Bangladesh Bank Hackers Compromised SWIFT

 

Swift, the global financial network that banks use to transfer billions of dollars every day, has warned its customers it is aware of “a number of recent cyber incidents” where attackers had sent fraudulent messages over its system.

“Swift is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit Swift messages from financial institutions’ back offices, PCs or workstations connected to their local interface to the Swift network,” the group warned customers.

The attackers who stole $81 million from the Bangladesh central bank hacked into software from the SWIFT financial platform that is at the heart of the global financial system, said security researchers at British defense contractor BAE Systems.

The new developments now coming to light in the unprecedented cyber-heist suggest that an essential lynchpin of the global financial system could be more vulnerable than previously understood to hacking attacks, due to the vulnerabilities that enabled attackers to modify SWIFT’s client software.

Deteran told Reuters that it was issuing the software update “to assist customers in enhancing their security and to spot inconsistencies in their local database records."

The software update and warning from Brussels-based SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, come after researchers at BAE, which has a large cyber-security business, told Reuters they believe they discovered malware that the Bangladesh Bank attackers used to manipulate SWIFT client software known as Alliance Access.

BAE said it plans to go public with a blog post about its findings concerning the malware, which the thieves used to cover their tracks and delay discovery of the heist.

The cyber criminals tried to make fraudulent transfers totaling $951 million from the Bangladesh central bank's account at the Federal Reserve Bank of New York in February.

Most of the payments were blocked, but $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.

Investigators probing the heist had previously said the still-unidentified hackers had broken into Bangladesh Bank computers and taken control of credentials that were used to log into the SWIFT system. But the BAE research shows that the SWIFT software on the bank computers was probably compromised in order to erase records of illicit transfers.

Deteran reiterated recently that "the malware has no impact on SWIFT’s network or core messaging services."

The SWIFT messaging platform is used by 11,000 banks, and other institutions around the world, although only some use the Alliance Access software, Deteran said.

SWIFT may release additional updates as it learns more about the attack in Bangladesh and other potential threats, Deteran said. SWIFT is also reiterating a warning to banks that they should review internal security.

“Whilst we keep all our interface products under continual review and recommend that other vendors do the same, the key defense against such attack scenarios is that users implement appropriate security measures in their local environments to safeguard their systems,” Deteran said.

Adrian Nish, BAE's head of threat intelligence, said he had never seen such an elaborate scheme from criminal hackers. "I can't think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in," he said. "I guess it was the realization that the potential payoff made that effort worthwhile."

A Bangladesh Bank spokesman declined comment on BAE's findings. A senior official with the Bangladesh Police’s Criminal Investigation Department said that investigators had not found the specific malware described by BAE, but that forensics experts had not finished their probe.

Bangladesh police investigators said last week that the bank's computer security measures were seriously deficient, lacking even basic precautions like firewalls and relying on used, $10 switches in its local networks.
Still, police investigators told Reuters in an interview that both the bank and SWIFT should take the blame for the problems.

"It was their responsibility to point it out but we haven't found any evidence that they advised before the heist," said Mohammad Shah Alamo, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department, referring to SWIFT.

The BAE alert to be published recently includes some technical indicators that the firm said it hopes banks could use to thwart similar attacks. Those indicators include the IPaddress of a server in Egypt the attackers used to monitor use of the SWIFT system by Bangladesh Bank staff.

The malware, named evtdiag.exe, was designed to hide the hacker's tracks by changing information on a SWIFT database at Bangladesh Bank that tracks information about transfer requests, according to BAE.

BAE said that evtdiag.exe was likely part of a broader attack toolkit that was installed after the attackers obtained administrator credentials. It is still not clear exactly how the hackers ordered the money transfers.

Nish said that BAE found evtdiag.exe on a malware repository and had not directly analyzed the infected servers. Such repositories collect millions of new samples a day from researchers, businesses, government agencies and members of the public who upload files to see if they are recognized as malicious and help thwart future attacks.

Nish said he was highly confident the malware was used in the attack because it was compiled close to the date of the heist, contained detailed information about the bank's operations and was uploaded from Bangladesh.

While that malware was specifically written to attack Bangladesh Bank, "the general tools, techniques and procedures used in the attack may allow the gang to strike again," according to a draft of the warning that BAE shared with Reuters.

The malware was designed to make a slight change to code of the Access Alliance software installed at Bangladesh Bank, giving attackers the ability to modify a database that logged the bank's activity over the SWIFT network, Nish said.

Once it had established a foothold, the malware could delete records of outgoing transfer requests altogether from the database and also intercept incoming messages confirming transfers ordered by the hackers, Nish said.
It was able to then manipulate account balances on logs to prevent the heist from being discovered until after the funds had been laundered.

It also manipulated a printer that produced hard copies of transfer requests so that the bank would not identify the attack through those printouts, he said.

Guardian:        Business Insider

 

« US Give Philippines Eyes On The South China Sea
Snowden Intervenes In The Encryption Debate »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Venafi

Venafi

Venafi is a world-class cyber-security company dedicated to protecting machine identities for our hyper-connected digital economy.

VdS

VdS

VdS is an independent safety and security testing institution. Cybersecurity services include standards, audit/assessment and certification for SMEs.

DefenseStorm

DefenseStorm

DefenseStorm is a Security Data Platform that watches everything on your network and matches it to your policies, providing cybersecurity management that is safe, compliant and cost effective.

Haltdos

Haltdos

Haltdos is an AI driven website protection service that secures websites against today's cyber threats.

SCIPP International

SCIPP International

SCIPP’s courses are based on internationally recognized best business practices for security awareness, for both technical and non-technical staff and to comply with regulatory mandates.

Blockchain Slovakia

Blockchain Slovakia

Blockchain Slovakia is a non-profit organization that brings together researchers, developers, entrepreneurs, regulators, investors and the public to support blockchain technology in Slovakia.

CSO GmbH

CSO GmbH

CSO GmbH provide specialist consultancy services in the area of IT security.

QuillAudits

QuillAudits

QuillAudits offers advanced Ethereum, EOS, TRON smart contract audit, blockchain protocol security and formal verification to ensure your platform’s integrity.

Meterian

Meterian

The Meterian Platform is a fuss-free solution to protect you against vulnerabilities in your app’s software supply chain.

SecureDrives

SecureDrives

Passwordless Authentication & Encrypted Data Storage Solutions from SecureDrives. We are enabling organisations to work safely and securely, using technology driven solutions.

Hayes Connor Solicitors

Hayes Connor Solicitors

Hayes Connor Solicitors is a specialist data breach and cybercrime law firm. We act for clients on individual data breaches and also where a group has been compromised as part of a targeted attack.

AdvIntel

AdvIntel

AdvIntel is a next-generation threat prevention and loss prevention company launched by a team of certified investigators, reverse engineers, and security experts.

Mitigate Cyber

Mitigate Cyber

Mitigate Cyber (formerly Xyone Cyber Security) offer a range of cyber security solutions, from threat mitigation to penetration testing, training & much more.

Stratascale

Stratascale

Stratascale is a consultant, systems integrator, and technology advisor with expertise in Automation, Cloud Ascension, Cybersecurity, Data Intelligence, and Digital Experience solutions.

Awareness Software Limited (ASL)

Awareness Software Limited (ASL)

As Hosting Specialists, Awareness Software offer practical and affordable hosting solutions including backup and disaster recovery and a range of cybersecurity services.

Tracer

Tracer

Tracer (formerly Appdetex) is a next-generation brand protection solution. It constantly finds, analyzes, and stops brand abuse across Web2 and Web3 digital channels.