Yet another SE Asia bank hit by a SWIFT credentials hack

Bank network's quick to blame others, notes El Reg source

Cybercrooks have once again broken into the SWIFT financial transaction network and stolen money from another bank.

The breach – victim and amount looted undisclosed – comes as the fallout from February’s $81m Bangladesh reserve bank cyber-heist continues to spread.

The second robbery was uncovered by investigators looking into the looting of funds held by the central bank of Bangladesh at the Federal Reserve Bank of New York.

The second heist involves an unnamed commercial bank but may have been carried out using similar malware in a follow-up attacks by the same group of attackers, The New York Times reports.

The NYT adds that SWIFT1 is due to warn its members that the two attacks shared common characteristics and were likely part of a “wider and highly adaptive campaign targeting banks”, according to a copy of the warning seen by the NYT.

The working theory is that hackers managed to get their hands on access credentials needed to send messages on the SWIFT secure financial messaging system after either successfully infecting terminals on the network of the targeted bank or by using a corrupt bank insider.

In a statement, SWIFT noted that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks.

Each bank is charged with maintaining the security of its links into SWIFT. In the latest case – as in the Bangladeshi case before it – cybercrooks compromised login credentials that allowed them to send fraudulent messages instructing bank transfers.

The integrity of the SWIFT system as a whole was not compromised. “As a matter of urgency, we remind all customers again to urgently review controls in their payments environments,” SWIFT warns.

A path well trodden

The Bangladeshi case was only unprecedented in terms of the huge loss. Similar credential theft frauds have happened before.

In the latest case, cyber-thieves used a strain of malware that targeted a PDF reader that the bank used to confirm payments. The malicious code was designed to manipulate these PDFs to “remove traces of the fraudulent instructions.”

In a statement issued on Friday, SWIFT reiterated its previous assurances that neither the latest fraud nor the Bangladeshi case had any “impact on SWIFT network, core messaging services or software”, and once again pointed the finger of blame towards the affected banks.

In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.

The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both.

Data Breach Today reports that the new victim is a Vietnamese bank but that remains unconfirmed. To reiterate, SWIFT isn’t saying which bank is affected nor is it quantifying the loss it suffered.

A Register contact who has experience in designing networks that include SWIFT terminals said that the banks affected by the latest run of breaches are likely the authors of their own misfortune.

“SWIFT's whole model is based on being extremely secure,” he explained. “You'll notice that in both of these cases, the comments from SWIFT are quick to mention that it was done using stolen credentials and insider knowledge, but that the security and integrity of the SWIFT infrastructure is fine.”

“That is, they are blaming the organisations that were attacked. They don't want the institutions that connect to the network to lose confidence in its inherent security. Billions of dollars in transactions cross this network daily,” our source added.

Other security experts have argued that banks that link to the SWIFT network should roll out two-factor authentication, a commonly used security mechanism that means that passwords alone are insufficient to access sensitive systems (a hardware token or registered smartphone is also needed). Our techie cautioned that introducing these type of controls might not be as straightforward as some are keen to suggest.

“The end terminal is the most vulnerable part of the system, so this makes sense as as attack method,” our contact told El Reg. “That's why good security practices put that device on some sort of internal DMZ, firewalled off from everything else. I would recommend that for any internal connection to a third party network, even more so for one that is so sensitive.”

“The attackers in both of these incidents appear to have used stolen user credentials. Some people have already started blaming SWIFT for not using some sort of two-factor authentication. But that would be awkward for many of their clients because at least some of the transactions are automated, initiated by a computer program rather than a person,” he concluded.

Matthias Maier, a security evangelist at Splunk, argued that banks should redouble their efforts to monitor their networks for the presence of malware, particularly a strain linked by security researchers at BAE Systems to the Bangladeshi hack.

“The second cyber attack revealed by Swift in as many months is a wake-up call for banks across the globe,” Maier said. “These are not isolated incidents. Serious investigations must follow given the custom built nature of the malware used in these attacks. It appears to have been created by someone with an intimate knowledge of how the SWIFT software works as well as its business processes, which is cause for concern. However, basic system monitoring at the bank would have stopped this at the server endpoint by tracking system changes in real time, triggering alerts to analysts.”

“Other banks participating in the SWIFT network now need to compare the indicators of compromise shared by BAE Systems with the data generated by their own environment to understand whether or not they have also been affected and how to respond effectively,” he added.


1SWIFT is the Society for Worldwide Interbank Financial Telecommunication

Other stories you might like

  • Not enough desks and parking spots, wobbly Wi-Fi: Welcome back to the office, Tesla staff
    Don't worry, the tweetings will continue until morale improves

    Employees at Tesla suffered spotty Wi-Fi and struggled to find desks and parking spots when they were returned to work at the office following orders from CEO Elon Musk.

    Most tech companies are either following a hybrid work model or are still operating fully remotely. Musk, however, wants his automaker's staff back at the office working for at least 40 hours a week. Those who fail to return risk losing their jobs, he warned in an internal email earlier this month.

    "Everyone at Tesla is required to spend a minimum of 40 hours in the office per week. Moreover, the office must be where your actual colleagues are located, not some remote pseudo office. If you don't show up, we will assume you have resigned," he wrote.

    Continue reading
  • LGBTQ+ folks warned of dating app extortion scams
    Uncle Sam tells of crooks exploiting Pride Month

    The FTC is warning members of the LGBTQ+ community about online extortion via dating apps such as Grindr and Feeld.

    According to the American watchdog, a common scam involves a fraudster posing as a potential romantic partner on one of the apps. The cybercriminal sends explicit of a stranger photos while posing as them, and asks for similar ones in return from the mark. If the victim sends photos, the extortionist demands a payment – usually in the form of gift cards – or threatens to share the photos on the chat to the victim's family members, friends, or employer.

    Such sextortion scams have been going on for years in one form or another, even attempting to hit Reg hacks, and has led to suicides.

    Continue reading
  • 5G C-band rollout at US airports slowed over radio altimeter safety fears
    Well, they did say from July, now they really mean from July 2023

    America's aviation watchdog has said the rollout of 5G C-band coverage near US airports won't fully start until next year, delaying some travelers' access to better cellular broadband at crowded terminals.

    Acting FAA Administrator Billy Nolen said in a statement this month that its discussions with wireless carriers "have identified a path that will continue to enable aviation and 5G C-band wireless to safely co-exist."

    5G C-band operates between 3.7-3.98GHz, near the 4.2-4.4GHz band used by radio altimeters that are jolly useful for landing planes in limited visibility. There is or was a fear that these cellular signals, such as from cell towers close to airports, could bleed into the frequencies used by aircraft and cause radio altimeters to display an incorrect reading. C-band technology, which promises faster mobile broadband, was supposed to roll out nationwide on Verizon, AT&T and T-Mobile US's networks, but some deployments have been paused near airports due to these concerns. 

    Continue reading
  • IBM settles age discrimination case that sought top execs' emails
    Just days after being ordered to provide messages, Big Blue opts out of public trial

    Less than a week after IBM was ordered in an age discrimination lawsuit to produce internal emails in which its former CEO and former SVP of human resources discuss reducing the number of older workers, the IT giant chose to settle the case for an undisclosed sum rather than proceed to trial next month.

    The order, issued on June 9, in Schenfeld v. IBM, describes Exhibit 10, which "contains emails that discuss the effort taken by IBM to increase the number of 'millennial' employees."

    Plaintiff Eugene Schenfeld, who worked as an IBM research scientist when current CEO Arvind Krishna ran IBM's research group, sued IBM for age discrimination in November, 2018. His claim is one of many that followed a March 2018 report by ProPublica and Mother Jones about a concerted effort to de-age IBM and a 2020 finding by the US Equal Employment Opportunity Commission (EEOC) that IBM executives had directed managers to get rid of older workers to make room for younger ones.

    Continue reading
  • FTC urged to probe Apple, Google for enabling ‘intense system of surveillance’
    Ad tracking poses a privacy and security risk in post-Roe America, lawmakers warn

    Democrat lawmakers want the FTC to investigate Apple and Google's online ad trackers, which they say amount to unfair and deceptive business practices and pose a privacy and security risk to people using the tech giants' mobile devices.

    US Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) and House Representative Sara Jacobs (D-CA) requested on Friday that the watchdog launch a probe into Apple and Google, hours before the US Supreme Court overturned Roe v. Wade, clearing the way for individual states to ban access to abortions. 

    In the days leading up to the court's action, some of these same lawmakers had also introduced data privacy bills, including a proposal that would make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.

    Continue reading
  • Behold this drone-dropping rifle with two-mile range
    Confuses rather than destroys unmanned aerials to better bring back intel, says Ukrainian designer

    What's said to be a Ukrainian-made long-range anti-drone rifle is one of the latest weapons to emerge from Russia's ongoing invasion of its neighbor.

    The Antidron KVS G-6 is manufactured by Kvertus Technology, in the western Ukraine region of Ivano-Frankivsk, whose capital of the same name has twice been subjected to Russian bombings during the war. Like other drone-dropping equipment, we're told it uses radio signals to interrupt control, remotely disabling them, and it reportedly has an impressive 3.5 km (2.17 miles) range.

    "We are not damaging the drone. With communication lost, it just loses coordination and doesn't know where to go. The drone lands where it is jammed, or can be carried away by the wind because it's uncontrollable,"  Kvertus' director of technology Yaroslav Filimonov said. Because the downed drones are unharmed, they give Ukrainian soldiers recovering them a wealth of potential intelligence, he added.  

    Continue reading

Biting the hand that feeds IT © 1998–2022