
Incident Response

SWIFT Discloses Additional Bank Attacks

In a private letter to its members on Tuesday, SWIFT has disclosed that additional cyber attacks have surfaced since its last update in June.


There are already known successful attacks against a Bangladeshi bank and an Ecuadorian bank, with a failed attack against a Vietnamese bank. Now, in a letter seen by Reuters, SWIFT is warning, “Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.”

SWIFT has not indicated whether any ‘fraudulent payment instructions’ were successful, nor named the banks concerned. Nevertheless, the organization appears to be using the incidents to increase pressure on its member banks to implement new SWIFT software by a deadline of 19 November.

“All the victims shared one thing in common,” says Reuters: “Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers.” There is no current indication whether the attackers are the same gang that attacked Bangladesh, Ecuador and Vietnam, or copy-cat criminals attracted by the massive theft of $81 million from Bangladesh.

The latest version of SWIFT’s software includes new security features designed to prevent a repeat of the Bangladesh attack. These include technology for verifying the credentials of people accessing a bank’s SWIFT system; stronger rules for password management; and better tools for identifying attempts to hack the software.

SWIFT appears to be ‘threatening’ its members with disclosure of weaknesses and/or future attacks if they do not comply. It cannot directly insist on compliance, since the organization is a cooperative owned by the members, and it does not have that remit.

While any increased security is important, some experts believe SWIFT’s actions are not enough. Most of the new controls appear to be perimeter-based. While it’s certainly true that the Bangladesh ‘perimeter’ was not well defended (“The bank lacked a firewall and used second-hand, $10 electronic switches to network those computers, according to the Bangladesh police” – Reuters), perimeter defenses are not very successful.

Once the attackers have gained a foothold beyond the perimeter, “the bad actors can often do whatever they want and cover up their tracks with ease,” comments Istvan Szabo, product manager at Balabit. “The better method is for participating organizations to monitor their privileged users, build user specific profiles and apply behavior analytics on top of that. Profiles can be obtained from mouse movements, keystroke habits, command usage regularity, users’ IP/port and protocol in a transparent way if using a proxy based monitoring technology. The habits of every individual user are unique indicators and impossible to copy.”
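To make the “user specific profile” idea concrete, here is a small added example of command-usage and source-address baselining for privileged users. It is illustration code written for this article, not Balabit’s product or any SWIFT component; the audit-log format (`timestamp user source_ip command`), the sample log lines, the scoring weights and the 0.5 alert threshold are all constructed assumptions.

```python
"""Toy privileged-user behaviour baseline and anomaly scoring.

Added example for this article (not vendor code). Assumed audit-log line
format: "<ISO timestamp> <user> <source_ip> <command line>".
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training window: what each privileged user normally does.
BASELINE_LOG = """
2016-08-01T09:05:00 ops1 10.0.0.5 ls -la /srv/app
2016-08-01T09:06:00 ops1 10.0.0.5 tail -n 50 /var/log/app.log
2016-08-01T14:10:00 ops1 10.0.0.5 systemctl status app
2016-08-02T09:15:00 ops1 10.0.0.5 ls -la /srv/app
2016-08-02T10:30:00 ops1 10.0.0.5 tail -n 50 /var/log/app.log
2016-08-02T15:00:00 ops1 10.0.0.5 systemctl restart app
2016-08-01T11:00:00 dba1 10.0.0.9 psql -c "select count(*) from payments"
2016-08-02T11:30:00 dba1 10.0.0.9 pg_dump --schema-only payments
"""

# Constructed review window: one routine session, one session whose
# programs, hour of day and source address all fall outside the baseline,
# and one account with no baseline at all.
SESSION_LOG = """
2016-08-03T09:20:00 ops1 10.0.0.5 ls -la /srv/app
2016-08-03T09:21:00 ops1 10.0.0.5 tail -n 50 /var/log/app.log
2016-08-04T03:12:00 dba1 198.51.100.7 pg_dump payments
2016-08-04T03:13:00 dba1 198.51.100.7 tar czf /tmp/p.tgz /var/lib/pgsql
2016-08-04T03:14:00 dba1 198.51.100.7 shred -u /var/log/secure
2016-08-04T03:20:00 tmpadmin 198.51.100.7 id
"""


def parse_line(line):
    """Split one audit line into a typed event; the program name is the first token of the command."""
    ts, user, ip, cmd = line.split(maxsplit=3)
    return {"time": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "program": cmd.split()[0]}


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def build_profiles(events):
    """Per-user baseline: program frequencies, active hours, and source addresses."""
    profiles = defaultdict(lambda: {"programs": Counter(), "hours": set(), "ips": set()})
    for e in events:
        p = profiles[e["user"]]
        p["programs"][e["program"]] += 1
        p["hours"].add(e["time"].hour)
        p["ips"].add(e["ip"])
    return dict(profiles)


def score_session(profile, events):
    """Score 0..1 from deviation against the profile; weights are assumptions for the example."""
    if profile is None:
        return 1.0, ["no baseline profile exists for this user"]
    n = len(events)
    novel = sum(e["program"] not in profile["programs"] for e in events) / n
    new_ip = 1.0 if any(e["ip"] not in profile["ips"] for e in events) else 0.0
    off_hours = sum(e["time"].hour not in profile["hours"] for e in events) / n
    score = 0.5 * novel + 0.3 * new_ip + 0.2 * off_hours
    reasons = []
    if novel:
        reasons.append(f"{novel:.0%} of commands use programs never seen in baseline")
    if new_ip:
        reasons.append("activity from a source address not in baseline")
    if off_hours:
        reasons.append(f"{off_hours:.0%} of activity outside usual hours")
    return score, reasons


def evaluate(baseline_text, session_text, threshold=0.5):
    """Build profiles from the training window and score each user's review-window activity."""
    profiles = build_profiles(parse_log(baseline_text))
    by_user = defaultdict(list)
    for e in parse_log(session_text):
        by_user[e["user"]].append(e)
    results = {}
    for user, events in by_user.items():
        score, reasons = score_session(profiles.get(user), events)
        results[user] = {"score": round(score, 2), "flagged": score >= threshold,
                         "reasons": reasons}
    return results


if __name__ == "__main__":
    for user, r in evaluate(BASELINE_LOG, SESSION_LOG).items():
        flag = "ALERT" if r["flagged"] else "ok   "
        print(f"{flag} {user:9} score={r['score']:.2f} {'; '.join(r['reasons'])}")
```

The point of the example is the shape of the control rather than the particular weights: a profile built from what the account normally runs, when, and from where, so that a session that is technically authorised (valid credentials, valid source in the allow-list) still stands out when its behaviour does not match the person who owns the account. A production system would use far richer features, a longer training window and per-user thresholds.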


eSentire’s CTO Mark McArdle suggests that these new attacks should not be seen as limited to SWIFT, but as representative of a much bigger issue: bad guys attack big organizations through smaller affiliates — and he cites the attack against Target via its HVAC supplier as an example. The attraction of SWIFT is that it provides access to some of the world’s largest and best defended banks via much smaller and less defended banks, and is a route that criminals will continue to exploit.

The SWIFT letter, he said, “isn’t about the spotlight on big banks and their cybersecurity posture; this is a floodlight highlighting the larger, more critical risk, which is the far more prevalent, lucrative target — the smaller banks, hedge funds and alternative asset management firms which circle the globe.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
