[BreachExchange] SWIFT Attacks: Hackers Strike Again

Inga Goddijn inga at riskbasedsecurity.com
Wed May 18 22:25:55 EDT 2016


http://www.investopedia.com/articles/markets/051816/swift-attacks-hackers-strike-again.asp?partner=YahooSA

Attackers have once again pushed fraudulent transfers through the world's
largest system for moving funds between banks. The Society for Worldwide
Interbank Financial Telecommunication (SWIFT) is a cooperative owned by
roughly 3,000 financial institutions and carries the payment messages
exchanged between them.

Vietnam's Tien Phong Bank (TPBank) identified itself last week as the second
victim of an attack abusing SWIFT. TPBank said it detected the attempt in
time to block the transfers, and that the fraudulent transfer requests were
sent through infrastructure supplied by an outside vendor.

SWIFT said that its own network was not compromised; the attackers operated
inside the customer's environment. SWIFT has urged its customers to review
the controls in their payment environments, along with all of their
messaging, payments, and e-banking channels.

J.P. Morgan Takes Action

J.P. Morgan Chase & Co. is the first major bank to announce measures in
response to the SWIFT-related breaches. The bank restricted which employees
can access SWIFT, reducing the number of accounts an attacker could abuse.

Connections to Bangladesh and Sony

Although the attacks on SWIFT customers initially appeared to be isolated
incidents, BAE Systems
<http://baesystemsai.blogspot.com/2016/05/cyber-heist-attribution.html>
reports that the malware used in the Bangladesh Bank heist in February and
in the recent Vietnamese attack share several traits: the names of the
malicious executables, the internal structure of the code, and a distinctive
routine used to wipe files and cover the attackers' tracks.

BAE Systems also found links to the malware from the 2014 attack on Sony
Pictures, which was analysed in the Operation Blockbuster report. The
similarities include shared typos and the same development environment. In
the Sony malware, "Mozilla" was misspelled "Mozillar." In the Bangladesh
case, a misspelling of "foundation" as "fandation" in a payment instruction
prompted a correspondent bank to query the transfer and helped halt the
remainder of an attempted transfer of nearly $1B. In the Vietnamese attack,
the malware contains "FilleOut" instead of "FileOut." The samples from all
three attacks were built exclusively with Visual C++ 6.0, a development
environment released in 1998.
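The two kinds of artefact BAE used above, misspelled strings and the compiler that built the binary, are cheap to check across a pile of suspect files. The script below is an added example written for this post; it is not from the article, from BAE Systems, or from any bank. It searches each buffer for the two misspellings the article attributes to malware ("Mozillar" and "FilleOut"; "fandation" was in a payment instruction, not a binary, so it is left out), and reads MajorLinkerVersion/MinorLinkerVersion from the PE optional header, where Visual C++ 6.0 leaves 6.0. Treating a 6.0 linker version as a "possible VC6 build" flag is an assumption of this example and a weak signal on its own. The sample files are constructed byte strings shaped like PE headers, not real executables.

```python
"""Triage PE files for misspelled strings and a Visual C++ 6.0 linker stamp."""
import struct

# Misspellings the article attributes to malware samples (example indicators).
SUSPECT_STRINGS = [b"Mozillar", b"FilleOut"]

# Assumption: a PE optional header with MajorLinkerVersion=6, MinorLinkerVersion=0
# is flagged as a possible Visual C++ 6.0 build. This is a weak indicator alone.
VC6_LINKER = (6, 0)


def pe_linker_version(data: bytes):
    """Return (major, minor) linker version from the PE optional header,
    or None if the buffer is not a well-formed PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if e_lfanew + 4 + 20 + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20          # skip signature and 20-byte COFF file header
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    return (major, minor)


def find_suspect_strings(data: bytes):
    """Return indicator strings present in the buffer as ASCII or UTF-16LE."""
    hits = []
    for s in SUSPECT_STRINGS:
        if s in data or s.decode().encode("utf-16-le") in data:
            hits.append(s.decode())
    return hits


def triage(samples: dict):
    """String hits are strong evidence; a VC6 linker stamp alone is only weak."""
    report = {}
    for name, data in samples.items():
        strings = find_suspect_strings(data)
        linker = pe_linker_version(data)
        if strings:
            verdict = "review"
        elif linker == VC6_LINKER:
            verdict = "weak"
        else:
            verdict = "clean"
        report[name] = {"strings": strings, "linker": linker, "verdict": verdict}
    return report


def build_fake_pe(linker=(6, 0), payload=b"") -> bytes:
    """Constructed test data: a minimal PE-shaped byte string (not runnable)
    with the given linker version and arbitrary bytes appended."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB", 0x10B, *linker) + b"\0" * (0xE0 - 4)
    return dos + b"PE\0\0" + coff + opt + payload


# Constructed samples for the demonstration.
SAMPLES = {
    "sample_a.exe": build_fake_pe((6, 0), b"User-Agent: Mozillar/4.0\0"),
    "sample_b.exe": build_fake_pe((6, 0), "FilleOut".encode("utf-16-le")),
    "sample_c.exe": build_fake_pe((14, 0), b"User-Agent: Mozilla/5.0\0"),
    "sample_d.exe": build_fake_pe((6, 0), b"nothing suspicious here\0"),
    "sample_e.bin": b"not a PE file at all",
}

if __name__ == "__main__":
    for name, row in triage(SAMPLES).items():
        print(f"{name:14} linker={row['linker']} strings={row['strings']} -> {row['verdict']}")
```

Run it and the two files carrying the misspellings come back "review", the VC6 build with no string hit comes back "weak", and the modern build and the non-PE blob come back "clean". In practice the string list would be far longer and the linker check is only useful in combination with other evidence, exactly as BAE used it.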

The Vietnamese attack also introduced features not seen in the others. Its
cover-up component showed detailed knowledge of the software and systems the
bank used to process the transfers. The attackers also deployed a trojanized
version of the PDF reader that bank staff used to review transaction
confirmations; it detects when the fraudulent transactions are being
examined and shows staff altered data instead.

The Bottom Line

While SWIFT's messaging service is used worldwide to move funds, each member
bank is responsible for securing its own environment. In the Bangladesh Bank
case, investigators reported in April that the bank had connected its SWIFT
systems through cheap second-hand switches with no firewall, which made the
February heist easier. SWIFT has already warned its customers; it remains to
be seen whether banks take further action to ramp up their security.