Sterling Bank Plc: Breach Technical Analysis

On March 18, 2026, a threat actor operating under the alias ByteToBreach gained unauthenticated remote code execution on Sterling Bank Plc’s internet-facing pilot infrastructure by exploiting CVE-2025-55182, a publicly disclosed and patchable vulnerability in a React-based web application framework. Initial access was achieved at 5:49 pm Lagos time against the host enf-pilot.sterling.ng.
Over the nine days that followed, the actor deployed persistence mechanisms, conducted internal network enumeration across Sterling Bank’s OpenShift/Kubernetes cluster, extracted hardcoded AES encryption keys from JavaScript bundles, exploited broken access controls across multiple internal API surfaces, accessed the Temenos T24 core banking SOAP API without appropriate authorisation, and pivoted laterally into Cardinal Stone Partners’ database infrastructure via a phpMyAdmin instance with administrative access.
The actor published findings on DarkForums.su on March 27, 2026, claiming compromise of approximately 900,000 customer accounts and 3,009 employee records.
WSL’s independent analysis of the published artefacts confirms that the claims are technically substantiated.
You can read the full narrative breakdown here, including timelines and exposure.
Key Findings
| Finding | Detail |
|---|---|
| Initial access vector | CVE-2025-55182 — unauthenticated RCE, React framework. Publicly known and patchable. |
| Persistence | Sliver C2 framework, MTLS beaconing on port 443 to 152.32.180.243 |
| Internal attack surface | 168 open services on 172.27.0.0/16 including dev servers in production pods |
| Cryptographic failure | AES keys hardcoded in Next.js JavaScript bundle |
| Core banking exposure | Temenos T24 SOAP APIs callable without customer-level authorisation controls |
| Credit bureau exposure | CRC bureau API queryable via BVN — full consumer profiles returned |
| Third-party compromise | Cardinal Stone Partners — phpMyAdmin admin access, full investment database |
| Regulatory exposure | NDP Act 2023 |
Attack Timeline
| Timestamp (UTC) | Event |
|---|---|
| 2026-03-18 16:49:41 | CVE-2025-55182 exploit fires against enf-pilot.sterling.ng. Shell opens. Actor IP 206.217.216.145 → 196.41.84.199:3034. |
| 2026-03-18 to 03-21 | Reconnaissance: Kubernetes env enumeration, Swagger mapping, port scan, AES key extraction, custom tooling downloaded from C2. |
| 2026-03-22 04:31:35 | Sliver C2 first check-in. Session ACCESSIBLE_OUTLAY. Host: enf-fe-pilot-6c5c9f48b. Alpine Linux, amd64, kernel 5.14. MTLS → 152.32.180.243:443. |
| 2026-03-22 to 03-23 | Employee API enumeration. Dump V1 (2,215 records), Dump V2 (2,237 records). Temenos T24 SOAP exploitation begins. Second Sliver session DAMP_SHIRT established. |
| 2026-03-23 03:41:26 | CRC bureau API queried using the CEO's BVN. Full credit profile returned. |
| 2026-03-23 | Temenos account/transaction data extracted (Dumps V3, V4). Cardinal Stone phpMyAdmin access established. |
| 2026-03-27 | Forum post published on DarkForums.su. All artefacts made public. |
Initial Access: CVE-2025-55182
Vulnerability
CVE-2025-55182 is an unauthenticated remote code execution vulnerability in a React-based web application framework. It permits an attacker to send a malformed request to an exposed endpoint and execute arbitrary OS commands with the privileges of the application process, no authentication required.
The vulnerability was publicly disclosed and patched prior to March 2026. It was formally catalogued in the NVD, making it available to any organisation with a functioning vulnerability management programme.
Exploitation Details
| Parameter | Value |
|---|---|
| Exploit module | multi/http/react2shell_unauth_rce_cve_2025_55182 (Metasploit module naming; the module name and the compromised container indicate a Next.js application) |
| Target host | enf-pilot.sterling.ng |
| Actor host (LHOST, reverse-shell callback) | 206.217.216.145 |
| Actor listener (LPORT) | 206.217.216.145:4444 |
| Victim endpoint (RHOST:RPORT) | 196.41.84.199:3034 |
| Timestamp | 2026-03-18 16:49:41 UTC |
| Post-exploitation user | nextjs (UID 1001, GID 65533) |
| Environment | OpenShift pod: Alpine Linux, Node.js application container |
Institutional Failure Analysis
Exploitation of CVE-2025-55182 required three conditions to hold at once: (1) a vulnerable software version deployed on an internet-accessible host; (2) the available patch not applied; (3) no compensating control blocking or detecting the exploit. All three held. The "pilot" designation does not reduce the exposure: enf-pilot.sterling.ng had a public DNS record, an internet-routable IP, and enough internal connectivity to serve as an entry point into the production cluster. Running the application as the unprivileged nextjs user limited what the actor could do on the node, but not in the cluster; the pod's environment and the credentials reachable from it were sufficient for everything that followed.
Based on the available evidence, Sterling Bank's vulnerability management process did not cover non-production environments: a publicly known, patchable CVE remained unmitigated on an internet-facing host.
Persistence
Deployment Details
| Parameter | Value |
|---|---|
| Framework | Sliver (open-source C2, adopted by criminal and APT actors since 2022) |
| Session name 1 | ACCESSIBLE_OUTLAY |
| Host 1 | enf-fe-pilot-6c5c9f48b (OpenShift pod) |
| Session name 2 | DAMP_SHIRT |
| Host 2 | 4c1ce4744c9a (Tomcat-based pod, reached by lateral movement) |
| OS | Alpine Linux, amd64 (container image) |
| Kernel | 5.14.0-284.82.1.el9_2.x86_64 (as reported from inside the container, this is the RHEL 9.2-based kernel of the OpenShift 4.x node, not part of the Alpine image) |
| C2 transport | MTLS (mutual TLS) on port 443 |
| C2 endpoint | 152.32.180.243:443 |
| Beacon interval | 60 seconds |
| First check-in | 2026-03-22 04:31:35 UTC |
Detection Evasion
MTLS beaconing on port 443 blends with legitimate HTTPS traffic and evades network inspection that does not look at connection metadata. Because the channel is mutually authenticated, a TLS-intercepting proxy cannot complete the handshake and read the content either; what it can do is fail the connection, which is itself a usable signal. Pod-level deployment means host-based detection that does not extend into container workloads produces no signal. A 60-second interval is slow enough to resemble ordinary keep-alive traffic on casual review, though its regularity stands out in flow analytics.
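The metadata-only detection the paragraph above implies, as an added example that is not part of the original report or the actor's tooling, and which also serves the egress-monitoring recommendation later in this report: the script scores outbound connection records for fixed-period beaconing to external addresses. The flow records are constructed, the 10.128.2.15 pod address is hypothetical, and only the C2 address and port come from the report.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed flow records for illustration (not Sterling Bank telemetry):
# (epoch_seconds, src_ip, dst_ip, dst_port). The source is a hypothetical pod IP
# on an OpenShift-style 10.128.0.0/14 pod network.
POD_IP = "10.128.2.15"


def _series(start, src, dst, dport, gaps):
    """Build one connection series from a start time and the gaps between connections."""
    flows, t = [(start, src, dst, dport)], start
    for g in gaps:
        t += g
        flows.append((t, src, dst, dport))
    return flows


FLOWS = (
    # Sliver-style beacon: nominal 60 s with a few seconds of jitter, to the C2 on 443.
    _series(1_000_000.0, POD_IP, "152.32.180.243", 443,
            [60, 58, 63, 59, 61, 62, 57, 60, 64, 58, 60])
    # In-cluster calls to an internal service: periodic, but not external, so out of scope.
    + _series(1_000_010.0, POD_IP, "172.27.120.72", 443, [60] * 11)
    # Irregular external traffic (RFC 5737 documentation address): must not be flagged.
    + _series(1_000_005.0, POD_IP, "203.0.113.10", 443, [5, 300, 2, 900, 1, 45, 10, 600])
)

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 destinations; cluster-internal traffic is not egress beaconing."""
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


def beacon_candidates(flows, min_hits=8, max_cv=0.15):
    """Return (src, dst, dport, mean_gap, cv) for external destinations contacted at
    near-constant intervals. cv is the coefficient of variation of the gaps between
    successive connections; a low cv over many connections is the signature of a timed
    beacon, and it is visible whether or not the payload can be decrypted."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in flows:
        if not is_internal(dst):
            by_tuple[(src, dst, dport)].append(ts)
    hits = []
    for key, times in by_tuple.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            hits.append((*key, round(mean_gap, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, dport, mean_gap, cv in beacon_candidates(FLOWS):
        print(f"{src} -> {dst}:{dport}  mean gap {mean_gap}s  cv {cv}")
```

The same scoring runs unchanged over Zeek conn.log or NetFlow exports once the four fields are extracted; the thresholds (eight connections, cv at or below 0.15) are a starting point and should be tuned against the cluster's own egress baseline.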
Internal Reconnaissance
Kubernetes Environment Variable Enumeration
Kubernetes injects the address and port of every Service in a pod's namespace into the pod's environment as variables (unless the pod spec sets enableServiceLinks: false); the kubernetes API service variables are always present. The actor ran env inside the Sliver session and immediately obtained the internal service topology without additional tooling. Selected extracted endpoints:
STERLING_PRO_V2_PAPPS_TRANSFER_PILOT_SERVICE_HOST=172.27.162.87
STERLING_PRO_V2_ACCOUNT_PILOT_PORT_443_TCP_ADDR=172.27.120.72
ONETOKEN_ADMIN_PILOT_PORT=tcp://172.27.94.46:3000
KUBERNETES_PORT=tcp://172.27.0.1:443
STERLINGPROV2_ADMINFRONTEND_PILOT_SERVICE_HOST=172.27.86.161
STERLING_PRO_V2_BILLSPAYMENT_PILOT_PORT_443_TCP=tcp://172.27.8.144:443
STERLING_PRO_V2_DASHBOARD_PILOT_PORT_443_TCP=tcp://172.27.181.155:443
DISPUTERESOLUTION_FE_PILOT_SERVICE_HOST=172.27.198.114
IKOLLECT_FE_PILOT_PORT_443_TCP_ADDR=172.27.79.248
TORRISTA_FE_PILOT_SERVICE_HOST=172.27.146.121
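The reconstruction of a service inventory from those variables, as an added example (not the actor's tooling and not code from the report): the parser below handles each variable shape Kubernetes emits and turns the `env` output into a target list. The sample input is the ten lines above plus constructed extras (a *_SERVICE_PORT and *_PORT_8080_TCP_PORT pair and two non-service variables) so every rule is exercised.

```python
import re
from collections import defaultdict

# Constructed `env` output: the lines listed in the report, plus a few extra variable forms
# and two non-service variables so the parser is exercised on every shape Kubernetes emits.
SAMPLE_ENV = """\
STERLING_PRO_V2_PAPPS_TRANSFER_PILOT_SERVICE_HOST=172.27.162.87
STERLING_PRO_V2_ACCOUNT_PILOT_PORT_443_TCP_ADDR=172.27.120.72
ONETOKEN_ADMIN_PILOT_PORT=tcp://172.27.94.46:3000
KUBERNETES_PORT=tcp://172.27.0.1:443
STERLINGPROV2_ADMINFRONTEND_PILOT_SERVICE_HOST=172.27.86.161
STERLING_PRO_V2_BILLSPAYMENT_PILOT_PORT_443_TCP=tcp://172.27.8.144:443
STERLING_PRO_V2_DASHBOARD_PILOT_PORT_443_TCP=tcp://172.27.181.155:443
DISPUTERESOLUTION_FE_PILOT_SERVICE_HOST=172.27.198.114
IKOLLECT_FE_PILOT_PORT_443_TCP_ADDR=172.27.79.248
TORRISTA_FE_PILOT_SERVICE_HOST=172.27.146.121
TORRISTA_FE_PILOT_SERVICE_PORT=8080
TORRISTA_FE_PILOT_PORT_8080_TCP_PORT=8080
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
HOME=/home/nextjs
"""

# Most specific rule first: the generic *_PORT rule would otherwise swallow *_PORT_443_TCP_PORT.
_NAME_RULES = [
    (re.compile(r"^(?P<svc>.+)_PORT_(?P<port>\d+)_(?P<proto>TCP|UDP|SCTP)_ADDR$"), "host"),
    (re.compile(r"^(?P<svc>.+)_PORT_(?P<port>\d+)_(?P<proto>TCP|UDP|SCTP)_PORT$"), "port"),
    (re.compile(r"^(?P<svc>.+)_PORT_(?P<port>\d+)_(?P<proto>TCP|UDP|SCTP)$"), "url"),
    (re.compile(r"^(?P<svc>.+)_SERVICE_HOST$"), "host"),
    (re.compile(r"^(?P<svc>.+)_SERVICE_PORT$"), "port"),
    (re.compile(r"^(?P<svc>.+)_PORT$"), "url"),
]
_URL = re.compile(r"^(?P<proto>[a-z]+)://(?P<ip>[^:/]+):(?P<port>\d+)$")


def service_name(prefix):
    """Kubernetes builds the prefix by upper-casing the Service name and mapping '-' to '_'.
    Service names are DNS labels and cannot contain '_', so the reverse mapping is exact."""
    return prefix.lower().replace("_", "-")


def parse_service_links(env_text):
    """Turn `env` output into {service: {"host": ip or None, "ports": {port: proto}}}."""
    services = defaultdict(lambda: {"host": None, "ports": {}})
    for line in env_text.splitlines():
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        for rule, kind in _NAME_RULES:
            m = rule.match(name)
            if not m:
                continue
            entry = services[service_name(m.group("svc"))]
            groups = m.groupdict()
            if groups.get("port"):                       # port and proto encoded in the name
                entry["ports"].setdefault(int(groups["port"]), groups["proto"].lower())
            if kind == "host":
                entry["host"] = value
            elif kind == "port":
                entry["ports"].setdefault(int(value), "tcp")
            else:                                        # kind == "url": proto://ip:port
                u = _URL.match(value)
                if u:
                    entry["host"] = u.group("ip")
                    entry["ports"][int(u.group("port"))] = u.group("proto")
            break
    return dict(services)


def scan_targets(services):
    """Flatten the inventory to (service, ip, port); port is None when only the host is known."""
    targets = []
    for name, info in sorted(services.items()):
        if info["host"] is None:
            continue
        for port in sorted(info["ports"]) or [None]:
            targets.append((name, info["host"], port))
    return targets


if __name__ == "__main__":
    for svc, ip, port in scan_targets(parse_service_links(SAMPLE_ENV)):
        print(f"{svc:45s} {ip}:{port if port is not None else '?'}")
```

Run inside any pod, this is the whole reconnaissance step; it needs no scanner and generates no network noise, which is why setting enableServiceLinks: false and restricting pod-to-service reachability with NetworkPolicy matter more than detecting the enumeration itself.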
Port Scan Results
Internal scan of 172.27.0.0/16; 168 open services discovered:
| Port | Count | Service | Risk Assessment |
|---|---|---|---|
| 443 | 93 | HTTPS/TLS | Standard |
| 80 | 59 | HTTP unencrypted | Medium: unencrypted internal traffic |
| 4200 | 4 | Angular dev server | High: development build in production |
| 1990 | 4 | Unknown/legacy | Medium: uninventoried service |
| 3000 | 2 | Node.js/Express | Medium: likely admin or internal API |
| 8090 | 2 | Tomcat management | High: management interface exposure |
| 5173 | 1 | Vite dev server | Critical: dev build tool in production |
| 9002 | 1 | Unknown | Medium |
| 9040 | 1 | Unknown | Medium |
Critical finding: four Angular dev servers (port 4200) and one Vite dev server (port 5173) were running in the production Kubernetes cluster. Dev servers serve unminified code with source maps, expose hot-reload and debug endpoints, and apply none of the hardening of a production build. This indicates a CI/CD pipeline without enforced production build gates.
Swagger API Surface Mapping
The actor retrieved the complete internal API documentation from within the cluster:
wget https://uamapi-prod.apps.non-core-prod.sterlingbank.com/swagger/v1/swagger.json
# Result: 49,512 bytes, full endpoint inventory
Key endpoints extracted:
/api/Account/Login
/api/Account/ProfileUsers
/api/Account/OTPValidator
/api/Activity/GetLogs
/api/Activity/GetLogsByUsername/{username}
/api/Activity/Export
/api/Application/GetApplicationsByUserId/{Id}
/api/BankLocation/GetBranches
/api/Cryption/api/cryption/encryptResponse
/api/Cryption/api/cryption/decryptResponse
Cryptographic Failures
Hardcoded Secrets in JavaScript
The actor located the AES key and IV in Sterling Bank's Next.js bundle with a simple keyword search over the server-side chunk file:
const fs = require('fs');
const d = fs.readFileSync('/app/.next/server/chunks/9588.js', 'utf8');
// Keyword grep only: lists every identifier that looks credential- or crypto-related
const m = d.match(/Bearer|Authorization|apiKey|API_KEY|token|secret|password|signAppKey|encrypt|decrypt|AES|crypto/gi);
console.log([...new Set(m)].join('\n'));
Keys extracted:
REACT_APP_ENCRYPTION_KEY: c2ZJNGw4bVJWQTVYN0xBeg== (base64; decodes to 16 bytes, an AES-128 key)
REACT_APP_ENCRYPTION_VECTOR: e0ErRXNQcHRIMFYzcy9FQg== (base64; decodes to 16 bytes, the AES IV)
Two points follow from the variable names alone. The REACT_APP_ prefix marks a build-time variable that the toolchain inlines into the client bundle, so the key was shipped to every browser that loaded the application, not merely present on the server. A single fixed IV reused for every message leaks equal-prefix plaintexts under CBC and reuses the keystream under CTR, so the construction was weak even before the key leaked. Every payload encrypted under these values is retroactively decryptable: traffic captured during the access period, data at rest protected with them, and any future traffic using the same values remain readable by the actor until rotation is confirmed.
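The check a defender wants here is stronger than the actor's keyword grep: find every key-like literal in a built bundle, decode it, and report whether it is AES-sized and whether its name marks it as client-exposed. The scanner below is an added example, not code from the report. The chunk text is constructed around the two base64 values the actor published; the surrounding minified code and the NEXT_PUBLIC_THEME_KEY / API_TIMEOUT entries are illustrative.

```python
import base64
import binascii
import re

# Constructed fragment of a webpack/Next.js server chunk (not the actual 9588.js): the two
# base64 values are the ones the actor published; everything around them is illustrative.
SAMPLE_CHUNK = (
    '(self.webpackChunk=self.webpackChunk||[]).push([[9588],{1234:function(e,t,n){'
    '"use strict";var r={REACT_APP_ENCRYPTION_KEY:"c2ZJNGw4bVJWQTVYN0xBeg==",'
    'REACT_APP_ENCRYPTION_VECTOR:"e0ErRXNQcHRIMFYzcy9FQg==",'
    'NEXT_PUBLIC_THEME_KEY:"dark",API_TIMEOUT:"30000"};'
    'n.encrypt=function(e){return o.AES.encrypt(e,o.enc.Base64.parse(r.REACT_APP_ENCRYPTION_KEY),'
    '{iv:o.enc.Base64.parse(r.REACT_APP_ENCRYPTION_VECTOR),mode:o.mode.CBC})}}}]);'
)

# An identifier that smells like key material, assigned a quoted literal (object key or assignment).
SECRET_ASSIGNMENT = re.compile(
    r"\b(?P<name>[A-Z][A-Z0-9_]*(?:KEY|SECRET|VECTOR|_IV|TOKEN|PASSWORD|PASSWD)[A-Z0-9_]*)"
    r"\s*[:=]\s*[\"'](?P<value>[^\"']{1,512})[\"']"
)

# Build-time prefixes that front-end toolchains inline into the client bundle by design.
CLIENT_EXPOSED_PREFIXES = ("REACT_APP_", "NEXT_PUBLIC_", "VITE_", "VUE_APP_")
AES_SIZES = (16, 24, 32)   # AES-128/192/256 key lengths; a 16-byte value is also an IV size


def _decode_b64(value):
    """Return the decoded bytes if value is strict base64, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw or None


def scan_bundle(text):
    """Report every key-like literal with its decoded length and exposure classification."""
    findings = []
    for m in SECRET_ASSIGNMENT.finditer(text):
        name, value = m.group("name"), m.group("value")
        raw = _decode_b64(value)
        findings.append({
            "name": name,
            "value": value,
            "decoded_len": len(raw) if raw is not None else None,
            "aes_sized": raw is not None and len(raw) in AES_SIZES,
            "client_exposed": name.startswith(CLIENT_EXPOSED_PREFIXES),
        })
    return findings


def aes_material(findings):
    """Names that are AES-sized and shipped to the client: these must be rotated, not just moved."""
    return [f["name"] for f in findings if f["aes_sized"] and f["client_exposed"]]


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_CHUNK):
        print(f"{f['name']:32s} len={f['decoded_len']} aes={f['aes_sized']} client={f['client_exposed']}")
```

Running this over every .next/server/chunks/*.js and static/chunks/*.js in a built image is the bundle audit the recommendations below call for; anything reported as aes_material is already compromised the moment the image is pulled by an unprivileged reader.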
Decrypt Endpoint Misconfiguration
A live decryption oracle endpoint was discovered and exploited:
POST https://uamapi-prod.apps.non-core-prod.sterlingbank.com/api/Cryption/api/cryption/decryptResponse
Accepts: ciphertext payload
Returns: plaintext
Authentication: no effective scope or role check; any bearer token the actor already held was accepted
The endpoint functioned as a decryption oracle: plaintext could be recovered without possessing the key at all. Combined with the hardcoded keys, two independent routes to plaintext existed at the same time, so rotating the keys alone does not close the exposure while the oracle remains reachable with an unscoped token.
API Access Control Failures
Employee Directory and Broken Authorisation
| Parameter | Detail |
|---|---|
| Endpoint | GetUserByUsername/{username} |
| Expected | Scoped bearer token, role enforcement, rate limiting |
| Actual | No rate limiting. Enumeration possible with any possessed token. |
| Dump V1 | 2,215 full employee records (UUID, email, staffId, dept, branch, apps, permissions, supervisor) |
| Dump V2 | 2,237 records enriched with mobile numbers and personal titles |
| users.xlsx | 3,009 records; full IAM export including all active and pending accounts |
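Absent rate limiting, the one remaining place to catch this enumeration is the access log. The detector below is an added example (not code from the report or from Sterling Bank): it keeps a sliding window per token and flags any token that resolves more distinct usernames than a person plausibly would. The log format, the /api/Account/GetUserByUsername/ path, and the token identifiers are constructed assumptions; the report gives only the endpoint name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed gateway access log in a hypothetical "<ts> token=<id> <METHOD> <path> <status>"
# format. The token ids stand in for the hashed bearer token a gateway would log, and the
# /api/Account/ prefix is assumed; the report names only GetUserByUsername/{username}.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) token=(?P<token>\S+) (?P<method>[A-Z]+) "
    r"/api/Account/GetUserByUsername/(?P<user>[^/\s?]+) (?P<status>\d{3})$"
)


def _fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _build_log():
    """Constructed sample: one token walks 40 distinct usernames in 40 seconds,
    a second token makes three ordinary lookups (one repeated) spread over an hour."""
    t0 = datetime(2026, 3, 22, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        lines.append(f"{_fmt(t0 + timedelta(seconds=i))} token=tkn_actor GET "
                     f"/api/Account/GetUserByUsername/user{i:03d} 200")
    for i, user in enumerate(["a.bello", "a.bello", "c.okoro"]):
        lines.append(f"{_fmt(t0 + timedelta(minutes=20 * i))} token=tkn_staff GET "
                     f"/api/Account/GetUserByUsername/{user} 200")
    lines.append(f"{_fmt(t0)} token=tkn_staff GET /api/BankLocation/GetBranches 200")
    return sorted(lines)   # one timestamp format throughout, so string order is time order


LOG_LINES = _build_log()


def _epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def detect_enumeration(lines, window_s=60, max_distinct=10):
    """Flag tokens that resolve more than max_distinct different usernames inside any
    window_s-second sliding window. Input must be time-ordered. Returns
    {token: peak distinct usernames seen in one window} for flagged tokens only."""
    recent = defaultdict(deque)          # token -> deque of (epoch, username) inside the window
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # other endpoints are not this detector's business
        ts, token = _epoch(m.group("ts")), m.group("token")
        q = recent[token]
        q.append((ts, m.group("user")))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct = len({user for _, user in q})
        if distinct > max_distinct:
            peak[token] = max(peak.get(token, 0), distinct)
    return peak


if __name__ == "__main__":
    for token, n in detect_enumeration(LOG_LINES).items():
        print(f"{token}: {n} distinct usernames within one 60 s window")
```

Counting distinct usernames rather than raw requests is deliberate: a directory page that refreshes one profile repeatedly never trips it, while a scripted walk through the staff list does within seconds. The same window logic applies to the Temenos account and statement calls, keyed on account number instead of username.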
Temenos T24 SOAP API: Overprivileged Service Account
The actor called Temenos T24 SOAP API functions directly from within the cluster using a service account credential obtained during earlier enumeration. The credential was not scoped to any customer, so every function returned data for whatever account or customer identifier was supplied; customer-level data segregation was not enforced at the API layer.
| API Function | Data Returned |
|---|---|
| getAccountFullInfo | NUBAN, currency, account type, balance, BVN, branch code, account category |
| getStatement | Full transaction history: date, amount, remarks, TRAID, balance after each transaction |
| getLastNTransaction | Recent transactions with counterparty names and reference numbers |
| getIndivCustomer | Individual customer profile |
| GetCustomerAllFields | Complete customer record including all field values |
| getActiveLoans | Loan portfolio: product name, outstanding balance, arrangement ID, repayment terms |
Verified from Dump V3 and V4 source files: transaction data dated March 20–23, 2026, confirming real-time access to live production data.
Named counterparties visible in transaction remarks: Samuel Oga, Lawal Nurain, Musa Tukur Mohammed.
Credit Bureau Integration Risk
Sterling Bank’s systems are integrated with the Credit Risk Central (CRC) bureau via an API accepting a BVN and returning a full consumer credit profile. The actor accessed this integration using credentials obtained from the compromised environment.
CEO Credit Profile: Verified from Source File
| Field | Value |
|---|---|
| Bureau | CRC (Credit Risk Central) |
| Date generated | 2026-03-23T03:41:26 |
| BVN | 2*********9 |
| Smart score entries | 10 registry entries across the bureau system, scores 736 to 746 |
| Total credit accounts | 17 (Sterling Bank Plc, Polaris Bank Limited) |
| Active secured loan 1 | ₦39,000,000 limit / ₦18,509,472 outstanding |
| Active secured loan 2 | ₦251,000,000 limit / ₦205,759,734 outstanding |
| Active overdraft facilities | 3 × ₦2,000,000 + 3 × ₦20,000 |
| Total active credit exposure | > ₦290,000,000 |
The CRC integration is not specific to Sterling Bank. Any Nigerian bank or fintech with a similar bureau integration and a compromised service account faces identical exposure. A valid BVN obtainable from any extracted customer or employee record is sufficient to query a full credit profile.
Cardinal Stone Partners Compromise
Access Method
The actor pivoted from Sterling Bank's network into Cardinal Stone Partners' infrastructure.
The published artefacts do not show the pivot itself. The most probable vector is a shared network segment or a directly routable path between Sterling Bank's Kubernetes pod network and Cardinal Stone's hosting environment, consistent with the majority stakeholder relationship between the two institutions.
Full phpMyAdmin administrative access was obtained: unrestricted SQL execution, schema browsing, data export, and user management.
Database Schema
Tables confirmed from phpMyAdmin screenshots:
accreditation account_lookup_log clients
corporates declined_clients failed_jobs
investor_bank_details investor_stock_brokers migrations
permission_role register_details shareholder_records
stock_brokers banks contacts
Verified Institutional Exposure
| Entity | Relationship |
|---|---|
| FirstPensionCustodian | Data present in Cardinal Stone database |
| DiamondPFC | Data present in Cardinal Stone database |
| UBAGROUP | Data present in Cardinal Stone database |
| Cardinal Stone administrators | Named individuals with hashed passwords, confirmed via LinkedIn cross-reference |
Indicators of Compromise
Network IOCs
| Indicator | Type | Context |
|---|---|---|
| 206.217.216.145 | IPv4 | Actor C2/staging. Exploit source. Download host for dec_brute.js and dec_logs.js. |
| 152.32.180.243 | IPv4 | Sliver C2 MTLS endpoint, port 443. |
| 196.41.84.199 | IPv4 | Sterling Bank victim host (pilot environment, initial foothold). |
Host IOCs
| Indicator | Type | Context |
|---|---|---|
| ACCESSIBLE_OUTLAY | Sliver session name | Initial foothold session on enf-fe-pilot-6c5c9f48b |
| DAMP_SHIRT | Sliver session name | Second compromised host, Tomcat-based pod |
| dec_brute.js | Filename | Custom decryption tooling downloaded from C2 |
| dec_logs.js | Filename | Custom log decryption tooling downloaded from C2 |
| /tmp/dec_brute.js | File path | Actor staging path on compromised host |
| /tmp/dec_logs.js | File path | Actor staging path on compromised host |
| /tmp/uam_swagger.json | File path | Swagger API dump staged locally on compromised host |
Domain and Host IOCs
| Indicator | Type | Context |
|---|---|---|
| enf-pilot.sterling.ng | Hostname | Initial access target (CVE-2025-55182) |
| uamapi-prod.apps.non-core-prod.sterlingbank.com | Hostname | UAM API host: decrypt endpoint, Swagger, all user APIs |
| enf-fe-prod-5568f9dbc6-jkc5j | Pod name | Production frontend pod, lateral movement target |
| enf-fe-pilot.apps.non-core-prod.sterlingbank.com | Hostname | Pilot frontend OpenShift route |
MITRE ATT&CK Mapping
| Technique | ID | Detail |
|---|---|---|
| Exploit Public-Facing Application | T1190 | CVE-2025-55182 against enf-pilot.sterling.ng |
| Command and Scripting Interpreter | T1059 | Node.js scripts (dec_brute.js, dec_logs.js) for decryption and enumeration |
| Encrypted Channel: Asymmetric Cryptography | T1573.002 | Sliver MTLS on port 443 to 152.32.180.243 |
| Container and Resource Discovery | T1613 | Kubernetes service topology read from pod environment variables |
| Network Service Discovery | T1046 | Port scan of 172.27.0.0/16, 168 open services |
| Account Discovery | T1087 | Employee directory enumeration via GetUserByUsername, no rate limiting |
| Unsecured Credentials | T1552 | Hardcoded AES key and IV in Next.js bundle |
| Valid Accounts | T1078 | Service account credential reused against Temenos T24 SOAP and the CRC bureau API |
| Data from Information Repositories | T1213 | Swagger docs, activity logs, Temenos SOAP APIs |
| Exfiltration Over C2 Channel | T1041 | Data returned via Sliver sessions |
| Trusted Relationship | T1199 | Sterling Bank → Cardinal Stone Partners pivot over an affiliate network path |
Root Cause Analysis
Five distinct failures, any one of which, had it been addressed, would have prevented or significantly limited the breach:
- Unpatched CVE on an internet-facing host. CVE-2025-55182 was publicly known and patched. A vulnerability management process that did not cover non-production environments permitted the initial foothold.
- Development builds in production. Four Angular dev servers (port 4200) and one Vite dev server (port 5173) were running in the production cluster. The CI/CD pipeline did not enforce production build requirements.
- Secrets in code. REACT_APP_ENCRYPTION_KEY and REACT_APP_ENCRYPTION_VECTOR were hardcoded in the Next.js bundle and, given the REACT_APP_ prefix, inlined into client-side code by the build. Cryptographic material must be held in a secrets manager and injected at runtime, never stored in code.
- Broken API access controls. GetUserByUsername with no rate limiting. Activity log endpoint accessible with any possessed token. A decryption oracle endpoint reachable with any token. Temenos SOAP APIs callable without customer-level data segregation. Together these point to a systematic absence of API security testing.
- phpMyAdmin exposure. Cardinal Stone's phpMyAdmin was accessible from a network segment reachable from Sterling Bank's compromised environment. phpMyAdmin in production is a known critical-risk configuration, and the implicit network trust between the affiliated institutions had not been reviewed.
Contributing factor, no network detection: nine days elapsed between initial access (March 18) and public disclosure (March 27) with no evidence of detection. Sliver's MTLS beacon on port 443 went unnoticed, indicating the absence of egress allow-listing, egress flow analytics, and container-aware EDR.
Regulatory Analysis
Nigeria Data Protection Act 2023
| Obligation | Status |
|---|---|
| 72-hour NDPC breach notification | TRIGGERED. Breach publicly posted March 27. No NDPC notification published as of March 29. |
| Appropriate technical and organisational security measures | BREACHED. Unpatched CVEs, hardcoded keys, broken API controls, dev builds in production. |
| Data subject notification | NOT FULFILLED. No public advisory to the approximately 900,000 affected data subjects. |
| Potential penalty | Up to ₦10,000,000 or 2% of annual gross revenue, whichever is greater, per violation category under the NDP Act. |
| Regulatory response | Investigation announced by the NDPC on 5 April 2026. |
CBN Cybersecurity Framework (2022)
The CBN’s Risk-Based Cybersecurity Framework and Guidelines for Financial Institutions requires licensed banks to maintain programmes covering vulnerability management, patch management, incident detection and response, and third-party risk management.
The documented failures are inconsistent with compliance. Significant cyber incidents must be reported to the CBN within defined timeframes. Whether this obligation has been met in parallel with the NDP Act requirement is unknown as of publication.
Recommendations
Immediate
- Rotate all credentials, service account tokens, and API keys across the entire Kubernetes cluster.
- Revoke and reissue REACT_APP_ENCRYPTION_KEY and REACT_APP_ENCRYPTION_VECTOR; audit all JavaScript bundles across all pods for hardcoded secrets.
- Take enf-pilot.sterling.ng offline or behind VPN; audit all pilot and staging hosts for internet exposure.
- Block 206.217.216.145 and 152.32.180.243 at the perimeter and cloud security group level.
- Engage incident response to determine whether Sliver implants persist beyond the two identified sessions.
- Notify the NDPC; the obligation is active and delay increases regulatory exposure.
- Take Cardinal Stone's phpMyAdmin interface offline immediately and rotate all database credentials.
Short-term (within 30 days)
- Deploy runtime container security (Falco, Tetragon, or equivalent); detecting Sliver inside a pod requires visibility at the syscall or network layer within containers.
- Control and monitor cluster egress. Sliver's MTLS channel cannot be decrypted by a TLS-inspecting proxy (the mutual handshake fails through a man-in-the-middle, which is itself a blockable event); the reliable signals are a fixed-period connection from a pod to an unknown external IP on 443 and any egress not on an allow-list. Enforce egress allow-listing with NetworkPolicy and alert on the remainder.
- Enforce production build requirements in the CI/CD pipeline. Block deployment of any pod running ng serve, vite dev, or an equivalent dev-mode server.
- Implement secrets management and migrate all application secrets to HashiCorp Vault or equivalent; enforce a zero-hardcoded-secrets policy with pre-commit and built-bundle scanning (truffleHog, gitleaks).
- Apply rate limiting and scope enforcement to all internal APIs, including the decryptResponse endpoint.
- Conduct an authenticated API penetration test of the full Swagger-documented surface.
- Patch all CVEs rated CVSS 7.0+ across all environments including non-production; implement automated scanning with mandatory remediation SLAs.
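The CI/CD build gate recommended above, and the dev-server finding in the port scan section that motivates it, as an added example (not code from the report or from Sterling Bank): an admission check that rejects a workload whose container runs a dev-mode server, sets NODE_ENV to anything but production, or exposes a dev-server default port. The two manifests are constructed Python dicts standing in for parsed YAML; the workload and container names are hypothetical.

```python
import re

# Dev-mode launch commands. `vite build` and `vite preview` are excluded on purpose:
# they produce or serve a production build.
DEV_SERVER_CMDS = re.compile(
    r"(?:^|\s)(?:ng\s+serve|vite(?!\s+(?:build|preview))|next\s+dev|webpack-dev-server|nodemon)(?=\s|$)"
)
DEV_SERVER_PORTS = {4200, 5173}   # Angular CLI and Vite dev-server defaults


def _containers(manifest):
    """Containers of a Deployment/StatefulSet/DaemonSet (pod template) or of a bare Pod."""
    spec = manifest.get("spec", {})
    if "template" in spec:
        spec = spec["template"].get("spec", {})
    return spec.get("containers", [])


def dev_server_violations(manifest):
    """Return human-readable violations; an empty list means the workload may be admitted."""
    issues = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for c in _containers(manifest):
        cmd = " ".join(c.get("command", []) + c.get("args", []))
        if DEV_SERVER_CMDS.search(cmd):
            issues.append(f"{name}/{c['name']}: dev-mode command '{cmd}'")
        for env in c.get("env", []):
            if env.get("name") == "NODE_ENV" and env.get("value", "").lower() != "production":
                issues.append(f"{name}/{c['name']}: NODE_ENV={env.get('value')}")
        for p in c.get("ports", []):
            if p.get("containerPort") in DEV_SERVER_PORTS:
                issues.append(f"{name}/{c['name']}: dev-server port {p['containerPort']} exposed")
    return issues


# Constructed manifests (hypothetical workload names; not Sterling Bank's).
DEV_MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "ikollect-fe-pilot"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "web",
        "image": "registry.example/ikollect-fe:dev",
        "command": ["npx", "ng", "serve"],
        "args": ["--host", "0.0.0.0", "--port", "4200"],
        "env": [{"name": "NODE_ENV", "value": "development"}],
        "ports": [{"containerPort": 4200}],
    }]}}},
}
PROD_MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "enf-fe"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "web",
        "image": "registry.example/enf-fe:1.4.2",
        "command": ["node", "server.js"],
        "env": [{"name": "NODE_ENV", "value": "production"}],
        "ports": [{"containerPort": 3000}],
    }]}}},
}


if __name__ == "__main__":
    for m in (DEV_MANIFEST, PROD_MANIFEST):
        problems = dev_server_violations(m)
        print(m["metadata"]["name"], "REJECT" if problems else "OK", *problems, sep="\n  ")
```

The same three checks translate directly into a validating admission policy in the cluster, which is where they belong: a pipeline gate stops the common path, an admission gate stops someone applying a manifest by hand.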
Strategic (within 90 days)
- Implement a threat intelligence function that tracks CVE disclosures relevant to the technology stack; CVE-2025-55182 was public and patched before exploitation, and a basic TI process would have flagged it.
- Establish a formal vulnerability disclosure policy and bug bounty programme.
- Conduct a third-party security assessment of the Temenos T24 API integration layer, including authorisation controls, customer data segregation, and service account privilege scoping.
- Review all third-party and affiliate network connections for implicit trust; the Cardinal Stone pivot exploited assumed trust, and every external network boundary requires explicit verification.
- Engage the NDPC proactively on a remediation and compliance programme; voluntary cooperation is a mitigating factor in regulatory proceedings.
This analysis was produced by Web Security Lab based on independent examination of materials published publicly by the threat actor ByteToBreach on DarkForums.su on March 27, 2026.
All technical findings are derived from actor-published artefacts. No Sterling Bank systems were accessed by WSL at any point. All IOCs are drawn from actor-published screenshots and data dumps.
This report is classified as Public and may be freely shared and reproduced with attribution to Web Security Lab (websecuritylab.org).