and Lamichhane was arrested in a joint operation by the Cyber Bureau and the District Police Office, Kaski.
How did Navraj manage to steal the data?
Navraj Lamichhane was found to have used multiple automated tools, generating a significant volume of traffic from his IP address. According to Lamichhane, he studied bugs and vulnerabilities in websites on the Internet in his spare time, teaching himself ethical hacking, web development and digital forensics online.
Lamichhane used “Google Dorking” to dig deep into Nepal Rastra Bank’s domain, surfacing pages and files that do not normally show up in ordinary search results. Google Dorking is the use of advanced search operators (such as site:, inurl:, intitle: and filetype:) to narrow Google’s index down to specific strings, paths or file types on a target domain. It bypasses no access control; it simply turns up content that was indexed without the site owner noticing, which is why it is usually the first, and quietest, step of reconnaissance.
He then ran automated tools such as WPScan against the Nepal Rastra Bank websites built on WordPress, looking for vulnerabilities tied to the specific WordPress core, plugin and theme versions in use.
WPScan is an automated scanner that fingerprints a site’s WordPress version, plugins and themes and looks them up in a database of publicly disclosed vulnerabilities (CVEs). It does not need to exploit anything to be noisy: the enumeration alone sends a large number of HTTP requests to the target server, and by default it announces itself with a distinctive User-Agent string. This is what Lamichhane ran against Nepal Rastra Bank’s WordPress subdomains.
Lamichhane also mentioned discovering Nepal Rastra Bank’s root domain and an exposed Git directory. When a web server happens to serve the site’s .git directory, tools such as “git-dumper” can reconstruct the whole repository from it, recovering the source code and whatever sensitive information was committed alongside it. Lamichhane was further found to have injected payloads to carry out attacks such as “Remote Code Execution” and “Local File Inclusion.”
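To make the Git-directory problem concrete, here is an added example (my own illustration, not code from the article, from git-dumper or from the bank) in Python that does the first thing git-dumper does: fetch .git/HEAD, .git/config and .git/packed-refs and check whether they parse as real Git files. The fetch function is supplied by the caller, so the check runs here against constructed responses for made-up hostnames, and it treats a soft-404 page (an HTML "not found" page returned with status 200) as not exposed.

```python
"""Checking whether a site serves its .git directory (the exposure git-dumper exploits).

Added example, not code from the article, from git-dumper or from Nepal Rastra Bank.
The network layer is a caller-supplied fetch(url) -> body-or-None so the check runs
offline against constructed responses; the host names below are made up.
"""
import re
from typing import Callable, Dict, Optional

# A real .git/HEAD is a symbolic ref or a bare 40-hex commit id, nothing else.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")
SECTION_RE = re.compile(r'^\[(\w+)(?: "([^"]+)")?\]\s*$')
OPTION_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_git_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for .git/config: {'remote "origin"': {'url': ...}, ...}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1) if m.group(2) is None else f'{m.group(1)} "{m.group(2)}"'
            current = sections.setdefault(name, {})
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def check_git_exposure(fetch: Callable[[str], Optional[str]], base: str) -> dict:
    """Probe the same files git-dumper starts from and summarise what they leak."""
    result = {"exposed": False, "head": None, "remotes": {}, "branches": []}
    head = fetch(f"{base}/.git/HEAD")
    # A soft-404 body does not match HEAD_RE, so a response alone is not proof.
    if head is None or not HEAD_RE.match(head):
        return result
    result["exposed"] = True
    result["head"] = head.strip()
    config = fetch(f"{base}/.git/config")
    if config:
        for name, opts in parse_git_config(config).items():
            if name.startswith("remote ") and "url" in opts:
                result["remotes"][name.split('"')[1]] = opts["url"]
    packed = fetch(f"{base}/.git/packed-refs")
    if packed:
        for line in packed.splitlines():
            parts = line.split()  # comment and "^" peel lines never have 2 fields
            if len(parts) == 2 and parts[1].startswith("refs/heads/"):
                result["branches"].append(parts[1].removeprefix("refs/heads/"))
    return result


# Constructed responses: one host leaks its repository, one answers every URL with a soft-404.
LEAKY_SITE = {
    "https://leaky.example.test/.git/HEAD": "ref: refs/heads/main\n",
    "https://leaky.example.test/.git/config": (
        "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
        '[remote "origin"]\n\turl = git@github.com:example/site.git\n'
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
    ),
    "https://leaky.example.test/.git/packed-refs": (
        "# pack-refs with: peeled fully-peeled sorted\n"
        "1111111111111111111111111111111111111111 refs/heads/main\n"
        "2222222222222222222222222222222222222222 refs/remotes/origin/main\n"
    ),
}


def fetch_leaky(url: str) -> Optional[str]:
    return LEAKY_SITE.get(url)


def fetch_soft404(url: str) -> Optional[str]:
    return "<html><body>Page not found</body></html>"
```

The fix is to stop the web server from serving the directory at all (for example an nginx `location ~ /\.git { return 404; }` block), and better still to deploy from a build artefact so that no `.git` directory ever reaches the document root.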
Remote Code Execution is a vulnerability class in which an attacker gets the server to run code of their choosing, which typically means complete control of the compromised machine. Local File Inclusion tricks the application into reading or including files from the server’s own filesystem, potentially exposing sensitive information.
Some files on a server are never meant to be reachable from the web. An attacker looks for a parameter whose value is used to build a file path without proper validation and supplies something like ../../etc/passwd to walk out of the intended directory; this is an LFI attack, and it exposes any file the web server process has permission to read, not just the files that were meant to be served. Lamichhane used this method on Nepal Rastra Bank’s server to reach sensitive files.
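As an added example (not code from the article or from the bank’s application), the following Python shows the vulnerable pattern beside the hardened one. It builds a throwaway directory so that `../../config.php` really does resolve to a file outside the web root; the file and function names are invented for the demonstration.

```python
"""Local File Inclusion: the vulnerable resolver next to a hardened one.

Added example, not code from the article or from Nepal Rastra Bank's application;
it builds a throwaway directory with constructed files so both resolvers can be
compared offline. Function and file names are made up for the demonstration.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_vulnerable(web_root: str, page: str) -> Path:
    """The bug: the request parameter is glued onto the root with no check.

    ../ sequences walk out of web_root, and an absolute value such as
    /etc/passwd replaces it entirely (os.path.join discards the left side).
    """
    return Path(os.path.join(web_root, page)).resolve()


def resolve_hardened(web_root: str, page: str) -> Optional[Path]:
    """Resolve the candidate, then require that it still lies under web_root."""
    if "\x00" in page:
        return None  # null bytes are a classic way to truncate the path
    root = Path(web_root).resolve()
    candidate = (root / page).resolve()  # symlinks and ../ are collapsed here
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # escaped the root: refuse rather than serve
    return candidate if candidate.is_file() else None


def read_page(web_root: str, page: str) -> Optional[str]:
    """What a hardened include handler does with ?page=... : None means refuse."""
    path = resolve_hardened(web_root, page)
    return path.read_text() if path else None


def build_demo_root() -> str:
    """Constructed layout: <tmp>/config.php (secret) and <tmp>/web/pages/about.html (public)."""
    base = Path(tempfile.mkdtemp())
    pages = base / "web" / "pages"
    pages.mkdir(parents=True)
    (pages / "about.html").write_text("<h1>About</h1>")
    (base / "config.php").write_text("<?php $db_pass = 'constructed-secret';")
    return str(pages)


if __name__ == "__main__":
    root = build_demo_root()
    print("vulnerable:", resolve_vulnerable(root, "../../config.php"))
    print("hardened:  ", resolve_hardened(root, "../../config.php"))
```

Note that an allow-list of page names is stronger still; the resolve-then-check pattern above is the minimum that makes a path parameter safe, and it only works if the check happens on the resolved path rather than on the raw string.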
Lamichhane also used tools such as “Wayback URL” to pull historical URLs for the domain from the Wayback Machine and enumerate the parameters they exposed. He then ran “SQLmap” to carry out “SQL injection” attacks, which let him read and manipulate the database’s data. SQL Injection occurs when user input is spliced into the text of a SQL query instead of being bound as a parameter, so that carefully crafted input is parsed as SQL and can read, alter or delete the database’s data.
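Here is an added Python example (mine, not the article’s and not from any bank system) of exactly what sqlmap exploits: a query built by string formatting next to the same query with a bound parameter, run against a constructed in-memory SQLite table. The payloads are the classic kind sqlmap tries first, including one that pulls the schema out of `sqlite_master` and one that turns a single-row UPDATE into a table-wide one.

```python
"""SQL injection: the string-built query beside the parameterised one.

Added example, not code from the article or from any Nepal Rastra Bank system;
the users table and its rows are constructed in an in-memory SQLite database.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "staff"),
         ("bob", "bob@example.test", "staff"),
         ("admin", "admin@example.test", "admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """The bug: input is spliced into the SQL text, so a quote in the input
    closes the string literal and everything after it is parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterised: the driver binds the value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def change_email_vulnerable(conn: sqlite3.Connection, username: str, new_email: str) -> int:
    """Same bug on a write path; returns how many rows the UPDATE touched."""
    sql = f"UPDATE users SET email = '{new_email}' WHERE username = '{username}'"
    return conn.execute(sql).rowcount


# Payloads of the kind sqlmap sends automatically.
DUMP_ALL = "' OR '1'='1"                                        # WHERE ... = '' OR '1'='1'
SCHEMA_LEAK = "x' UNION SELECT name, sql FROM sqlite_master--"   # reads table definitions
HIJACK_UPDATE = "bob' OR '1'='1"                                # widens the UPDATE to every row


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, DUMP_ALL))
    print("safe:      ", lookup_safe(db, DUMP_ALL))
    print("schema:    ", lookup_vulnerable(db, SCHEMA_LEAK))
```

SQLite refuses stacked statements through `execute`, which is why the manipulation payload here rides on an UPDATE’s WHERE clause rather than appending a second statement; on MySQL or MSSQL with multi-statement support the same flaw also allows `; DROP TABLE ...`.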
Additionally, Lamichhane used “Nmap” to identify open ports and service information and “gobuster” to brute-force and enumerate hidden directories and endpoints. “Nuclei” helped identify vulnerabilities and map them to CVEs, while other automated tools were used to enumerate subdomains and fire injection payloads in attempts to gain unauthorised access.
Lamichhane then used the intercepting proxy “Burp Suite” to manually test and refine all those scripts and payloads.
How did the police identify his IP?
Because of his heavy use of automated tools, Lamichhane’s computer sent a constant barrage of requests to Nepal Rastra Bank’s server. These tools probed tirelessly for vulnerabilities, issuing huge numbers of HTTP requests and trying one injection payload after another.
Consequently, when the police inspected the server logs, they found the IP addresses 27.34.48.211 and 27.34.48.163 repeatedly sending requests carrying different scripts and payloads in attempts to gain unauthorised access. That is the practical lesson for defenders: automated scanning is loud, and a web server’s access log records every request with its source IP, timestamp, path and User-Agent, so one address firing thousands of requests with scanner signatures stands out even without dedicated security tooling, provided someone actually reads the logs.
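To show what the investigators would have been looking at, here is an added Python example (constructed by me, not from the article or the Cyber Bureau) that runs over a handful of made-up access-log lines in the common combined format. It flags a source IP for any of three reasons: a scanner User-Agent such as WPScan, sqlmap or gobuster, an attack payload in the request line, or a burst above a per-minute threshold. The two attacker addresses reuse the ones named in the article; every other value is invented.

```python
"""Spotting a scanner in web server access logs.

Added example, not code from the article or from the Cyber Bureau's investigation.
The log lines are constructed in the Apache/Nginx "combined" format; the two
source addresses reuse the ones named in the article, everything else is made up.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Iterator, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Default User-Agents of the tools the article lists. Trivially changed by the
# attacker, so this is one signal among three, not the only one.
SCANNER_UA = re.compile(r"wpscan|sqlmap|gobuster|nuclei|nikto|dirbuster", re.I)
# Traversal, PHP stream wrappers, exposed-repo probes and SQL syntax in the request line.
PAYLOAD = re.compile(
    r"\.\./|/etc/passwd|php://|/\.git/|union(\s|%20)+select|'(\s|%20)*or(\s|%20)*'|sleep\(",
    re.I,
)


def parse_combined(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def find_scanners(lines: Iterable[str], per_minute_threshold: int = 60) -> Dict[str, dict]:
    """Return {ip: {"requests", "peak_per_minute", "reasons"}} for every IP that
    used a scanner User-Agent, sent an attack payload, or exceeded the rate."""
    stats = defaultdict(lambda: {"requests": 0, "minutes": defaultdict(int), "reasons": set()})
    for rec in parse_combined(lines):
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["minutes"][rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
        if SCANNER_UA.search(rec["ua"]):
            s["reasons"].add("scanner user-agent: " + rec["ua"].split()[0])
        if PAYLOAD.search(rec["path"]):
            s["reasons"].add("attack payload in URL")
    flagged: Dict[str, dict] = {}
    for ip, s in stats.items():
        peak = max(s["minutes"].values())
        if peak > per_minute_threshold:
            s["reasons"].add(f"{peak} requests in one minute")
        if s["reasons"]:
            flagged[ip] = {"requests": s["requests"], "peak_per_minute": peak,
                           "reasons": sorted(s["reasons"])}
    return flagged


def constructed_log() -> List[str]:
    """Constructed sample: one ordinary visitor, a WPScan run, an LFI probe,
    a sqlmap probe, and a gobuster wordlist burst of 120 requests in one minute."""
    lines = [
        '203.0.113.7 - - [10/Jan/2024:14:01:58 +0545] "GET /wp-content/uploads/notice.pdf HTTP/1.1" 200 18021 "https://www.example.test/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0"',
        '27.34.48.211 - - [10/Jan/2024:14:02:11 +0545] "GET /wp-login.php HTTP/1.1" 200 2371 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"',
        '27.34.48.211 - - [10/Jan/2024:14:02:12 +0545] "GET /readme.html HTTP/1.1" 200 7371 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"',
        '27.34.48.211 - - [10/Jan/2024:14:03:40 +0545] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1311 "-" "Mozilla/5.0"',
        '27.34.48.211 - - [10/Jan/2024:14:05:02 +0545] "GET /news.php?id=1%27%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 500 0 "-" "sqlmap/1.7.12#stable (https://sqlmap.org)"',
    ]
    for i in range(120):  # gobuster hammering a wordlist inside a single minute
        lines.append(
            f'27.34.48.163 - - [10/Jan/2024:14:10:{i % 60:02d} +0545] '
            f'"GET /backup{i} HTTP/1.1" 404 196 "-" "gobuster/3.6"'
        )
    return lines


if __name__ == "__main__":
    for ip, info in find_scanners(constructed_log()).items():
        print(ip, info)
```

The User-Agent check is the weakest of the three signals, since every tool listed accepts a custom User-Agent flag; the rate and payload signals are what catch a scanner that has bothered to hide.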
What was Navraj’s intention?
Initially, Navraj was focused on reporting vulnerabilities to Nepal Rastra Bank. He claims to have sent these reports to the bank but felt his efforts were disregarded. According to an employee of the bank’s IT department with 21 years of experience, Navraj contacted them by phone to point out weaknesses in the ‘online bidding system software’.
The employee relayed this information to the system provider, who assured them that the issue had been addressed. Shortly afterwards, however, a cybersecurity researcher alerted the bank that Nepal Rastra Bank’s source code had appeared for sale on the dark web.
Navraj vented his frustration on the dark web forum, writing, “I want to sell this data because while I reported lots of bugs, they did not respond well. I need money, that’s why I want to sell.” He alleges that his reports were ignored, and that this is what led him to sell the data for financial gain.
Is it wrong to find and report vulnerabilities? Is Navraj a culprit?
In my personal opinion, yes, Navraj is indeed a culprit. Nobody is permitted to run injection attacks against a system without prior authorisation and permission from its owner.
There have been numerous similar cases in which people, even with good intentions, reported vulnerabilities to a company only to face legal action later for unauthorised access. Whatever Navraj’s intentions were at the start, he never sought permission, and written authorisation (or a published vulnerability disclosure policy) is what separates a security researcher from an intruder.
It’s like robbing a bank and then telling the bank how you did it. Navraj misused his knowledge and ultimately leaked the data, which is a crime.