Cybercriminals stole millions of dollars from Bangladesh’s central bank and they managed to cover their tracks by using custom malware that targeted the SWIFT interbank messaging system.
The attackers transferred $101 million from the Bangladesh Bank’s account at the Federal Reserve Bank of New York before their operation was shut down by the financial institution, and $81 million sent to the Philippines are still missing.
It took the bank nearly four days to detect and block the unauthorized payments due to printer and software problems, which appear to have been caused by custom malware designed to interact with the SWIFT Alliance Access software. The malware deleted specific transactions from the SWIFT database, altered transaction amounts, and ensured that confirmation messages that would normally be printed on paper were damaged.
Industry professionals contacted by SecurityWeek commented on the incident, including its implications for the financial industry, the possibility that other proprietary platforms could be targeted in a similar fashion, and the steps organizations should take to prevent these types of breaches.
And the feedback begins…
Ryan Stolte, Chief Technology Officer, Bay Dynamics:
“The Bangladesh heist demonstrates a paradigm shift in how banks are being attacked. Criminals are no longer looking for sensitive customer data they can take outside the organization and sell on the black market. They are now focusing on manipulating business critical applications and proprietary platforms to conduct fraud. They are compromising the integrity of financial systems so that they can fraudulently move money and hide the evidence.
Banks have substantial populations of proprietary software within their infrastructures. Those existing legacy systems were built without an eye on security so with enough time and testing, weak points can likely be found in some of them. Banks historically have been strong in perimeter security. However, once past the outer walls, if a criminal can establish trusted access via theft, hijacking or the escalation of credentials, they have a multitude of options for mobility and stealth. They spend time inside the network, studying the business critical applications and systems, identifying vulnerabilities and then using malware to exploit those weaknesses and manipulate code enabling them to move money outside the network without being detected.
To combat this new kind of attack, banks must first identify which of their applications and systems that, if disrupted, would cause significant damage. Which proprietary platforms are the most business critical and if manipulated could lead to a significant amount of money leaving the company? Banks should then focus on protecting those most critical assets.”
Patrick Wardle, Director of Research, Synack:
“The first interesting thing about this hack is that it was reported the hackers were able to gain initial access via “a cheap internet router with no firewall.” One would assume a central bank would have better security—but apparently that’s not the case here. I think it’s important to realize that once hackers have initial access, it’s pretty much game over. As such, it’s imperative to ensure there are no external weak points in one’s network, because attackers only need to find one such weakness… but this is a well-known security “mantra.”
Clearly, the hackers were well-versed with the SWIFT software; this points to a decent level of sophistication but isn’t all that surprising. Just as (successful) traditional bank robbers are well versed with physical security/systems at banks (breaking vaults, picking locks, etc.), so too are virtual bank robbers with banking software. SWIFT is just like any other software system that can be studied, exploited and subverted. And when millions of dollars are on the line, hackers have that much more of an incentive to gain a deep understanding of such a system—and to write custom malware and exploits for it. Also, custom software systems are often less well-audited or monitored… thus once an attacker gains familiarity with it, it may actually be a fairly “soft” target to subvert.”
Mark Weatherford, Chief Cybersecurity Strategist, vArmour:
“This attack on SWIFT is a harbinger of the possible against other financial systems. Since SWIFT’s messaging services appear to be operating normally, the problem is on the user side – the banking side – where weak security allowed criminals to compromise and use the credentials of authorized users to create SWIFT transaction messages. This attack should be a klaxon alarm for all companies, and not just financial institutions, to review their security programs and implement security controls that light off fireworks whenever unusual activity in authorization and access occurs.
From a strategic perspective, the financial community should be actively trying to understand what other financial systems or platforms could be compromised using this same type of vulnerability. If simply compromising user credentials can reap this kind of harvest, every banking end-point in the world is a potential attack vector. Truly a 99.99% secure equals 100% vulnerable scenario because it’s impossible to secure all the user end-points. This means adding additional layers of authentication to make it harder for criminals.
While this event is incredibly serious, the greater harm is on the integrity and trust in financial institutions. While technology is the root cause, it’s actually a risk to the broader worldwide financial framework because cybersecurity strategies are front and center impacting corporate strategies and the trust of customers in their financial institutions.”
Garry McCracken, VP of Tech, WinMagic:
“The hacking team could have also targeted the bank’s ATMs with the malware, performing a popular attack called malware injection. In this attack, the attacker takes the ATM offline, injects their own special software to monitor and control the ATM, allows it to come back online and then at the optimal time revisits the ATM to use their secret malware code to jackpot the machine.
ATMs make for an attractive target in a bank heist because hackers can attack and loot in-person under the pretense of a simple ATM withdrawal, at which point the cash becomes harder to follow.”
Stephen Cobb, Senior Security Researcher, ESET:
“Though SWIFT has made software improvements in response to this breach, it appears the organization has an urgent need to audit member security in a meaningful way. The compromise of accou
nt credentials at Bangladesh central bank, essentially a set of the keys to the SWIFT system, and the poor detection of the malicious network activity that ensued, clearly point to a need for better enforcement of controls.”
Troy Gill, Manager of Security Research, AppRiver:
“This attack was most likely carefully, and deliberately planned to target the Bangladesh Bank, or another bank using SWIFT. Regardless of if the vulnerability is a direct tie to the SWIFT system itself, or due to the implementation of SWIFT by the Bangladesh Bank, the fact remains that the attacker was able to commit a massive theft by leveraging SWIFT, which points to customized malware. Customized malware can range from something as sophisticated as Stuxnet, which had huge number of zero-day exploits, to exploiting a known vulnerability in the system that the attacker is aware of, like an unpatched security vulnerability (such as the recent Flash security update). Utilizing old fashioned social engineering, attackers glean this type of information for an attack by simply calling an employee, pretending to be the help desk asking for some system information (nothing threatening like passwords).
“Because they are not ‘one size fits all,’ customized malware attacks are often very successful when exploiting their targeted environment. Once the tailored malware has been built, it is a matter of getting on the target’s perimeter. Because of the reward is often so high (to tune of $81 million in some cases), we can expect that similar customized attacks are underway right now, and will continue into the future.”
Jeff Wichman, Managing Security Consultant Incident Management, Optiv:
“The fact that the attackers targeted a SWIFT vulnerability should be evidence enough that software vendors, service providers, or companies that are deploying software need to take information security seriously. Proprietary software is no more or less secure than open-source or off-the-shelf software. If an organization deploys any type of software into an insecure environment, it will not take long for attackers to manipulate it.
It is clear from the latest reports that the Bangladesh Central Bank was not following even the most basic information security practices. I think it is important for service providers with proprietary software (in this case SWIFT) to provide requirements for a secure deployment of their software. It is also critical for service providers to follow the deployment with validation that an organization is actually implementing the software in a secure environment. Attackers are going to follow the money. If it means they need to learn some proprietary application or code, they will.”
Jayendra Pathak, Chief Architect, NSS Labs:
“This is probably the first known instance where the SWIFT messaging platform is targeted to alter the records inside the SWIFT Alliance Access software. This is a bigger worry for financial institutions down the road. As more of these attacks surface, we will see a surge in copycat activities and authenticity of the transactions cannot be reliably determined. Malware impacting SWIFT could have been delivered through spear-phishing, which is one of the reasons why it’s important to understand your exposure.”
Matt Devost, CEO of FusionX and managing director at Accenture:
“This is another instance in which sufficiently motivated attackers were able to study the business processes and application layer in use by SWIFT in order to engage in highly successful fraud activity.
This type of attack further demonstrates the necessity of industry standard best practices such as appropriate network segmentation and enclaving, good system hygiene, and robust identify and access management for key system to include the use of two-factor authentication for critical applications.”
Todd Weller, VP of Corporate Development, Hexis Cyber Solutions:
“SWIFT is a messaging platform (network) that connects over 11,000 financial institutions. I don’t think the fact that it is a priority network is relevant here. For example, if I’m an attacker and I gain access to ACME Co.’s network, I’ve gained access to their proprietary network that provides access to their applications and data. Applications and data on a network are accessed through software applications. In the case of SWIFT, financial institutions connect via its Alliance Access server software. Like any piece of software there are the potential for the software to have vulnerabilities that have the potential to be exploited.
In this particular case, I think that going after a business is less about what appear to be similar tactics, techniques and procedures of many more targeted attacks but rather more about a bigger bang for the buck. Being able to generate $100 million with a single attack has a much higher return for attackers and is more efficient than trying to monetize 100 million health care records.”
Jonathan Cogley, Founder and CTO, Thycotic:
“The Bangladesh Bank incident is only the tip of the iceberg. The bank was ill prepared for such an attack and made for easy pickings. The $81 million payout was likely achieved with only a few months of work. With those economics, this is going to be a new trend. Who is likely to be the target?
Financial institutions in the United States partner with law enforcement and national defense cybersecurity infrastructure to obtain threat intelligence data, expert advice and hire top talent to protect themselves. Smaller financial institutions in other countries with less government support and weaker infrastructure will be the first target – they are big enough to yield millions in a possible windfall but lack the necessary defenses. This is just your typical outrun your friend when being chased by a lion scenario. The weaker individuals in the herd will be the first to go. But, over time, the tactics will be improved and the bigger animals may fall too.”
Steven Rogers, CEO, Centripetal Networks:
“This targeted attack on Bangladesh Bank’s financial infrastructure is just the latest example of a targeted, persistent threat. Attackers use a number of methods to gain access to the network, map out and discover high value resources in the network, and then develop and deploy malware to exploit the bank’s systems. This doesn’t happen overnight; it can often take months to get to this point.
“With the large dwell time inside the network, and little visibility to the adversary, more of these attacks are likely. Due to the lucrative gains from these attacks, criminal organizations are employing highly skilled developers to defeat these systems.
“Intelligence suggests that these attackers are known, and likely being tracked by commercial and community sources. Leveraging this intelligence wou
ld enable the bank to gain visibility to the threats in a time period where they can take action and prevent the large scale loss. This should serve as yet another wake up call to those who aren’t sharing and consuming intelligence from their respective communities.”
Chris Wysopal, co-founder and CTO, Veracode:
“This attack looks to have been so effective because it simultaneously exploited users and applications, which are the two most critical assets that financial institutions need to lock down to adapt to our increasingly connected world. This combination enabled the scale of the theft; user credentials allowed for the first step of inserting fraudulent messages, and the manipulation of the software allowed the attackers to avoid detection for some time. Consequently, what otherwise might have just been a “smash and grab” job was transformed into a sustained racket.
For Bangladesh’s central bank and others affected, the message is clear: the attack surface is much larger than the institution itself. Know exactly which third-party services like SWIFT are in use across the organization and decide how to manage them based on a comprehensive understanding of the security that is built into these applications. For the developers of SWIFT, it’s now apparent they could have done a better job of preventing the bypass of authorization checks in order to stop direct manipulation of data in the SQL database. Better anti-tampering protections built into SWIFT’s software could have also been effective. Software of such high business impact needs extraordinary integrity checking.”
Ori Eisen, founder and CEO, Trusona:
“We should assume that other platforms are either already compromised and we did not discover it, or that it’s just a matter of time before the e-disaster occurs. Stealing money is just the tip of the iceberg. Should rogue elements hack a nuclear power plant, water treatment plant, a dam, electric grid and so on – the damage could be catastrophic.
Cybersecurity professionals should gravitate towards using the best tools and technology available to them, and work with vendors and practitioners who will stand shoulder to shoulder with them in the cyber-trenches. In a perfect world, cybersecurity professionals would protect their most sensitive assets with vendors that back their products, provide a guarantee and even insurance.”
Chris Jacob, Global Director of Threat Intelligence Engineers, ThreatQuotient:
“The recent heist of $81 million, and the sophistication employed by the malware to cover the tracks of the perpetrators further exposes the lengths criminal organizations are willing to go for the big payout. The amount of reconnaissance and technical research required to exploit a proprietary system such as SWIFT is impressive, and brings into question the amount of risk often overlooked in other such systems. What it also brings into question is whether this was in fact a traditional exploit or more of a social engineering attack or even an insider threat.
While the work performed by the IR team has turned up some excellent insight, I think enterprises need to start to adopt the same sort of intel trade-craft in preemptive security. Global intelligence organizations and law enforcement groups long ago saw the value in using investigative skills to not only solve the crimes, but also prevent them.”
Bob Hansmann, Director of Security Technologies, Forcepoint:
“As financial and other common targets of cybercrime have strengthened their defenses, they’ve become more costly to breach. Attackers have learned to look for more vulnerable third parties, such as the HVAC vendor whose compromise allowed hackers to breach Target in 2013. Until the Bangladesh central bank investigation is further progressed, we will not know if it was chosen due to an available system vulnerability or an insider who knowingly or unknowingly supported the attack. Given that the majority of recent attacks are attributed to “insiders”, the latter is definitely a possibility.
Systems such as SWIFT are the most enticing given the economics of having access to multiple victims through a single breach, such as the Heartland Payment system breach in 2008, where credit cards from 650 different financial institutions were compromised. And, as with most major breaches in recent years, remaining undetected is key to the attack’s success. Luckily, with more complete deployments in Data Loss Prevention (DLP), and growing investment in User Behavior Analytic (UBS) solutions, the “dwell time” (the time an attacker is within the network) of these elusive breaches is being dramatically reduced.”