Last week we all read about the latest financial attack, this time on the Bangladesh Central Bank, in which some $80M were stolen and an additional $900M were stopped due to a typo in the beneficiary's name.
Here are some notes on this heist covering remote access, human error and that typo.
The human link
First we need to understand that the attack was not a direct attack on the bank infrastructure, but rather an end-user attack. Here the attack targeted specific users of a money transfer system used by central banks - quite similar to a situation where an online banking user is attacked and their account within the bank is emptied. In these sorts of attacks, the hackers typically conduct some research on social media, locate specific employees in a corporation they want to target, and then engage. If they fail to compromise the employees of a specific target, they'll go to the next target: so Bangladesh's central bank may have been the first target whose employees got compromised - had those employees become suspicious, the hackers may have tried other central banks. Alternatively, they may have targeted several central banks in parallel, and we just don't know that yet.
A second point worth mentioning is that banks worldwide are now heavily attacked by RAT Trojans that infect their end-users' PCs; the banks are putting up a good fight, but fraudsters still manage to find their way into the banks' systems.
There's a typo in your name
For the heist to succeed, the hackers had to go through two phases:
- silently monitor the Bank of Bangladesh financial operators' work, so they can understand how the system works and steal their SWIFT access credentials;
- and then conduct the fraudulent money transfers, bypassing all security measures.
The initial phase of the attack often includes a "spear phishing" campaign that targets specific employees, tricking them into visiting an infection site or directly downloading a malicious payload that has remote access, or RAT, capabilities. Detection of malware is always an issue nowadays: advanced malware has a lot of evasive capabilities that defy signature-based and heuristic-based detection by anti-virus software. The attackers can easily test these capabilities before shipping the payload, checking whether their malware is currently detectable, and if so - change it so it won't be. They may also use zero-day vulnerabilities that are still unknown to the security industry.
The second phase occurs once the hackers have gained enough information and credentials. In many cases getting a password isn't enough, because the system requires a "what you have" authentication factor such as a smart card that needs to be physically close to the PC, a USB token that needs to be plugged into the victim's device, or a logical certificate / private key that is present on the victim's computer. This is easily circumvented by the use of a RAT, because it allows remote control of the employee's actual PC. The wire transfer system would see a legitimate request coming from the regular device of the user, with all the necessary credentials. Detection at this point is far more difficult, as the attacker has all the right authentication tokens. In fact the way the heist was stopped after $80M, saving around $900M in additional transfers waiting for approval, is that someone wanted to verify the beneficiary details because the attackers made a typo in the name.
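Because a RAT-driven session presents valid credentials from the operator's own PC, authentication-time controls are satisfied and the remaining opportunity to catch the fraud lies in the payment instructions themselves. The following added example (my own illustration, not code from the original post, from SWIFT, or from any bank) shows a small rule set of the kind a transaction-monitoring layer might apply before release: unknown or near-miss beneficiary names (the typo case), unusual destination countries, single-transfer and rolling-velocity limits, and submission outside the operator's working hours. All thresholds, beneficiary names, countries and transfer records are constructed assumptions for the demonstration.

```python
"""Rule-based review of outgoing wire instructions (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Transfer:
    ref: str
    submitted: datetime      # time the instruction was entered on the operator's PC
    amount_usd: float
    beneficiary: str         # beneficiary name as typed by the operator (or the attacker)
    country: str             # beneficiary bank country, ISO code


# Constructed baseline for one operator profile; a real system would derive this from history.
KNOWN_BENEFICIARIES = {"Example Development Foundation", "Sample Sovereign Fund"}
USUAL_COUNTRIES = {"US", "GB"}
SINGLE_LIMIT_USD = 25_000_000          # assumed per-instruction ceiling
VELOCITY_WINDOW = timedelta(hours=2)   # assumed rolling window
VELOCITY_LIMIT_USD = 50_000_000        # assumed ceiling for the rolling window


def is_business_hours(ts):
    """Assumed operator schedule: weekdays, 09:00-17:00 local time."""
    return ts.weekday() < 5 and 9 <= ts.hour < 17


def near_miss(name, known, threshold=0.85):
    """Return the known name this one closely resembles but does not equal, else None.

    This is the 'typo in the beneficiary's name' check: a name that almost matches a
    registered counterparty is more suspicious than one that is simply new.
    """
    best = max(known, key=lambda k: SequenceMatcher(None, name.lower(), k.lower()).ratio())
    ratio = SequenceMatcher(None, name.lower(), best.lower()).ratio()
    return best if name != best and ratio >= threshold else None


def review(transfers):
    """Return {ref: [reasons]} for instructions that should be held for out-of-band confirmation."""
    flagged = {}
    ordered = sorted(transfers, key=lambda t: t.submitted)
    for i, t in enumerate(ordered):
        reasons = []
        if t.beneficiary not in KNOWN_BENEFICIARIES:
            hint = near_miss(t.beneficiary, KNOWN_BENEFICIARIES)
            reasons.append("new beneficiary" + (f" (resembles '{hint}', possible typo)" if hint else ""))
        if t.country not in USUAL_COUNTRIES:
            reasons.append(f"unusual destination country {t.country}")
        if t.amount_usd > SINGLE_LIMIT_USD:
            reasons.append("exceeds single-transfer limit")
        if not is_business_hours(t.submitted):
            reasons.append("submitted outside operator's business hours")
        # Rolling total over this and every earlier instruction inside the window.
        window_total = sum(u.amount_usd for u in ordered[: i + 1]
                           if t.submitted - u.submitted <= VELOCITY_WINDOW)
        if window_total > VELOCITY_LIMIT_USD:
            reasons.append(f"rolling total {window_total:,.0f} USD exceeds velocity limit")
        if reasons:
            flagged[t.ref] = reasons
    return flagged


# Constructed sample: one routine daytime transfer, then a late-night burst.
SAMPLE = [
    Transfer("T1", datetime(2016, 3, 7, 10, 15), 5_000_000, "Example Development Foundation", "US"),
    Transfer("T2", datetime(2016, 3, 7, 23, 40), 20_000_000, "Example Development Fandation", "PH"),
    Transfer("T3", datetime(2016, 3, 7, 23, 52), 30_000_000, "Unknown Trading Co", "PH"),
    Transfer("T4", datetime(2016, 3, 8, 0, 10), 15_000_000, "Sample Sovereign Fund", "GB"),
]

if __name__ == "__main__":
    for ref, reasons in review(SAMPLE).items():
        print(ref, "->", "; ".join(reasons))
```

Note that T4 goes to a known beneficiary in a usual country and is under the single limit; it is held only because of the hour and the rolling total, which is the point of combining independent signals: a session that looks fully authenticated can still be stopped on what it asks for and when.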
The cash-out process for laundering hundreds of millions of dollars is actually the most difficult part of the entire heist. The cyber criminals need to plan this very carefully and set up everything in advance. It seems that the cash-out experts who did the money laundering had their infrastructure in the Philippines and Sri Lanka, and it's also more plausible for the Bank of Bangladesh to transfer funds to entities within these countries.
What RAT are you suffering from?
We are currently running a survey on remote access trojans and would love to get your input.