<div dir="ltr"><div><div class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><a href="https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/">https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/</a></div><div dir="ltr"><span style="color:rgb(68,68,68);font-family:"Open Sans",sans-serif;font-size:16px"><br></span></div><div dir="ltr"><span style="color:rgb(68,68,68);font-family:"Open Sans",sans-serif;font-size:16px">A cyberattack against Chile’s largest financial institution last month, which reportedly destroyed 9,000 workstations and 500 servers, was actually cover for a larger plot to compromise endpoints handling transactions on the SWIFT network. When the dust settled on the attacks, investigators said $10 million was stolen from Banco de Chile and funneled off to an account in Hong Kong.</span><br></div><div dir="ltr"><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">On Sunday, the bank’s general manager Eduardo Ebensperger told Chilean media outlet<span> </span><em style="margin:0px;padding:0px;border:0px;vertical-align:baseline"><a href="http://www.latercera.com/pulso/noticia/gerente-general-banco-chile-eduardo-ebensperger-ciberataque-evento-fue-destinado-danar-al-banco-no-los-clientes/198912/" target="_blank" rel="noopener" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(242,38,55);text-decoration:none">Pulso</a> </em>that the<span> </span><a href="https://ww3.bancochile.cl/wps/wcm/connect/nuestro-banco/portal/sala-de-prensa/noticias-y-comunicados/declaracion-publica2" target="_blank" rel="noopener" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(242,38,55);text-decoration:none">late-May attack</a> allowed adversaries to complete four separate fraudulent transactions on the SWIFT system before the heist was discovered.</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">The initial attack was carried out using a <a href="https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/" target="_blank" rel="noopener" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(242,38,55);text-decoration-line:none">wiper malware</a> that Ebensperger described as a “<a href="http://www.latercera.com/pulso/noticia/gerente-general-banco-chile-eduardo-ebensperger-ciberataque-evento-fue-destinado-danar-al-banco-no-los-clientes/198912/" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(242,38,55);text-decoration-line:none">zero-day virus</a>” that had never been seen in the wild. However, <a href="https://www.flashpoint-intel.com/blog/banco-de-chile-mbr-killler-reveals-hidden-nexus-buhtrap/" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(242,38,55);text-decoration-line:none">in report published Tuesday</a> by Flashpoint, analysts discovered that the code is actually a modified version of the Buhtrap malware component known as kill_os. The module renders the local operating system and the Master Boot Record (MBR) unreadable by erasing them.“We found some strange transactions in the SWIFT system (where banks internationally remit their transactions to different countries),” Ebensperger told the outlet. “There we realized that the virus was not necessarily the underlying issue, but apparently [the attackers] wanted to defraud the bank.”</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">After reverse-engineering the codebase, Flashpoint analysts found that the Chile-attack malware, dubbed “MBR Killer,” was identical with only minor modifications to Buhtrap’s kill_os. For instance, the Buhtrap code, which was leaked onto the Dark Web in February, contains an almost identical Nullsoft Scriptable Install System (NSIS) script as the unpacked Banco de Chile malware (NSIS is an open-source system used to build Windows installers).</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">This revelation could potentially help with attribution: The Buhtrap malware and its components, including MBR Killer, were previously used by a Russian-speaking hacker collective in attacks against multiple financial institutions in Russia and the Ukraine, Flashpoint noted.</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">However, the attribution behind the Banco de Chile attack remains uncertain.</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">“It is notable, however, that Chilean financial institutions were targeted entities by the Lazarus Group, which was linked to North Korea, during the compromise of the Polish Financial Supervision Authority website in 2017,” Vitali Kremez, director of research, told Threatpost in an interview. “More specifically, the breached website was filtered to serve payloads to only targeted IP ranges associated with financial institutions of interest to the group.”</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">He added, “the above-referenced indicators point to two possible groups behind – purported North-Korean affiliated group Lazarus and the known Russian-speaking sophisticated criminal <a href="https://www.group-ib.com/brochures/gib-buhtrap-report.pdf" target="_blank" rel="noopener" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(242,38,55);text-decoration:none">group</a><span> </span>Buhtrap.”</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">It’s also possible, researchers said, that it’s an entirely different copycat group making use of Buhtrap’s leaked source code.</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Meanwhile, Ebensperger said that a forensic analysis conducted by Microsoft attributed the attack to either Eastern European or Asian groups. Further, Ofer Israeli, CEO of Illusive Networks, said via email that he too believes the North Korea-linked Lazarus Group, which is thought to have carried out the<span> </span><a href="https://threatpost.com/bangladesh-bank-hackers-accessed-swift-system-to-steal-cover-tracks/117637/" target="_blank" rel="noopener" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(242,38,55);text-decoration:none">SWIFT attacks in Bangladesh</a><span> </span>in 2016, is behind it all.</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">“Targeting financial organizations is part of their long-term strategy and compromising global financial networks via small to medium-sized banks in Central and South America whose cyber-defenses may be less sophisticated poses a higher probability of success,” he explained.</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">In any event, Banco de Chile is the latest victim in a string of cyber-attacks targeting payment transfer systems. For instance, in May, Somewhere between $18 million to $20 million<span> </span><a href="https://threatpost.com/mexicos-banking-system-sees-18m-siphoned-off-in-phantom-transactions/132004/" target="_blank" rel="noopener" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(242,38,55);text-decoration:none">went missing</a><span> </span>during unauthorized interbank money transfers in Mexico’s central banking system.</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">“Third-party providers of payment and transfer systems have become one of the most effective attack vectors for hackers trying to siphon money from banks,” said Fred Kneip, CEO at CyberGRX, via email. “We’ve seen the SWIFT Network under attack for years now, and just last month hackers targeted the Mexican central bank SPEI interbank transfer system.”</p><p style="margin:1.2em 0px;padding:0px;border:0px;vertical-align:baseline;color:rgb(68,68,68);font-size:16px;line-height:1.6em;font-family:"Open Sans",sans-serif;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">He added, “A large international bank has tens of thousands of third parties in their digital ecosystem, but hackers have figured out that it only takes one weak link to make millions of dollars. Understanding the level of risk exposure introduced by all third parties is important, but that becomes even more critical for a Tier 1 partner like a transfer system provider.”</p><br><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span style="font-size:10pt"></span></b><span style="font-size:10pt"></span><span style="font-family:arial,helvetica,sans-serif"></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>