By Matt Middleton-Leal, regional director of UK & Ireland at CyberArk
Banks remain a top target for cyber criminals given the vast potential financial rewards, but their attack methods are not necessarily as sophisticated as one might expect. A persistent and determined attacker will almost certainly be able to find and exploit any given weakness, whether in the form of human error or a network vulnerability.
The recent Bangladesh Central Bank (BCB) heist is believed to have been one of the largest cyber bank robberies of all time. After almost a year spent carefully planning the robbery, $81m was stolen before a spelling error denied the hackers a far greater sum ($1 billion).
The BCB incident bears similarities to the activities of the Carbanak hacking group that allegedly stole more than $1 billion from financial institutions in 2015. In both cases, attackers infiltrated the target network and assumed the highest level of insider access possible. Once inside a bank’s networks, attackers can hide in plain sight and watch internal processes and procedures in order to carry out the next stage of their plan with minimum risk of detection. In the case of Carbanak, this was through fraudulent ATM and cash transactions and money transfers; with BCB, it was in the form of a series of transfer requests across the global banking system.
Meanwhile, Swift – the global financial messaging network – has subsequently warned of a second malware attack targeting a commercial bank, believed to be Vietnam’s Tien Phong Bank. In a statement, Swift noted that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.
From a cybersecurity perspective, whether a breach was caused by hackers, insiders or a combination of the two is, to an extent, irrelevant. What matters is that attention and budget for security are all too often focused on defending the perimeter, allowing blind spots to form and obscuring what’s actually happening inside the network.
Businesses are continuously failing to deal with attackers that exploit both human error and network vulnerabilities to cause damage and reap financial gains. While the full impact of the BCB attack was avoided due to the attackers’ mistake, relying on poor spelling should not be a security policy.
It is clear that there were multiple privileged accounts involved in such attacks. They include both the accounts of system administrators and application accounts that would enable an attacker to operate inside the network, but also the accounts of those bank officials who have the permissions to initiate such high-volume transfers. Attackers commonly look for the credentials that would enable them to reach their goals, which change and evolve in the course of attackers’ activity in the network.
Failure to secure these powerful credentials and monitor their activity exposes a bank’s network to a whole range of attacks and prevents any chance of successful mitigation. If the BCB had been monitoring the activity of these accounts, it could have quickly identified the anomalous behaviour and not have been completely reliant on the Federal Reserve Bank of New York, Deutsche Bank, or any other third party to flag suspicious activity.
Network weaknesses are no secret; well-known vulnerabilities are being exploited time and again. For instance, in the latest incident, the failure to secure the privileged credentials that allow authorised SWIFT users or IT personnel at the bank to access SWIFT-connected systems resulted in a complete loss of control. If hackers can move around freely once inside a network, working out how to circumvent transactional checks and balances and gaining ever higher levels of access to the keys to the kingdom, then whatever an organisation may have spent to secure its network is wasted. As we saw in the Bangladesh heist, simply gaining control of a printer ensured staff were unable to see the fraudulent transactions, which would have been revealed in the daily transaction list, and consequently the attack went undetected until it was too late.
We can expect attacks of this nature against financial institutions to become more aggressive and cyber attackers in general to become bolder and more audacious, going after bigger targets for greater sums. Financial institutions must take the necessary steps to prevent attackers from using their own internal credentials against them to operate inside the network and achieve their nefarious goals. Employing multi-factor authentication, controlling and monitoring the use of privileged accounts, detecting potentially malicious behaviour and quickly responding to alerts should be at the centre of the security practices employed by organisations to mitigate such attacks.
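The privileged-account monitoring argued for above (in the paragraph on the BCB accounts and in the closing recommendations), as an added example that is not from the article or from CyberArk: it builds a per-account baseline from constructed activity log lines and flags any later event that deviates from it (a new source host, a new action, an amount above the account's historical maximum, or activity outside business hours). The log format, account names, host names and amounts are all assumptions made for the example.

```python
# Baseline-and-deviation check over constructed (not real) privileged-account
# log lines: <ISO timestamp> <account> <source host> <action> <amount>
from datetime import datetime
BASELINE_LOG = """\
2016-01-11T09:15:00 swift.op1 WS-SWIFT-01 payment.create 120000
2016-01-13T14:05:00 swift.op1 WS-SWIFT-02 payment.create 200000
2016-01-14T17:20:00 sysadmin JUMP-01 printer.config 0
"""
# Constructed incident: a night-time transfer from an unseen host, far above the
# operator's historical maximum, then the admin account disabling the printer.
INCIDENT_LOG = """\
2016-02-04T11:00:00 swift.op1 WS-SWIFT-01 payment.create 110000
2016-02-04T23:12:05 swift.op1 WS-SWIFT-09 payment.create 20000000
2016-02-04T23:14:40 sysadmin WS-SWIFT-09 printer.disable 0
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, account, host, action, amount = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "action": action, "amount": int(amount)})
    return events

def build_baseline(events):
    """Per account: hosts and actions seen, and the largest single amount."""
    base = {}
    for e in events:
        b = base.setdefault(e["account"], {"hosts": set(), "actions": set(), "max_amount": 0})
        b["hosts"].add(e["host"])
        b["actions"].add(e["action"])
        b["max_amount"] = max(b["max_amount"], e["amount"])
    return base

def detect(baseline, events, business_hours=(8, 18)):
    """Return (event, reasons) for each event that deviates from its baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["account"]) or {"hosts": (), "actions": (), "max_amount": 0}
        reasons = []
        if e["host"] not in b["hosts"]:
            reasons.append("new source host " + e["host"])
        if e["action"] not in b["actions"]:
            reasons.append("new action " + e["action"])
        if e["amount"] > b["max_amount"]:
            reasons.append(f"amount {e['amount']} above baseline {b['max_amount']}")
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            reasons.append("outside business hours")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Running `detect(build_baseline(parse(BASELINE_LOG)), parse(INCIDENT_LOG))` flags the two night-time events and leaves the routine daytime transfer alone; in practice the baseline would be built from weeks of session records and the findings routed to the alerting pipeline.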