How a known flaw turned into a Bank Breach?
Inside: headlines across African infosec
CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.
HIGHLIGHTS
How a known flaw turned into a Bank Breach?
Money used to exist as physical cash, but more recently it has taken the form of digits on screens, passed from one party to another through what should be secure, monitored transfer protocols. Although these transactions appear on users’ screens, they are actually managed by code running on servers in data centres.
Like the computers you’re familiar with, these servers run different software at both the operating system level and the application level. A typical bank will have a heavy-duty mainframe system to process the millions of transactions it handles each minute. That system is tightly controlled and difficult to breach, but it is connected to smaller networks that are often less secure. Just as your phone runs Android or iOS, most bank servers run one of the two popular enterprise Linux distributions: Red Hat Enterprise Linux or Oracle Linux. These are preferred because they are backed by companies that provide security support and regular updates: if a flaw is found today, Red Hat or Oracle will provide a patch to their respective users.
Beyond the operating system, there is also the application layer. You’re reading this in your browser or email app; bank servers, in turn, use middleware such as WebLogic to coordinate the flow of data between user requests and the bank’s database. Vulnerabilities often live in this "middle" layer. In this case, the issue was a remote code execution vulnerability in WebLogic, first disclosed in a critical security advisory last year and tracked as CVE-2025-61882.
Last week, ByteToBreach, a threat actor known for targeting Oracle-run servers (which underpin many banking servers), announced that it had breached Sterling Bank, Nigeria’s ninth-largest bank, using a flaw disclosed as early as October 2025. The attackers themselves noted the irony, describing the bank’s security as "an open door," and pointing out that the vulnerability had remained unpatched for months. ByteToBreach also compromised Remita, although through a different attack vector. In this case, they targeted API integrations to extract transaction metadata.
As of now, there has been no public disclosure on the cases from the affected institutions or from Nigerian regulators (who are in the process of establishing a new “cybersecurity coordination council”). It also remains unclear whether forensic investigations are ongoing or whether the companies have successfully removed the actor's persistence from their networks.
FEATURES
HEADLINES
WhatsApp fraud ring targeting Tanzanian elites exposed in Tabora
Niger: President Tiani officially launches the new biometric national identity card
Cybersecurity directive launched to safeguard Ghana’s financial sector
Women in cybersecurity promotes data protection among students
Tanzania’s data protection commission issues final warning ahead of April enforcement deadline
Digital ID registration to continue after Kigali rollout ends
Statistics South Africa data breach: XP95 ransomware group targets HR database
ACROSS THE WORLD
See you next week.