Yet another SE Asia bank hit by a SWIFT credentials hack

Bank network's quick to blame others, notes El Reg source

Cybercrooks have once again broken into the SWIFT financial transaction network and stolen money from another bank.

The breach – victim and amount looted undisclosed – comes as the fallout from February’s $81m Bangladesh reserve bank cyber-heist continues to spread.

The second robbery was uncovered by investigators looking into the looting of funds held by the central bank of Bangladesh at the Federal Reserve Bank of New York.

The second heist involves an unnamed commercial bank but may have been carried out using similar malware in a follow-up attack by the same group of attackers, The New York Times reports.

The NYT adds that SWIFT¹ is due to warn its members that the two attacks shared common characteristics and were likely part of a “wider and highly adaptive campaign targeting banks”, according to a copy of the warning seen by the NYT.

The working theory is that hackers obtained the access credentials needed to send messages on the SWIFT secure financial messaging system, either by successfully infecting terminals on the network of the targeted bank or by using a corrupt bank insider.

In a statement, SWIFT noted that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks.

Each bank is charged with maintaining the security of its links into SWIFT. In the latest case – as in the Bangladeshi case before it – cybercrooks compromised login credentials that allowed them to send fraudulent messages instructing bank transfers.

The integrity of the SWIFT system as a whole was not compromised. “As a matter of urgency, we remind all customers again to urgently review controls in their payments environments,” SWIFT warns.

A path well trodden

The Bangladeshi case was unprecedented only in terms of the huge loss. Similar credential-theft frauds have happened before.

In the latest case, cyber-thieves used a strain of malware that targeted a PDF reader that the bank used to confirm payments. The malicious code was designed to manipulate these PDFs to “remove traces of the fraudulent instructions.”

In a statement issued on Friday, SWIFT reiterated its previous assurances that neither the latest fraud nor the Bangladeshi case had any “impact on SWIFT network, core messaging services or software”, and once again pointed the finger of blame towards the affected banks.

“In both instances, the attackers have exploited vulnerabilities in banks’ funds transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.

“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both.”

Data Breach Today reports that the new victim is a Vietnamese bank but that remains unconfirmed. To reiterate, SWIFT isn’t saying which bank is affected nor is it quantifying the loss it suffered.

A Register contact who has experience in designing networks that include SWIFT terminals said that the banks affected by the latest run of breaches are likely the authors of their own misfortune.

“SWIFT's whole model is based on being extremely secure,” he explained. “You'll notice that in both of these cases, the comments from SWIFT are quick to mention that it was done using stolen credentials and insider knowledge, but that the security and integrity of the SWIFT infrastructure is fine.”

“That is, they are blaming the organisations that were attacked. They don't want the institutions that connect to the network to lose confidence in its inherent security. Billions of dollars in transactions cross this network daily,” our source added.

Other security experts have argued that banks that link to the SWIFT network should roll out two-factor authentication, a commonly used security mechanism that means that passwords alone are insufficient to access sensitive systems (a hardware token or registered smartphone is also needed). Our techie cautioned that introducing this type of control might not be as straightforward as some are keen to suggest.

“The end terminal is the most vulnerable part of the system, so this makes sense as an attack method,” our contact told El Reg. “That's why good security practices put that device on some sort of internal DMZ, firewalled off from everything else. I would recommend that for any internal connection to a third party network, even more so for one that is so sensitive.”

“The attackers in both of these incidents appear to have used stolen user credentials. Some people have already started blaming SWIFT for not using some sort of two-factor authentication. But that would be awkward for many of their clients because at least some of the transactions are automated, initiated by a computer program rather than a person,” he concluded.

Matthias Maier, a security evangelist at Splunk, argued that banks should redouble their efforts to monitor their networks for the presence of malware, particularly a strain linked by security researchers at BAE Systems to the Bangladeshi hack.

“The second cyber attack revealed by SWIFT in as many months is a wake-up call for banks across the globe,” Maier said. “These are not isolated incidents. Serious investigations must follow given the custom-built nature of the malware used in these attacks. It appears to have been created by someone with an intimate knowledge of how the SWIFT software works as well as its business processes, which is cause for concern. However, basic system monitoring at the bank would have stopped this at the server endpoint by tracking system changes in real time, triggering alerts to analysts.”

“Other banks participating in the SWIFT network now need to compare the indicators of compromise shared by BAE Systems with the data generated by their own environment to understand whether or not they have also been affected and how to respond effectively,” he added.


¹ SWIFT is the Society for Worldwide Interbank Financial Telecommunication.
