The North Korea-linked hacking group Lazarus is said to have stolen $13.5 million in a recent cyber-attack targeting SWIFT/ATM infrastructure of Cosmos Bank.
The attackers likely gained access to the bank’s systems via spear phishing and/or remote administration/third-party interface and used multiple attack techniques to steal funds. The theft took place between August 10 and 13, 2018, according to researchers from Securonix.
Believed to be backed by the North Korean government, the Lazarus group was said last year to be the most serious threat to banks. This year, the hackers also focused heavily on crypto-currency exchanges and have been involved in numerous attacks against such organizations.
A recent report also revealed that most malware families originating from North Korea can be linked to Lazarus via code reuse.
Now, Securonix security researchers reveal that Lazarus was behind a high-profile ATM/SWIFT banking attack involving the Cosmos Bank, a 112-year old cooperative bank in India and the second largest in the country.
As part of the incident, the hackers are believed to have leveraged a previously established foothold before compromising the bank’s internal and ATM infrastructure on August 10-11.
Likely abusing vendor ATM test software or modifying the currently deployed ATM payment switch software, they set up a malicious ATM/POS switch and hijacked the connection between the central switch and the backend/Core Banking System (CBS).
Next, they made adjustments to the target account balances to enable withdrawals and leveraged the malicious switch to authorize ATM withdrawals for over $11.5 million in tens of thousands o
f domestic and international transactions, using 450 cloned (non-EMV) debit cards in 28 countries.
The malicious switch was used to send fake messages to authorize the transactions and also to prevent details sent from payment switch to reach the CBS (thus, checks on card number, card status PIN, and more were never performed).
On August 13, 2018, likely following lateral movement, the threat actor abused the Cosmos Bank’s SWIFT SAA environment LSO/RSO compromise/authentication to send three international wire transfer requests to ALM Trading Limited at Hang Seng Bank in Hong Kong, amounting to around $2 million.
“The ATM/POS banking switch that was compromised in the Cosmos Bank attack is a component that typically provides hosted ATM/POS terminal support, an interface to core banking solution (CBS) or another core financial system, and connectivity to regional, national or international networks. The primary purpose of the system is to perform transaction processing and routing decisions,” Securonix explains.
By focusing on the bank’s infrastructure instead of basic card-not-present (CNP), jackpotting or blackboxing fraud, the well-planned, highly coordinated attack was able to effectively bypass bank’s layers of defense against ATM attacks.
The security firm attributes the attack to Lazarus, a group known for the use of Windows Admin Shares for Lateral Movement, the use of custom command and control (C&C) servers that mimic TLS, the use of Windows services for persistence, timestomping, and reflective DLL injection, along with other attack techniques.