Security vendors are pushing for a more comprehensive revamp of the SWIFT international inter-bank financial transaction messaging system beyond a update prompted by an $81m hack against Bangladesh's central bank.
The loss of $81m (part of an attempted $950m heist) in February’s Bangladesh cyber-heist – reckoned to be the biggest ever bank theft – has subsequently been linked to the bank’s use of second-hand $10 switches on its network and a lack of firewalls.
As well as network infrastructure weaknesses, the hackers behind the heist used custom malware specifically created to target SWIFT.
The code even adjusted the SWIFT system’s printed reports to hide fraudulent transfers from the Bangladesh central bank account at the New York Federal Reserve Bank.
The malware linked to the attack was identified by security researchers at BAE Systems.
Hackers lifted the Bangladesh central bank key’s before forging messages on SWIFT. Having obtained valid operator credentials, hackers gained authority to create, approve and submit messages while posing as compromised organisations. The hackers then – posing as the Bangladesh central bank – instructed the transfer of funds to accounts under their control through a series of messages using the compromised credentials.
The whole incident is better understood as the Bangladesh central bank getting hacked rather than SWIFT itself getting hacked.
SWIFT, a co-operative owned by 3,000 financial institutions worldwide, has confirmed the role of malware in the attack without naming the affected organisation.
SWIFT is aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on SWIFT’s network or core messaging services.
The malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security.
Worryingly the Bangladeshi incident is not a one-off. Other thefts of “operator credentials” have happened before, SWIFT’s statement confirms, without going into numbers.
SWIFT said it had “informed our customers that there are other instances in which customers’ internal vulnerabilities have been exploited in order to stress the importance and urgency of customers’ securing their systems” without going into details. In response to the Bangladeshi incident is has pushed a mandatory security update.
We have made a mandatory software update available to customers to help them enhance their security and to spot inconsistencies in their local database records. The key defence against such attack scenarios, however, remains for users to implement appropriate security measures in their local environments to safeguard their systems – in particular those used to access SWIFT – against such potential security threats. Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems.
Security experts argue that the update, while welcome, fails to go far enough in locking down the critical system. Several experts noted that the wider use of two factor-authentication, among other security controls, is needed to safeguard against future problems.
Stephen Cobb, senior security researcher at security software firm ESET, commented: “Though SWIFT has made software improvements in response to this breach, it appears the organisation has an urgent need to audit member security in a meaningful way. The compromise of account credentials at Bangladesh central bank, essentially a set of the keys to the SWIFT system, and the poor detection of the malicious network activity that ensued, clearly point to a need for better enforcement of controls.”
Security intelligence experts have begun engaging in informed speculation about shortcomings in the SWIFT system that may have been a contributing factor in the hack.
Vitali Kremez, a consultant at security intelligence firm Flashpoint, added: "The malware found in the SWIFT platform appears to operate within the environment running SWIFT’s Alliance software suite, powered by an Oracle Database. Hence, financial institutions that run these specific applications appear to be particularly vulnerable to the exploitation by this threat group.
“As with recently discovered attacks by the ”Buhtrap” group, targeting Russian banks, a lengthy reconnaissance mission was completed prior to submitting transfer orders. For several weeks, hackers silently observed internal processes, learning as much as possible of transaction procedures. Similar to the SWIFT compromise, once transfers were completed, logs were promptly deleted,” he added.
El Reg asked SWIFT to comment directly on Flashpoint’s reading of the situation but is yet to receive a response.
Flashpoint’s Kremez warned that the as yet unidentified hackers behind the Bangladeshi attack put a great deal of effort into planning the attack. Future attempts to steal bank credentials and abuse the SWIFT global financial network by the same group, or similarly capable hackers, seem likely, if history is any guide.
“This malware was custom made for this particular hack. It also demonstrates a high level of knowledge of SWIFT Alliance Access software,” Kremez said. “It also could suggest that the attacker(s) had completely unfettered access to the system for quite some time. They might have monitored and studied the SWIFT software transactions for quite some time. Monitoring and scrutinising logs for anomalies related to the privileged workstations within the SWIFT environment might reveal possible signs of the SWIFT transaction forgery perpetrated by the threat group.” ®