Friday, May 13, 2016

Bangladesh Heist - Programmatic Issues (Week 9)

The Bangladesh Bank heist, at $81 million, is one of the largest single thefts from a bank in history. In February 2016, the attacker(s) obtained credentials and then initiated dozens of requests to the Federal Reserve Bank of New York to move money from Bangladesh to accounts in the Philippines and Sri Lanka. The remaining transactions were stopped because the attacker(s) made a spelling error, writing “foundation” as “fandation,” which caused a routing bank to question the Bangladesh Bank transactions. This error was the saving grace between a loss of $81 million and one of $1 billion. The initial investigation into this incident determined that gaining access to the Bangladesh Bank’s systems required little effort because of vulnerabilities rooted in programmatic policies. The Bangladesh Bank had not implemented basic network architecture fundamentals such as a firewall, and the router that connected it to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) global payment network appeared inadequate from both a security and a functional standpoint: the device itself, or its configuration, did not allow logging of traffic, a choice driven by cost (Beck, 2016).

Early in the investigation SWIFT indicated that the attack was related to an internal operational issue at Bangladesh Bank and that SWIFT's core messaging services were not compromised. It appears that the Bangladesh Bank focused more on physical security than on the security of logical access. The SWIFT room is a windowless space roughly 12 feet by 8 feet located on the eighth floor of the bank's annex building in Dhaka. There are four servers and four monitors in the room. All transactions from the previous day are automatically printed on a printer in the room. It wasn’t until after the initial incident that SWIFT officials advised the bank to upgrade the switches because they were old. Furthermore, it appears that the SWIFT system at the Bangladesh Bank is part of the general bank network instead of being segregated to limit lateral movement by the attacker(s) (Quadir, 2016).

SWIFT is a cooperative owned by 3,000 financial institutions, and its messaging platform is used by 11,000 banks and other institutions around the world. In the further investigation of the incident up to April 2016, SWIFT indicated that the global financial system could be more vulnerable than previously understood because of the vulnerabilities that enabled the attacker(s) to modify SWIFT’s client software. The client software was attacked by malware dubbed “evtdiag.exe”. This malware was designed to hide the attacker(s)’ tracks by changing information about transfer requests in a SWIFT database at Bangladesh Bank, and it was likely part of a broader attack toolkit installed after the attackers obtained administrator credentials. Once the malware established a foothold, it deleted records of outgoing transfer requests from the database, intercepted incoming messages confirming transfers, manipulated account balances in logs, and manipulated the printer that produced hard copies of transfer requests so that the bank would not identify the attack through those printouts (Finkle, 2016).

For more detail on the intricacies of the malware see http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html?utm_medium=email&utm_source=flipboard.
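The malware described above attacked every record the bank could see from inside its own network: the local database, the incoming confirmation messages, the balances in the logs, and the printout. The control that survives that kind of tampering is reconciliation against a record the attacker cannot reach from the SWIFT workstation, such as the correspondent bank's end-of-day statement for the account, obtained over a separate channel. The following is an added example, not code from the original post or from any bank or SWIFT product; the transfer references, amounts, beneficiary labels and balances are constructed sample values, and the message types are simplified to plain records.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    """One outgoing payment instruction (a constructed simplification)."""
    ref: str
    amount: Decimal
    beneficiary: str


def _tx(ref, amount, beneficiary):
    return Transfer(ref, Decimal(amount), beneficiary)


# Independent source: the correspondent's end-of-day statement for the
# account, fetched over a channel the SWIFT workstation does not touch.
# Constructed sample: three debits actually left the account.
SAMPLE_STATEMENT = {
    "TX1": _tx("TX1", "20000000", "BENEFICIARY-A"),
    "TX2": _tx("TX2", "30000000", "BENEFICIARY-B"),
    "TX3": _tx("TX3", "31000000", "BENEFICIARY-C"),
}

# Local sources, tampered with in the manner the post describes (constructed):
# TX3 was deleted from the database, its confirmation never reached the
# operator and the printout omits it; TX2's confirmation was edited in transit.
SAMPLE_LOCAL_DB = {k: SAMPLE_STATEMENT[k] for k in ("TX1", "TX2")}
SAMPLE_CONFIRMATIONS = {
    "TX1": SAMPLE_STATEMENT["TX1"],
    "TX2": _tx("TX2", "3000000", "BENEFICIARY-B"),  # amount altered
}
SAMPLE_PRINTOUT = {k: SAMPLE_STATEMENT[k] for k in ("TX1", "TX2")}
SAMPLE_OPENING_BALANCE = Decimal("100000000")
SAMPLE_REPORTED_CLOSING = Decimal("50000000")  # what the doctored log shows


def reconcile(local_db, confirmations, printout, statement):
    """Compare every debit on the independent statement against the three
    local views and return sorted (finding, ref) pairs. Anything present
    externally but absent or different locally is a tampering signal."""
    findings = []
    for ref, actual in statement.items():
        if ref not in local_db:
            findings.append(("missing_from_local_db", ref))
        if ref not in confirmations:
            findings.append(("missing_confirmation", ref))
        elif (confirmations[ref].amount != actual.amount
              or confirmations[ref].beneficiary != actual.beneficiary):
            findings.append(("confirmation_mismatch", ref))
        if ref not in printout:
            findings.append(("missing_from_printout", ref))
    # A local record with no matching external debit also deserves a look:
    # either it has not settled yet or the local record is a fabrication.
    for ref in local_db:
        if ref not in statement:
            findings.append(("no_external_debit", ref))
    return sorted(findings)


def balance_check(opening, statement, reported_closing):
    """Recompute the closing balance from the independent statement and
    compare it with the balance the local system reports."""
    expected = opening - sum((t.amount for t in statement.values()), Decimal(0))
    return expected, expected == reported_closing


def run_sample():
    """Run both checks over the constructed sample and return the results."""
    findings = reconcile(SAMPLE_LOCAL_DB, SAMPLE_CONFIRMATIONS,
                         SAMPLE_PRINTOUT, SAMPLE_STATEMENT)
    expected, ok = balance_check(SAMPLE_OPENING_BALANCE, SAMPLE_STATEMENT,
                                 SAMPLE_REPORTED_CLOSING)
    return findings, expected, ok


if __name__ == "__main__":
    findings, expected, ok = run_sample()
    for finding, ref in findings:
        print(f"ALERT {finding}: {ref}")
    print(f"closing balance per correspondent: {expected}; local log agrees: {ok}")
```

The point of the design is that the comparison baseline never passes through the compromised host: if the statement is pulled by a separate system, on a separate network segment, and reviewed by someone other than the SWIFT operators, a deleted record, a suppressed or edited confirmation, a doctored printout and a manipulated balance all surface as discrepancies the next morning rather than days later.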

In the continued investigation through May 13, 2016, there is further evidence backing my initial assessment that the root cause was programmatic failure. The country’s law enforcement agency indicated that technicians introduced weaknesses into the network when it was first connected to Bangladesh’s first real-time gross settlement (RTGS) system last year. The technicians’ missteps include: going against security protocols, such as using a “simple password”; establishing a wireless connection with remote access to computers in the locked SWIFT room; linking the RTGS and 5,000 publicly accessible central bank computers to SWIFT; failing to disconnect a USB port on the SWIFT system; using a rudimentary old switch they had found unused in the bank; and failing to implement a firewall between the RTGS and the SWIFT room. Furthermore, it was SWIFT’s responsibility to check for weaknesses once they had set up the system, yet no artifacts have been produced to show that this was done (Brook, 2016).

On May 12, 2016, SWIFT stated that it had been hit by another malware attack on its systems. SWIFT is urging customers to review the controls in their payments environments, messaging, and e-banking channels. This includes everything from employee checks to password protection to cyber defense. The new malware involves the PDF reader that banks use to open SWIFT messages, which are sent to financial institutions telling them what money to send where. The experts believe this new discovery is not a single occurrence but part of a wider and highly adaptive campaign in which the attacker(s) clearly exhibit a deep and sophisticated knowledge of specific operational controls (Smith, 2016).

BAE Systems has been conducting the investigation into this incident since the beginning. As of today, May 13, 2016, BAE Systems has linked this attack to the November 2014 Sony hack. The similarities between the attacks include the names of the programming elements and the encryption keys, which is consistent with a single coder. This is likely to draw scrutiny because the White House attributed the Sony attack to North Korea (Fox News, 2016).

It is very easy to point to the technical errors; however, these missteps could have been reduced and caught if programmatic controls for administering cyber security and operations management had been in place. Programmatic functions include basic fundamentals, baseline standards, management support, technical expertise, oversight, and continuous monitoring in the form of formal and informal reviews. In most cases the security posture is indicative of the programmatic elements.

References:

Beck, K. (2016, April 22). Hackers steal $81 million from a bank that had no firewall. Retrieved May 13, 2016, from http://mashable.com/2016/04/22/bank-hackers-firewall/?utm_medium=email

Quadir, S. (2016). Bangladesh Bank exposed to hackers by cheap switches, no firewall: Police. Retrieved May 13, 2016, from http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0XI1UO

Finkle, J. (2016). Exclusive: Bangladesh Bank hackers compromised SWIFT software, warning to be issued. Retrieved May 13, 2016, from http://www.businessinsider.com/r-exclusive-bangladesh-bank-hackers-compromised-swift-software-warning-to-be-issued-2016-4?utm_medium=email

Shevchenko, S. (2016, April 25). Two bytes to $951M. BAE Systems Threat Research Blog. Retrieved May 13, 2016, from http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html?utm_medium=email

Brook, C. (2016). Police Allege SWIFT Technicians Left Bangladesh Bank Vulnerable. Retrieved May 13, 2016, from https://threatpost.com/police-allege-swift-technicians-left-bangladesh-bank-vulnerable/117937/?utm_medium=email

Smith, M. N. (2016). One of the world's biggest money transfer systems discovered a 'wide and highly adaptive' hacking campaign. Retrieved May 13, 2016, from http://www.businessinsider.com/swift-cyber-attack-hack-malware-wide-highly-adaptive-2016-5?utm_medium=email

Fox News. (2016). Cyber security firm reportedly ties Bangladesh bank heist to Sony attack. Retrieved May 13, 2016, from http://www.foxnews.com/tech/2016/05/13/cyber-security-firm-reportedly-ties-bangladesh-bank-heist-to-sony-attack.html?utm_medium=email