Cyber Incident Victim: BankingLab
Date: Sep 2022
Location: Lithuania
Summary
A fintech software-as-a-service platform suffered a data breach after threat actors exploited a critical vulnerability in Zoho's ManageEngine product, compromising sensitive customer information. The attackers gained full server permissions and accessed transaction flows, identity data, and an SQL database dump containing user logs, email settings, and authorization keys. They also obtained the master key for a password management system, creating a risk of account takeovers and further attacks on downstream financial institutions. The organization confirmed the incident and notified affected clients and authorities; financial regulators assured customers that their funds remained secure but advised vigilance. Several fintech firms relying on the platform were impacted, though some stated that login credentials were not immediately compromised.
Description
In late September 2022, BankingLab, a software-as-a-service platform providing digital banking solutions to fintech companies, suffered a data breach resulting from the exploitation of a critical vulnerability in Zoho’s ManageEngine product. The vulnerability, a remote code execution flaw in ManageEngine rated 9.8 out of 10 on the CVSS scale, had been patched by Zoho on June 24 but remained actively exploited in the wild, prompting a warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) days before the BankingLab incident. Threat actors leveraged this vulnerability to compromise BankingLab’s network, which relied on ManageEngine for protection. On September 24, a hacker forum user publicly claimed to have obtained full server permissions and access to BankingLab’s customer data, including transaction flows and identity information. The attacker offered to distribute the master key for BankingLab’s PAM360 password management system, which contained SSH keys and system passwords, and shared an SQL database dump comprising user logs, email settings, and authorization keys. This breach exposed sensitive operational and customer data from BankingLab’s fintech clients, which included Vialet, Simplex, Bankera, and Perlas Finance.

The breach posed significant risks, including potential account takeovers and lateral attacks against BankingLab’s clients. BankingLab’s CEO confirmed the cyberattack but declined to disclose specifics while an investigation was ongoing. The company notified affected clients and relevant authorities, including law enforcement and cybersecurity agencies. The Lithuanian Bank, which supervises several affected fintech firms, assured customers their funds remained secure but advised vigilance. One client, ConnectPay, stated its login data was not compromised but acknowledged uncertainty about future repercussions. The incident highlighted threats to interconnected fintech ecosystems, as attackers could exploit centralized platforms to target multiple downstream businesses. BankingLab’s reliance on a known but unmitigated vulnerability underscored the operational consequences of delayed security updates, while the public release of credential master keys and database dumps amplified the potential for secondary attacks.
