SWIFT Credential Theft Calls for Advanced Access Controls
According to the New York Times, security researchers have tied the recent spate of digital breaches on Asian banks to North Korea in what appears to be the first known case of a nation using digital attacks for financial gain.
An investigation by Symantec found evidence that a single group of state-sponsored cyber criminals may be responsible for an attack that successfully stole $81 million USD from the Bangladesh central bank, and attempted to steal over $1 million from the Tien Phong Bank in Vietnam. Malware used by the group was also deployed in targeted attacks against a bank in the Philippines.
In addition, some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus. The attacks can be traced back as far as October 2015, two months prior to the discovery of the failed attack in Vietnam, which was hitherto the earliest known incident.
Valid User Credential Theft
It has been widely reported that the attackers exploited vulnerabilities in banks’ funds-transfer initiation environments, prior to transfer messages being sent over the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. SWIFT has reported that malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions’ back offices, PCs or workstations connected to their local interface to the SWIFT network. The modus operandi of the attackers is similar in each case:
1. Attackers compromise the bank’s environment.
2. Attackers obtain valid operator credentials that have the authority to create, approve and submit SWIFT messages from customers’ back offices or from their local interfaces to the SWIFT network.
3. Attackers submit fraudulent messages by impersonating the operators from whom they stole the credentials.
4. Attackers hide evidence by removing some of the traces of the fraudulent messages.
The notice from SWIFT urges banks to ensure that they have all preventative and detective measures in place to secure their environments.
While details of the initial compromise vector have not been identified, it is safe to assume that the attackers established a foothold either with the help of an insider or via stolen valid user credentials. This leads a network defender to look inside the network for ways to make the adversary’s job harder by interrupting the other steps in the attack sequence outlined by SWIFT.
Prevent Advanced Adversary Threat
Preventing an advanced adversary such as Lazarus from progressing from Step 1 (initial compromise of user credentials) to Step 2 (acquisition of valid SWIFT operator credentials) requires proper network segmentation. This effectively prevents an adversary from conducting reconnaissance and lateral movement in search of operator credentials. Fine-grained segmentation also separates unprotected segments of the network (workstations) from highly sensitive applications, such as the SWIFT interface.
To prevent an adversary from progressing from Step 2 to Step 3 as outlined in the SWIFT report, it is important for banks to authenticate valid operators beyond username and password. Effective authentication must include other variables, such as MFA, time, date, and endpoint validation (MAC address, SID, up-to-date AV and OS, etc.). By increasing the number of variables that must be presented to authenticate a valid SWIFT operator, the bank is, in effect, using a “digital identity” that is extraordinarily difficult to duplicate. This countermeasure interrupts Step 3, impersonating a valid SWIFT operator.
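As an added illustration (not code from the post or from Cryptzone), the check below evaluates a SWIFT operator login against the factors listed above: password, MFA, time window, and endpoint enrolment and posture. The profile fields, MAC/SID values and operator names are constructed assumptions; a stolen password and MFA code still fail on the endpoint and time factors.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Illustrative policy model for a SWIFT operator session; all names are assumptions.
@dataclass(frozen=True)
class Endpoint:
    mac: str
    sid: str            # Windows machine SID
    av_current: bool    # AV signatures up to date
    os_version: str

@dataclass(frozen=True)
class OperatorProfile:
    username: str
    endpoints: frozenset    # (mac, sid) pairs the operator is enrolled to use
    allowed_os: frozenset
    hours: tuple            # (start, end) local business hours, weekdays only

def evaluate(username, password_ok, mfa_ok, when, ep, p):
    """Return every failed factor; an empty list grants the session.
    All factors are checked so the audit log records each mismatch, not just the first."""
    failures = []
    if username != p.username or not password_ok:
        failures.append("credentials")
    if not mfa_ok:
        failures.append("mfa")
    if when.weekday() >= 5 or not (p.hours[0] <= when.time() <= p.hours[1]):
        failures.append("time window")
    if (ep.mac, ep.sid) not in p.endpoints:
        failures.append("unregistered endpoint")
    if not ep.av_current or ep.os_version not in p.allowed_os:
        failures.append("endpoint posture")
    return failures

# Constructed sample data, not from the post.
OPERATOR = OperatorProfile("ops-alice",
    frozenset({("00:1a:2b:3c:4d:5e", "S-1-5-21-1000-2000-3000")}),
    frozenset({"Windows 10"}), (time(8, 0), time(18, 0)))
TRUSTED_PC = Endpoint("00:1a:2b:3c:4d:5e", "S-1-5-21-1000-2000-3000", True, "Windows 10")
ROGUE_PC = Endpoint("aa:bb:cc:dd:ee:ff", "S-1-5-21-9999-9999-9999", False, "Windows 7")

def legitimate_login():
    return evaluate("ops-alice", True, True, datetime(2016, 6, 1, 10, 30), TRUSTED_PC, OPERATOR)

def stolen_credentials_login():
    # Correct password and MFA code, but an unenrolled, unpatched machine at 02:00 on a Sunday.
    return evaluate("ops-alice", True, True, datetime(2016, 6, 5, 2, 0), ROGUE_PC, OPERATOR)
```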
Lastly, to prevent an adversary from progressing from Step 3 to Step 4 in the attack sequence, banks should ensure that proper logging of transactions is conducted, or terminate the session between the operator and the SWIFT interface. This would prevent the attackers from thwarting fraud detection controls that are designed to find anomalous activity. It would also ensure that proper evidence is available to conduct an investigation after an attack has been detected. It is very important to maintain effective logs to identify and prosecute potential bad actors within the organization.
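As an added example (not from the post or from any SWIFT product), a hash-chained audit log makes the “remove the traces” step in Step 4 detectable: each entry commits to its position and to the previous entry, so deleting or altering an interior record breaks the chain. Truncating the tail does not, which is why the head hash must also be stored off-host; the event names and record fields are constructed assumptions.

```python
import hashlib, json

# Hypothetical append-only audit log for SWIFT operator activity; names are assumptions.
GENESIS = "0" * 64

def _digest(prev_hash, seq, record):
    payload = json.dumps({"prev": prev_hash, "seq": seq, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append(log, record):
    """Append a record whose hash commits to its position and to the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, "record": record}
    entry["hash"] = _digest(prev, entry["seq"], record)
    log.append(entry)
    return entry

def verify(log, anchor=None):
    """Return (ok, first_bad_seq); anchor is the head hash kept off-host and catches truncation."""
    prev = GENESIS
    for seq, entry in enumerate(log):
        if entry["seq"] != seq or entry["prev"] != prev:
            return False, seq
        if entry["hash"] != _digest(prev, seq, entry["record"]):
            return False, seq
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(log)
    return True, None

def build_sample_log():
    # Constructed operator session: login, two transfer messages, logout.
    log = []
    for rec in ({"event": "login", "operator": "ops-alice", "host": "OPS-PC-07"},
                {"event": "mt103_created", "operator": "ops-alice", "ref": "TXN-0001"},
                {"event": "mt103_created", "operator": "ops-alice", "ref": "TXN-0002"},
                {"event": "logout", "operator": "ops-alice"}):
        append(log, rec)
    return log

def trace_removed():
    log = build_sample_log()
    del log[2]                 # the trace of the second transfer is removed
    return verify(log)         # the chain breaks at the gap

def log_truncated():
    log = build_sample_log()
    anchor = log[-1]["hash"]   # head hash shipped to a separate log server
    del log[-1]                # dropping only the tail leaves the chain internally valid
    return verify(log), verify(log, anchor)
```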
Targeting of Banks and Foreign Wire Transfers Continues
Given the success of the recent bank attacks, it is highly likely that the Lazarus Group and other sophisticated cyber adversaries will continue to target banks and other companies that conduct foreign wire transfers. This presents an urgent need for enterprises to implement proper security controls, such as user authentication based on digital identity, fine-grained segmentation, and persistent tamper-proof logging. The challenge is to identify cost-effective and easily managed solutions that implement these controls.
You can learn more about one solution in this category – Cryptzone’s AppGate, which enables organizations to adopt a software-defined perimeter approach for granular security control.