BANK CYBER HEIST ANALYSIS
Posted on: 27-Mar-2020
In the wake of the recent cyber heist carried out by attackers on Cosmos Cooperative Bank in August 2018, it is necessary to understand the history and anatomy of such attacks, which are no longer few and far between and hence cannot be ignored.
Government infrastructure, banks and other entities are very closely associated with the financial well-being of a nation, and are attractive targets for attackers for the same reason. Another reason, of course, is MONEY.
It has been observed in the recent past that these types of attacks, specifically on banks, have become horrifyingly commonplace, leaving consumers feeling highly insecure. This paper attempts to understand some subtle and some not-so-subtle reasons behind the Cosmos Bank case. Although a lot of the content in this paper is based on the news articles published in this regard to date (sources credited in the end section), some of it is speculation to fill in the gaps where the facts are still unknown or undisclosed.
A look at the available history of similar cyber heists carried out against banks is a reasonable way to understand a trend that threatens to become an epidemic in the banking world. These cases are sure to give bankers in decision-making positions countless sleepless nights, understandably so, since they are custodians of their customers’ hard-earned money. Not to mention the general mayhem and bad PR that comes with it.
Here are some of the very recent cases of such attacks on banks.
1. CENTRAL BANK OF BANGLADESH HEIST
In February 2016, $81 million was siphoned off from the Central Bank of Bangladesh. The attackers were able to compromise the bank’s SWIFT operations. They were clever enough to time the heist with the weekend in the U.S. This resulted in delayed action from SWIFT and the New York Fed, and it wasn’t until Monday, 8 February 2016, that the bank could get any assistance.
2. NATIONAL BANK OF BLACKSBURG-HEIST NO.1
The National Bank of Blacksburg, in May 2016, fell victim to a phishing malware attack that led to the compromise of multiple computers in the bank’s network. The attackers eventually disabled or altered critical anti-theft and anti-fraud parameters. Hundreds of ATMs across North America were used and more than US$569,000 was stolen over three days.
What’s to be noted here is that this attack took place over a long weekend.
3. NATIONAL BANK OF BLACKSBURG-HEIST NO.2
Just eight months later, between 7 and 9 January 2017, a similar albeit more elaborate heist resulted in a total of US$1,833,984 being stolen. In this heist the hackers also managed to erase all tracks that could have led to them. Again, it should be noted that this attack too was carried out over a weekend.
4. GLOBEX HEIST
As recently as December 2017, it emerged that hackers had attempted to siphon off nearly US$1 million from the Russian state-run bank Globex by funneling the money away via fraudulent SWIFT transactions. The robbery was largely thwarted, however, and only US$100,000 is believed to have been
Cosmos Co-operative Bank Ltd, a 112-year-old bank, is one of the oldest cooperative banks in India, headquartered in Pune, Maharashtra. It was one of the first co-operative banks in the country to implement a Core Banking System (CBS) across its entire network of then 140 service outlets, using Infosys Finacle core banking software. Cosmos Bank operates in 7 states of India, viz. Maharashtra, Gujarat, Madhya Pradesh, Karnataka, Andhra Pradesh, Telangana and Tamil Nadu, through its 140 branches. The bank has more than 2 million customers and 79,000 shareholders. Its revenue is upwards of USD 1.9 billion.
On August 11 and 13, 2018, a group of international hackers broke into the bank’s servers. The total money stolen was Rs 94 crore.
Cosmos Bank issued a statement saying none of its customer accounts were found to have been debited. What is noteworthy is that Cosmos Bank did not get any alert from its core banking system (CBS). It was VISA and SWIFT who alerted the bank about the suspicious transactions, after which the police were informed on August 13, 2018. Here is the timeline of how the events unfolded.
As is evident from the above timeline, the attack was carried out over a weekend. This seems to be consistent with the modus operandi of the attackers in similar cases from the recent past.
HOW DID IT HAPPEN? ATM WITHDRAWALS
- The bank’s internal infrastructure, primarily the ATM infrastructure, was most likely compromised by malware delivered through a spear-phishing campaign.
- Once the malware had successfully travelled through the bank’s infrastructure, it is possible that it infected the ATM or POS switch.
- The malware severed the connection between the switch and the bank’s Core Banking System (CBS). This enabled the attackers to issue instructions and control the responses of the ATM infrastructure. The bank claims that a proxy switch was installed by the attackers.
- The attackers also tampered with the balances of some target accounts and allowed unauthorised cash withdrawals from ATMs.
- Designated mules across the world aided in immediate cash withdrawals upon receiving the signal.
- Since the CBS was completely kept out of the loop, none of these withdrawals were recorded or committed to the accounts.
- It is possible that preparation for this activity started months earlier. The attackers stole customer data and cloned cards for the theft.
- On August 13, 2018, the malicious threat actor continued the attack against Cosmos Bank, likely by moving laterally.
- The compromised LSO/RSO (Left Security Officer/Right Security Officer) authentication in Cosmos Bank’s SWIFT SAA environment was used to send three malicious MT103 messages to ALM Trading Limited at Hang Seng Bank in Hong Kong, amounting to around US$2 million.
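The point that decides the ATM leg of this case is that the CBS never saw the withdrawals the switch approved, so the bank learnt of them from VISA rather than from its own systems. The detective control for that is a periodic reconciliation of switch-side approvals against CBS postings. The following is an added example written for this paper, not code from the original article or from any bank or vendor; the log layout, the STAN-based matching key and all records are constructed assumptions.

```python
"""
Added example, not from the original paper: reconciling ATM-switch approvals
against Core Banking System (CBS) postings.  In the attack described above the
CBS was kept out of the loop, so every approved withdrawal was one the core
never recorded; a switch-vs-CBS reconciliation is the control that catches
that before a card network has to.  All records below are constructed sample
data and the field layout is an assumption, not any vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed switch-side log: each approved ATM withdrawal, keyed by the
# System Trace Audit Number (STAN) the switch assigned to the request.
# (stan, card_last4, amount, currency, approved_at)
SWITCH_AUTHS = [
    ("000101", "4421", 20000, "INR", "2018-08-11T14:02:10"),
    ("000102", "4421", 20000, "INR", "2018-08-11T14:03:55"),
    ("000103", "7719", 500, "USD", "2018-08-11T14:04:30"),
    ("000104", "9033", 10000, "INR", "2018-08-11T14:05:02"),
]

# Constructed CBS-side log: the debits the core actually committed.  Two of
# the four approvals above never reached it.
CBS_POSTINGS = [
    ("000101", "4421", 20000, "INR", "2018-08-11T14:02:12"),
    ("000104", "9033", 10000, "INR", "2018-08-11T14:05:04"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_unposted(switch_auths, cbs_postings, window_seconds=60):
    """Return the switch approvals that have no matching CBS debit.

    A match needs the same STAN, card, amount and currency, posted within
    `window_seconds` of the approval.  Anything left over is cash the ATM
    network approved but the core never debited.
    """
    posted = defaultdict(list)
    for stan, card, amount, ccy, posted_at in cbs_postings:
        posted[(stan, card, amount, ccy)].append(parse_ts(posted_at))
    window = timedelta(seconds=window_seconds)

    unposted = []
    for stan, card, amount, ccy, approved_at in switch_auths:
        approved = parse_ts(approved_at)
        hits = posted.get((stan, card, amount, ccy), [])
        if not any(abs(t - approved) <= window for t in hits):
            unposted.append((stan, card, amount, ccy, approved_at))
    return unposted


def reconcile(switch_auths, cbs_postings, window_seconds=60, max_unposted=0):
    """Summarise a reconciliation run; `alert` is True when more approvals
    than the tolerated `max_unposted` are missing from the core."""
    unposted = find_unposted(switch_auths, cbs_postings, window_seconds)
    totals = defaultdict(int)
    for _, _, amount, ccy, _ in unposted:
        totals[ccy] += amount
    return {
        "approved": len(switch_auths),
        "posted": len(cbs_postings),
        "unposted": len(unposted),
        "unposted_totals": dict(totals),
        "alert": len(unposted) > max_unposted,
    }


if __name__ == "__main__":
    print(reconcile(SWITCH_AUTHS, CBS_POSTINGS))
    for row in find_unposted(SWITCH_AUTHS, CBS_POSTINGS):
        print("approved but never posted:", row)
```

Run against a proxy switch that never forwards to the core, the unposted count is simply every approval, which is why this check needs to run on a short cadence and on weekends as well, not as an end-of-day batch that nobody reads until Monday.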
WHO DID IT?
Although nothing can be said with certainty as of now, it is being speculated that the North Korean state-sponsored threat group Lazarus is behind this attack. However, as per our research, there has been no conclusive evidence to indicate this. Additionally, there is no visible chatter about the Cosmos Bank heist on the dark web.
Having said this, it cannot be denied that the Lazarus group could have spawned copycats in the hacker community, leading to a similar M.O. The attack bears signatures of the Lazarus Group, including the use of Windows admin shares for lateral movement, custom command and control (C2) that mimics TLS, adding new services on targets for persistence, Windows Firewall changes and a number of other techniques.
The Bangladesh bank heist has been attributed to the Lazarus group. Here is a brief history and evolution of Lazarus.
WHAT COULD HAVE PREVENTED IT?
The main objective of this paper is to come up with a comprehensive list of dos and don’ts that will help banks avoid these types of situations in the future.
Updates of software and operating systems
This measure, although probably the most basic, is also the most overlooked one. The reasons for this range from sheer negligence to the business department’s reluctance to allow downtime.
Protection of the testing infrastructure
The amount of attention that the test infrastructure gets is sorely wanting. UAT systems are usually unpatched and at the same time connected to the production systems, leading to a potentially dangerous vulnerability. It is highly recommended that the test systems be patched and protected to avoid opening weaknesses in the system.
Application Whitelisting on the Bank’s Critical Servers
Application whitelisting should be introduced on critical bank servers. This will prevent attackers from installing their remote control tools, monitoring financial transactions, and escalating privileges. It also helps to identify unauthorised attempts to run such malicious applications.
As an additional defense layer, the network can be configured to allow only certain connections to ensure that only applications that are supposed to communicate with each other do so.
Network traffic analysis
Continuous monitoring and regular analysis of network traffic go a long way in preventing nasty outcomes. Where the bank lacks this expertise, it is highly recommended that it seek external expert assistance. This is no longer a matter of choice on the bank’s part.
Having said that, it is important for banks to understand that outsourcing the monitoring and analysis does not absolve them of the responsibility. Banks should be in constant touch with the monitoring service providers, understand the threats and take the appropriate corrective and/or preventive measures.
Almost all bank heists seem to have started with an unaware or careless employee clicking on a malicious link. It is highly evident in all these bank heists that the people-awareness factor played probably the most important part. User training on phishing and other social engineering tactics is a must, no matter how repetitive or boring it is for the employees, along with constant reminders to be wary of genuine-seeming emails asking for sensitive information or asking the reader to click on links.
It should be borne in mind at all times that phishers are getting cleverer and more sophisticated by the day.
The holiday syndrome
It is worth noting here that the attacks were executed over a weekend, and the alerts that would otherwise have been attended to went completely unnoticed. Banks have to start being extra vigilant over holidays.
Banks should keep an eye out for advisories and tips released by SWIFT from time to time, in the restricted customer section of its main website.
FBI suggestions in their warning
Finally, let’s conclude with various measures that the FBI suggested in their warnings to the banks globally:
- Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.
- Implement application whitelisting to block the execution of malware.
- Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.
- Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as PowerShell, Cobalt Strike and TeamViewer.
- Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.
- Monitor for network traffic to regions to which you would not expect to see outbound connections from the financial institution.
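Three of the monitoring items above (TLS on non-standard ports, outbound traffic to unexpected regions, and remote administration tools in use from hosts that should not run them) can be expressed as simple rules over connection records, and the "C2 that mimics TLS" signature noted earlier is exactly what the first rule is meant to surface. The following is an added example written for this paper, not code from the original article, the FBI or any bank; the expected-region list, the admin jump-host list, the process names and every flow record are constructed assumptions, and "ZZ" is a placeholder code rather than any real country.

```python
"""
Added example, not from the original paper: a small detection pass over
connection records that encodes three of the FBI monitoring items above.
The policy lists and all flow records are constructed sample data; in
practice they would come from the bank's flow collector, proxy or EDR logs.
"""

# Policy inputs (assumed for this example).
EXPECTED_COUNTRIES = {"IN", "US", "SG"}          # where outbound traffic is normal
ALLOWED_TLS_PORTS = {443, 465, 993, 995, 8443}   # TLS is expected only on these
ADMIN_TOOL_PROCESSES = {"powershell.exe", "teamviewer.exe", "psexec.exe"}
ADMIN_JUMP_HOSTS = {"10.20.3.3"}                 # the only hosts allowed to run them

# Constructed flow records. payload_hex holds the first bytes the sensor saw;
# dst_country is None for internal destinations. "ZZ" is a placeholder code.
FLOWS = [
    {"src": "10.20.1.15", "dst": "203.0.113.10", "dst_port": 443, "dst_country": "IN",
     "process": "chrome.exe", "payload_hex": "1603010200010001fc0303"},
    {"src": "10.20.5.7", "dst": "198.51.100.23", "dst_port": 8088, "dst_country": "ZZ",
     "process": "svchost.exe", "payload_hex": "16030100a5010000a10303"},
    {"src": "10.20.9.40", "dst": "192.0.2.77", "dst_port": 5938, "dst_country": "US",
     "process": "teamviewer.exe", "payload_hex": "1724000000"},
    {"src": "10.20.3.3", "dst": "10.20.9.40", "dst_port": 5985, "dst_country": None,
     "process": "powershell.exe", "payload_hex": "504f5354"},
]


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record layer: content type 0x16 (handshake), version 0x03xx,
    a 2-byte length, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04
            and payload[5] == 0x01)


def analyse(flows, expected_countries=EXPECTED_COUNTRIES,
            allowed_tls_ports=ALLOWED_TLS_PORTS,
            admin_tools=ADMIN_TOOL_PROCESSES, jump_hosts=ADMIN_JUMP_HOSTS):
    """Return one finding dict per rule hit; a flow can trigger several rules."""
    findings = []

    def flag(rule, flow):
        findings.append({"rule": rule, "src": flow["src"],
                         "dst": flow["dst"], "dst_port": flow["dst_port"]})

    for flow in flows:
        payload = bytes.fromhex(flow["payload_hex"])
        # Rule 1: TLS handshake on a port where TLS is not expected.
        if looks_like_tls_client_hello(payload) and flow["dst_port"] not in allowed_tls_ports:
            flag("tls_nonstandard_port", flow)
        # Rule 2: outbound connection to a region the bank does not deal with.
        country = flow["dst_country"]
        if country is not None and country not in expected_countries:
            flag("unexpected_region", flow)
        # Rule 3: remote admin tooling from a host that is not a jump host.
        if flow["process"].lower() in admin_tools and flow["src"] not in jump_hosts:
            flag("remote_admin_tool", flow)
    return findings


if __name__ == "__main__":
    for finding in analyse(FLOWS):
        print(f"{finding['rule']:22} {finding['src']} -> "
              f"{finding['dst']}:{finding['dst_port']}")
```

The jump-host exception in rule 3 is what keeps the rule usable: the paper's own recommendation is to limit and audit the accounts and hosts that may administer critical systems, so the allow list is the audited set and everything else is a finding. With the constructed data the second flow trips both the TLS and region rules, the third trips the admin-tool rule, and the PowerShell session from the jump host is silent.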