In February, attackers attempted to steal $951 million using the SWIFT wire transfer system by submitting transfer requests from the Central Bank of Bangladesh to the New York Federal Reserve. Before the cyber burglary was detected, the attackers escaped with $81 million by channeling and laundering the funds through a bank account in the Philippines. Most transfers were thwarted for some unexplained reason.
Reuters reported details of the cyber heist based on an interview with defense contractor and security researcher BAE Systems. It was not clear whether BAE Systems was working independently, for SWIFT or for the Bangladesh Bank. The report reveals that the SWIFT software has the same design flaws as the Target point of sale (POS) system. Both recklessly relied on the assumption of an impenetrable security perimeter. The fault appears to be SWIFT’s, if BAE is correct in its report that “the malware registers itself as a service and runs in an environment running SWIFT’s Alliance software suite, powered by an Oracle database”.
New or modified malicious code that had at least one different MD5 hash was allowed to register, load, and execute without detection. The malware should not have been able to run, and the SWIFT security team should have been informed. This is what happened when attackers exploited retailer Target’s point of sale system, exposing 40 million credit card numbers and IDs. Much like the Target exploit, once attackers breached perimeter defenses, poor security policies allowed them to run whatever malware they wanted.
The vulnerabilities allowed attackers to insert malicious binaries into SWIFT’s client software, Alliance Access, which was exposed to attacks by the weak cyber defenses at the Bangladesh Bank. The bank operated its network without a firewall and used second-hand switches and routers that cost around $10 each. After breaching the bank, the criminals took control of SWIFT credentials and logged in, which allowed them to install malware and perform illicit transfers. The .DLL extension on the malware files indicates that Alliance Access runs on Windows platforms. It will be interesting to learn whether that includes Windows XP, as it did in the Target breach.
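The control the two paragraphs above say was missing is a default-deny integrity check on the binaries of a messaging host: anything new or altered is refused and reported rather than allowed to register as a service. The following is an added illustration of that check, not code from SWIFT, BAE Systems or the article; the file paths and file contents are constructed stand-ins, the only name taken from the article is evtdiag.exe, and SHA-256 is used in place of the MD5 the article mentions because MD5 collisions are cheap to produce.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "new", "modified" or "missing"
    digest: str


def digest(data: bytes) -> str:
    """SHA-256 of the file contents (chosen over MD5, which is collision-prone)."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(approved: dict[str, bytes]) -> dict[str, str]:
    """Record the digest of every binary the change process has signed off on."""
    return {path: digest(data) for path, data in approved.items()}


def audit(baseline: dict[str, str], observed: dict[str, bytes]) -> list[Finding]:
    """Compare what is on disk with the baseline; anything new, changed or gone is a finding."""
    findings: list[Finding] = []
    for path, data in observed.items():
        d = digest(data)
        if path not in baseline:
            findings.append(Finding(path, "new", d))
        elif baseline[path] != d:
            findings.append(Finding(path, "modified", d))
    for path, d in baseline.items():
        if path not in observed:
            findings.append(Finding(path, "missing", d))
    return findings


def may_execute(baseline: dict[str, str], path: str, data: bytes) -> bool:
    """Default-deny: a binary may run only if both its path and its digest are in the baseline."""
    return baseline.get(path) == digest(data)


# Constructed sample: invented stand-ins for the approved binaries of a messaging host.
# These are not SWIFT's real file names or contents.
APPROVED = {
    r"C:\Alliance\bin\core.dll": b"approved core build 1.0",
    r"C:\Alliance\bin\dbbridge.dll": b"approved db bridge build 1.0",
}
BASELINE = build_baseline(APPROVED)

# Constructed "after" state: one approved DLL was altered in place and an
# unapproved executable appeared next to the suite.
OBSERVED = {
    r"C:\Alliance\bin\core.dll": b"approved core build 1.0",
    r"C:\Alliance\bin\dbbridge.dll": b"approved db bridge build 1.0 + patched",
    r"C:\Alliance\bin\evtdiag.exe": b"unapproved binary registering as a service",
}


def demo() -> list[Finding]:
    """Run the audit over the constructed sample; returns the two findings."""
    return audit(BASELINE, OBSERVED)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:9} {f.path}  sha256={f.digest[:16]}...")
    print("evtdiag.exe may execute:",
          may_execute(BASELINE, r"C:\Alliance\bin\evtdiag.exe", OBSERVED[r"C:\Alliance\bin\evtdiag.exe"]))
```

The design point is the order of operations: the baseline is consulted before a binary is allowed to register or load, and a finding of kind "new" or "modified" is what should reach the security team, not a log line written after the service is already running.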
SWIFT update and warning
Natasha de Teran, who LinkedIn lists as head of corporate affairs at SWIFT, told Reuters that SWIFT is aware of malware targeting Alliance Access. She said SWIFT would today issue an update and a warning to the 11,000 banks and financial institutions around the world that are using or may use the software. It appears the warning could be for these companies to double down on perimeter defenses and physical security as SWIFT rewrites Alliance Access to incorporate security policies.
SWIFT seems confident that its main messaging services that connect banks around the world have not been compromised as these have not been affected by the update. The update improves the security of Alliance Access and will detect inconsistencies in the local database records.
The attackers’ transfers were not caught by fraud prevention measures because their malware, running inside the bank as evtdiag.exe, deleted the database records of the fraudulent transfers carried out at the Central Bank of Bangladesh. The malware also filtered out incoming transfer confirmations, preventing database updates and the printing of transfer confirmations.
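Both tricks described above, deleting local transfer records and suppressing incoming confirmations, only work when the operator's own database is the sole record of what was sent. The reconciliation below is an added example of the inconsistency check such a database needs, not SWIFT's update or BAE's code: it compares the local records against two sources the messaging host cannot write to, an independent capture of outgoing messages and the counterparty's acknowledgements. The transfer references, amounts and the idea of a separate gateway log are constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Reconciliation:
    deleted_locally: list[str] = field(default_factory=list)      # left the gateway, no local record
    confirmed_unrecorded: list[str] = field(default_factory=list) # acknowledged by counterparty, no local record
    unconfirmed: list[str] = field(default_factory=list)          # recorded locally, never acknowledged
    amount_mismatch: list[str] = field(default_factory=list)      # local and gateway disagree on the amount
    unexplained_outflow: int = 0                                  # total of deleted_locally, in minor units


def reconcile(local_records: dict[str, int],
              gateway_log: dict[str, int],
              confirmations: set[str]) -> Reconciliation:
    """
    local_records: reference -> amount, as the operator's database currently shows it.
    gateway_log:   reference -> amount, captured append-only where messages leave the
                   institution, out of reach of the messaging host (assumed to exist).
    confirmations: references the counterparty has acknowledged back to the institution.
    """
    result = Reconciliation()
    for ref, amount in sorted(gateway_log.items()):
        if ref not in local_records:
            result.deleted_locally.append(ref)
            result.unexplained_outflow += amount
        elif local_records[ref] != amount:
            result.amount_mismatch.append(ref)
    for ref in sorted(confirmations):
        if ref not in local_records:
            result.confirmed_unrecorded.append(ref)
    for ref in sorted(local_records):
        if ref not in confirmations:
            result.unconfirmed.append(ref)
    return result


def is_consistent(r: Reconciliation) -> bool:
    """True only when every independent source agrees with the local database."""
    return not (r.deleted_locally or r.confirmed_unrecorded or r.amount_mismatch)


# Constructed sample. The local database has lost two records; the gateway capture
# and the counterparty's acknowledgements still show them.
LOCAL = {"TX-0001": 20_000_000, "TX-0002": 5_000_000}
GATEWAY = {"TX-0001": 20_000_000, "TX-0002": 5_000_000,
           "TX-0003": 12_500_000, "TX-0004": 7_250_000}
CONFIRMED = {"TX-0001", "TX-0003", "TX-0004"}


def demo() -> Reconciliation:
    """Reconcile the constructed sample; returns the findings."""
    return reconcile(LOCAL, GATEWAY, CONFIRMED)


if __name__ == "__main__":
    r = demo()
    print("deleted locally:      ", r.deleted_locally)
    print("confirmed, unrecorded:", r.confirmed_unrecorded)
    print("unconfirmed:          ", r.unconfirmed)
    print("unexplained outflow:  ", r.unexplained_outflow)
    print("consistent:           ", is_consistent(r))
```

"unconfirmed" on its own is normal operational noise (a confirmation may simply be late), which is why it does not fail the consistency check; a reference that a counterparty has acknowledged but the local database has never seen is the signal that records were removed or confirmations were intercepted, and it cannot be hidden by malware that only controls the host holding the local database.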
BAE has published more details in its blog post today, which formed the basis of the Reuters story.
Copyright © 2016 IDG Communications, Inc.