The use of stolen credentials is a hot commodity this year, allowing threat actors to move laterally within a network in order to avoid breach detection.
In a recent interview with Bangladesh Bank spokesman Subhankar Saha, The Wall Street Journal (WSJ) reported that about $100 million was taken out of the bank’s account with the Federal Reserve Bank of New York early in February using an interbank messaging system known as SWIFT (Society for Worldwide Interbank Financial Telecommunications). It appears that the hackers stole Bangladesh Bank’s credentials for the SWIFT messaging system.
The New York Fed said Tuesday the transfer requests were “fully authenticated” with the correct bank codes and appeared to come from servers belonging to the Bangladesh Bank—the South Asian nation’s central bank—in the capital, Dhaka. —WSJ
According to Investopedia, the SWIFT messaging system is “a messaging network that financial institutions use to securely transmit information and instructions through a standardized system of codes”.
SWIFT sends messages for a wide variety of actions, including securities transactions and treasury transactions, and is not exclusive to banks — SWIFT also provides services to the following:
- Brokerage Institutes and Trading Houses
- Securities Dealers
- Asset Management Companies
- Clearing Houses
- Depositories
- Exchanges
- Corporate Business Houses
- Treasury Market Participants and Service Providers
- Foreign Exchange and Money Brokers
The case highlights the threat to any institution — government or private — from criminals mounting cyber attacks using real bank codes so orders seem genuine. — Bloomberg
Not so swift
On February 5 the hackers sent more than thirty requests to the Federal Reserve Bank of New York using the Bangladesh Bank’s SWIFT code. The first four requests resulted in successful transfers of approximately $81 million. However, the fifth transfer, for $20 million, raised a red flag when the hackers misspelled Shalika “Foundation” as Shalika “fandation.” Reuters reported last Thursday that it could not find an NGO under the name Shalika Foundation in the list of registered Sri Lankan non-profits.
While routing the funds, Deutsche Bank staff picked up on the typo and contacted Bangladesh Bank for clarification. Though the unknown hackers had attempted to steal $950 million, the combination of one typo and bank staff scrutiny brought this bank heist to a screeching halt.
Investigators of the Bangladeshi hack believe that the attackers had considerable knowledge of the central bank’s workings, perhaps gained by spying on its workers, but came from outside the country. —Ars Technica
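The heist was stopped by two controls the post describes in passing: a human noticing that a beneficiary name did not match any registered organisation, and scrutiny of an unusual burst of transfer requests. The following is an added example (not code from the original post, Fortscale, or any bank) of how a payment-screening step can automate both checks: beneficiary names are compared against a registry with an edit-distance tolerance so that a near-miss such as “fandation” is held for review rather than released, and the number of requests per originator per value date is counted against a ceiling. The registry, the originator codes (`ORIGBANKXX`, `OTHERBNKXX`), the amounts, and the thresholds are all constructed placeholders, not data from the incident.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the incident): a registry of known
# beneficiaries standing in for the list of registered non-profits that
# Reuters checked, and a small batch of outbound transfer requests.
REGISTERED_BENEFICIARIES = {
    "SHALIKA FOUNDATION",
    "COLOMBO RELIEF TRUST",
    "EXAMPLE TRADING HOUSE",
}


@dataclass(frozen=True)
class TransferRequest:
    request_id: str
    originator_bic: str   # sending institution's bank code; placeholder values below
    beneficiary: str
    amount_usd: float
    value_date: date


SAMPLE_BATCH = [
    TransferRequest("R1", "ORIGBANKXX", "Colombo Relief Trust", 5_000_000, date(2016, 2, 5)),
    TransferRequest("R2", "ORIGBANKXX", "Example Trading House", 7_500_000, date(2016, 2, 5)),
    TransferRequest("R3", "ORIGBANKXX", "Shalika fandation", 20_000_000, date(2016, 2, 5)),
    TransferRequest("R4", "ORIGBANKXX", "Unlisted Shell Co", 20_000_000, date(2016, 2, 5)),
    TransferRequest("R5", "OTHERBNKXX", "Colombo Relief Trust", 1_000, date(2016, 2, 5)),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small value between a submitted
    name and a registered one is the signature of a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name: str) -> str:
    """Case- and whitespace-insensitive form used for registry lookups."""
    return " ".join(name.upper().split())


def screen_beneficiary(name, registry=REGISTERED_BENEFICIARIES, max_typo_distance=2):
    """Return (verdict, closest_registered_name).

    verdict is 'match', 'near-match' (probable misspelling: hold for a human),
    or 'unknown' (nothing in the registry resembles it: hold)."""
    n = normalise(name)
    if n in registry:
        return "match", n
    closest = min(registry, key=lambda r: levenshtein(n, r))
    if levenshtein(n, closest) <= max_typo_distance:
        return "near-match", closest
    return "unknown", closest


def velocity_alerts(requests, max_per_day):
    """Originators that submitted more requests on one value date than allowed,
    mapped to the number they submitted."""
    counts = Counter((r.originator_bic, r.value_date) for r in requests)
    return {key: n for key, n in counts.items() if n > max_per_day}


def screen_batch(requests, max_per_day=3):
    """Decide 'release' or 'hold' for each request, with the reasons for a hold."""
    bursts = velocity_alerts(requests, max_per_day)
    decisions = {}
    for r in requests:
        reasons = []
        verdict, closest = screen_beneficiary(r.beneficiary)
        if verdict == "near-match":
            reasons.append(f"beneficiary '{r.beneficiary}' resembles registered '{closest}'")
        elif verdict == "unknown":
            reasons.append(f"beneficiary '{r.beneficiary}' is not a registered beneficiary")
        key = (r.originator_bic, r.value_date)
        if key in bursts:
            reasons.append(f"{bursts[key]} requests from {r.originator_bic} on {r.value_date}")
        decisions[r.request_id] = ("hold" if reasons else "release", reasons)
    return decisions


if __name__ == "__main__":
    for rid, (decision, reasons) in screen_batch(SAMPLE_BATCH).items():
        print(rid, decision, "; ".join(reasons))
```

With the constructed batch, R3 is held for both reasons (its beneficiary is two edits away from a registered name, and its originator exceeded the daily ceiling), R4 is held as an unknown beneficiary, and R5 is released. The edit-distance tolerance is deliberately small: a large tolerance would wave through names that merely resemble a registered one, which is the opposite of what the review queue is for.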
Malware suspected
Investigators believe that unidentified malware initially infected the central bank’s computer systems, pointing to a Trojan RAT or possibly a zero-day vulnerability. The malware would have enabled surveillance so that the hackers could observe banking processes.
Stolen credentials
Stolen credentials are a hot commodity this year because they allow threat actors to move laterally within the network in order to avoid breach detection. According to Verizon’s 2015 Data Breach Investigations Report, the use of stolen credentials has been the leading attack vector since 2010. Verizon states in the report that “there’s no getting around the fact that credentials are literally the keys to the digital kingdom.”
Since the bank transfers were not officially noticed until Deutsche Bank found the typo, what could the grand takeaway (in financial gain) for the hackers have been if the typographical error had never been discovered?
This post originally appeared at the Fortscale Insider Blog.