Lessons learned from the “SWIFT” Attack

Hello,

Unfortunately, somewhere in the world a big party must be going on. In February, hackers successfully compromised a bank in Bangladesh that is connected to the SWIFT network, stealing $81 million, as reported by Reuters earlier this week. While the computer systems in Bangladesh seem to have missed a number of IT security best practices, the incident shows that a connected system, even one designed to be closed, can be compromised through its weakest supplier, which compromises the whole system.

Source: BAE SYSTEMS


 

It’s mind-blowing to see how much subject matter expertise the hackers must have had about the SWIFT system.

Have we seen this attack in our network, too?

The chances are quite high that someone will attempt to use the same malware within one of the other 11,000 financial institutions participating in the SWIFT network, and the malware could be reused in the future. As a result, these financial institutions need to closely monitor their SWIFT servers. BAE Systems did a great job analyzing malware that was submitted to malware repository websites, and the analysis indicated a sophisticated process involving SWIFT transfers.

Indicators of compromise to review in your machine data for the malware BAE Systems analyzed:

In your Network Traffic / Firewall Data / Proxy:

| Command and Control IP Address | Geo Location |
|---|---|
| 196.202.103.174 | Egypt |

In your Endpoint Data / Sysmon / Carbon Black / THOR Scanner:

| SHA1 | Compile time | Size (bytes) | Filename |
|---|---|---|---|
| 525a8e3ae4e3df8c9c61f2a49e38541d196e9228 | 2016-02-05 11:46:20 | 65,536 | evtdiag.exe |
| 76bab478dcc70f979ce62cd306e9ba50ee84e37e | 2016-02-04 13:45:39 | 16,384 | evtsys.exe |
| 70bf16597e375ad691f2c1efa194dbe7f60e4eeb | 2016-02-05 08:55:19 | 24,576 | nroff_b.exe |
| 6207b92842b28a438330a2bf0ee8dcab7ef0a163 | N/A | 33,848 | gpca.dat |

Applying best practice system protection for the future


Attackers might recompile the binaries so that hash values or filenames change. They might also use new command and control servers. This means that just applying the known indicators of such a compromise won’t protect you in the future. To detect attacks early, you need to make sure you have applied the CIS Top 20 Critical Security Controls (formerly SANS Top 20) to the SWIFT servers within your environment. You can review a 2016 updated version here, as well as learn how you can monitor enforcement continuously with Splunk.

 

BAE Systems also explained which files and binaries had been accessed. This should lead you to enable additional logging for process tracking on the SWIFT servers and to create baselines so that new processes accessing new files stand out. Behavior that has never been seen before, such as a new process or new network communication on unknown ports or to a rare IP address, could be an early indicator of an attack and needs to be reviewed to ensure that it doesn’t become a breach.
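The two approaches above (matching the known indicators, then baselining processes and connections) can be compared side by side. This is an added example, not code from this post, BAE Systems or Splunk; the event field names, the host name `swift-srv01`, the file paths, ports and all sample events are constructed assumptions.

```python
# Added example. Event field names and all sample events are constructed.
IOC_SHA1 = {  # SHA1 values from the indicator table above
    "525a8e3ae4e3df8c9c61f2a49e38541d196e9228",
    "76bab478dcc70f979ce62cd306e9ba50ee84e37e",
    "70bf16597e375ad691f2c1efa194dbe7f60e4eeb",
    "6207b92842b28a438330a2bf0ee8dcab7ef0a163",
}
IOC_IPS = {"196.202.103.174"}

def build_baseline(events):
    """Record which processes and process-to-destination pairs were seen per host."""
    procs, conns = set(), set()
    for e in events:
        image = e["image"].lower()
        procs.add((e["host"], image))
        if e.get("dest_ip"):
            conns.add((e["host"], image, e["dest_ip"], e["dest_port"]))
    return procs, conns

def review(events, baseline):
    """Return (host, image, reasons) for every event that needs an analyst's look."""
    procs, conns = baseline
    findings = []
    for e in events:
        image, reasons = e["image"].lower(), []
        if (e.get("sha1") or "").lower() in IOC_SHA1:
            reasons.append("ioc_sha1")
        if e.get("dest_ip") in IOC_IPS:
            reasons.append("ioc_ip")
        if (e["host"], image) not in procs:
            reasons.append("new_process")
        if e.get("dest_ip") and (e["host"], image, e["dest_ip"], e["dest_port"]) not in conns:
            reasons.append("new_connection")
        if reasons:
            findings.append((e["host"], image, reasons))
    return findings

def ev(image, sha1, dest_ip=None, dest_port=None, host="swift-srv01"):
    return {"host": host, "image": image, "sha1": sha1, "dest_ip": dest_ip, "dest_port": dest_port}

# Constructed events: a known-good period, then a day to review.
KNOWN_GOOD = [ev(r"C:\Apps\interface.exe", "a" * 40, "192.0.2.10", 443)]
TODAY = [
    ev(r"C:\Apps\interface.exe", "a" * 40, "192.0.2.10", 443),  # normal activity
    ev(r"C:\Temp\evtdiag.exe", "525a8e3ae4e3df8c9c61f2a49e38541d196e9228",
       "196.202.103.174", 443),                                  # known indicators
    ev(r"C:\Temp\diag2.exe", "b" * 40, "203.0.113.9", 8443),    # recompiled, new server
]

if __name__ == "__main__":
    for finding in review(TODAY, build_baseline(KNOWN_GOOD)):
        print(finding)
```

The third event matches none of the published indicators and is flagged only because the process and its destination are absent from the baseline.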

Br

Matthias