
A network breach occurs when an attacker successfully infiltrates a network to access data and extract or manipulate sensitive information. Such breaches may happen physically, by gaining access to a computer or network to steal local files, or remotely, by bypassing network security. The latter is the more frequently used method, especially against companies with strong physical security within their facilities.

Many times we have woken up to news headlines of banks losing millions of dollars through cyber-attacks. It seems like a golden age for such bank robberies. Judging from the frequent media headlines, cyber-attacks on banks seem to have high payoffs and a relatively low risk of detection, so more criminals have been inspired to ‘go online.’ While some criminal groups are caught and brought before the law, more groups keep springing up with even more sophisticated attack techniques.
We have to agree that the cyber world is changing quickly, with new security measures installed through updates to existing systems. However, criminals have proved to adapt just as quickly. They are always on the lookout for newly published vulnerabilities, which they exploit before the bank's security teams have installed the updates. On the dark web, members freely exchange these techniques and purchase software for conducting such attacks. They can also collaborate with unethical, ill-intentioned bank employees and money launderers to complete an attack. If well planned, an attacker can make away with millions of dollars by breaching the bank's network, even though such networks might seem well protected.

Thinking along these lines, many questions come to mind: what is the state of network security at banks? How do hackers breach such systems? What security flaws allow hackers to penetrate the systems and get away with their crimes unnoticed? And most importantly, how can banks stop, or at least mitigate, this vice? Let's find out.

Examples of attacks

Eastern European Bank Attacks
The attacks known as DarkVishnya occurred in early 2017 and affected at least eight banks in Eastern Europe. They were a series of sudden attacks targeting card processing at the affected banks. The attackers managed to penetrate the banks' infrastructure, accessed the card processing systems and increased card overdraft limits. They also disabled the banks' anti-fraud systems that would have notified the bank of suspicious transactions. While holding the banks' systems in this state, their accomplices were busy withdrawing huge amounts of money from ATMs in other countries. The average amount of money stolen in each withdrawal attempt was approximately $5 million. A similar tactic had been used before by the Metel gang, who penetrated the target banks' infrastructure, cancelled card transactions and reset balances. Meanwhile, their accomplices moved from one ATM to another, making away with millions of Russian rubles.

According to Kaspersky's research findings, one thing remained constant in all these attacks: the attacker connected a device to the local network, for instance in one of the meeting rooms. In some cases the device was hidden or blended into the surroundings to avoid raising suspicion. The devices were of different types, such as a netbook or inexpensive laptop, a Raspberry Pi computer, or a Bash Bunny.

Far Eastern International Bank Attack in Taiwan

This attack happened in October 2017 and the attackers managed to steal about $60 million. Reporting on the matter, Taiwan's Financial Regulatory Commission confirmed that it was a malware attack and that the hackers used fraudulent money-moving messages sent via the SWIFT interbank messaging network. Over 11,000 financial institutions across 200 countries and territories use the interbank messaging system of the Brussels-based SWIFT cooperative for international and domestic transfers of funds. A similar attack had previously been conducted in February 2016 at Far Eastern International Bank. Again, the hackers managed to install malware on the bank's computers. This malware allowed them to subvert SWIFT's client software and inject fraudulent money-moving requests into the SWIFT interbank messaging network. The cybercriminals attempted to steal $952 million from the bank's account at the Federal Reserve of New York, but ultimately walked away with $81 million.

The attack by MoneyTaker gang on financial institutions in Russia and in the United States

The last example in this category is the attack on financial institutions in the United States and Russia by a group of cybercriminals later referred to as the MoneyTaker gang. This gang carried out a series of attacks over a year and a half. The attackers penetrated card processing and interbank transfer systems and stole a total of about $1.76 million.
What is the Typical Attack Scheme?

Attackers choose their targets depending on three factors: the tools available to them, their level of expertise, and their knowledge of internal banking processes. Regardless, attackers operate in a few basic stages that run from the beginning of the attack until their goal is achieved and their safety afterwards is assured. Kaspersky's research identified these stages as survey and preparation, penetrating the internal network, compromising banking systems and stealing funds, and concealing traces.

Survey and Preparation

At this stage the goal is to identify weak spots, or “opportunities”, within the banking system to attack. This stage is usually lengthy and time-consuming. It often involves reconnaissance, with the attacker trying to gather as much relevant information about the bank as possible. Using an external resource is always risky at this stage, so criminals often use passive methods of obtaining information, such as identifying the bank's domain names and addresses. Unscrupulous insiders, that is employees, may also be involved at this stage. The primary information gathered concerns the network perimeter systems and software and the business processes. Other information includes employees' details (emails, names, addresses, telephone numbers and positions) and details about partners and contractors, their employees and their systems. The attacker's preparatory activities at this stage include developing malicious software, preparing phishing emails, setting up infrastructure, and testing the infrastructure and the malicious software.

Breaching the Internal Network

The method most commonly used by attackers to penetrate the network is sending a phishing email. The gangs have realized that banks pay a lot of attention to protecting their network systems, so attacking servers and web applications is both difficult and risky. Email phishing is more effective and has been used by well-known cyber gangs such as the Cobalt gang, Metel, Lazarus, and GCMAN. At this stage hackers can also compromise third-party companies that do not protect their networks well and infect a website that employees of the targeted financial institution often visit. Lazarus and Lurk have used this method before.
Developing the attack and gaining a foothold in the network
Once the criminals have penetrated the network and gained access to the bank's internal network, they seek to obtain local administrator privileges on employee computers so as to continue the attack. Insufficient protection against internal intruders facilitates the success of the attack. The common vulnerabilities include:

➢ Using outdated software versions.
➢ Failing to install OS security updates.
➢ Configuration errors, including excessive user and software privileges and setting local administrator passwords through group policies.
➢ Lack of two-factor authentication for access to critical systems.
➢ Use of dictionary passwords.

Gaining maximum privileges on a host enables the attacker to learn the credentials of logged-in users by reading OS memory. That data can then be used to connect to other computers on the network. Attackers often use local administrator privileges to copy the memory of the lsass.exe process and then extract users' passwords from it with the mimikatz tool. Antivirus software cannot detect such actions because a legitimate tool, such as ProcDump, is used to copy the memory, while mimikatz runs on the attackers' own laptop. Attackers can also use Responder to attack network protocols and intercept credentials.
Attackers normally use legitimate software and built-in OS functions (such as PsExec or RAdmin) to move between hosts. Corporate administrators use these tools on a daily basis, so they are unlikely to raise suspicion. Phishing messages can also be used within the bank, for example emails sent in the name of real employees.

If the attackers manage to gain domain administrator privileges, they can freely manipulate the network to monitor employees' computers and the bank's infrastructure services. At this level, the attackers can gain access to the bank's business systems and banking software. Using Golden Ticket techniques, they can now safely gain a foothold in the system and operate there for a long time. The attackers use fileless malicious code that resides only in RAM, and they add malicious software to the list of startup programs to retain remote control.
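As an added illustration, not part of the original article or of Kaspersky's research, the Python below flags the two behaviours just described, a process outside the expected baseline reading lsass.exe memory and a PSEXESVC service being installed, over a constructed set of events. The key=value event format, the host names and the baseline of expected LSASS readers are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not from any real bank), one event per line, in a
# simplified key=value format assumed for this example. event=10 mimics a Sysmon
# ProcessAccess record; event=7045 mimics the Windows "service was installed" record.
SAMPLE_EVENTS = r"""
host=WS-042 event=10 source_image=C:\Tools\procdump64.exe target_image=C:\Windows\System32\lsass.exe granted_access=0x1FFFFF user=CORP\jsmith
host=WS-042 event=10 source_image=C:\Windows\System32\svchost.exe target_image=C:\Windows\System32\lsass.exe granted_access=0x1000 user=NT AUTHORITY\SYSTEM
host=SRV-CARD01 event=7045 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe user=CORP\jsmith
host=WS-017 event=4624 logon_type=3 user=CORP\jsmith src_ip=10.20.30.42
""".strip()

# key=value pairs; a value runs until the next " key=" token, so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Processes expected to open LSASS on a workstation. This is an assumed baseline;
# a real one is built from the bank's own telemetry.
LSASS_READERS_BASELINE = {"svchost.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def parse_event(line: str) -> Dict[str, str]:
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, rule, user) for every event that matches a rule."""
    hits = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        host, user, event_id = ev.get("host", "?"), ev.get("user", "?"), ev.get("event")
        if event_id == "10" and basename(ev.get("target_image", "")) == "lsass.exe":
            src = basename(ev.get("source_image", ""))
            access = int(ev.get("granted_access", "0"), 16)
            # A memory dump needs VM_READ; an unexpected reader holding it is the ProcDump pattern.
            if src not in LSASS_READERS_BASELINE and access & PROCESS_VM_READ:
                hits.append((host, "lsass-memory-read", user))
        elif event_id == "7045":
            # PsExec installs a service named PSEXESVC on the remote host.
            if ev.get("service_name", "").upper() == "PSEXESVC" or basename(ev.get("image_path", "")) == "psexesvc.exe":
                hits.append((host, "psexec-service-install", user))
    return hits


if __name__ == "__main__":
    for host, rule, user in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} by {user}")
```

The svchost.exe access to LSASS is left alone because it is in the baseline, which is why the baseline must be tuned per environment rather than copied from this example.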

Compromising banking systems and Stealing the Money
After gaining control of the system, the attackers move on to find where the hosts of the target banking systems are located. They examine users' workstations for files indicating that a particular workstation has been used with banking applications. Companies use special software to store passwords for critical systems on the network; attackers with local administrator privileges can copy the memory of such processes and extract the passwords for accessing these applications, or even encrypted databases. From there, they can extract clear-text passwords to fundamental banking applications such as the core banking system and ATM management workstations. The attackers can remain lurking in the system for months or years, just observing the bank's operations and the employees' actions. With these privileges, the attackers can steal funds for as long as they remain in the system, transferring funds to fictitious accounts via interbank payment systems or even to cryptocurrency wallets.
Concealing traces
Attackers conceal their traces within the system to prevent investigators from tracing the attack back to them. Many attackers use RAM-resident malware, but their traces can still be detected within the system. Therefore, some of them opt to erase boot records and partition tables on network hosts, completely disabling them. This method was observed in a series of cryptoware attacks in 2017.
Points of Vulnerabilities
Having understood the process attackers use to carry out their attacks, it is important to understand the points of weakness within banking systems that enable attackers to penetrate the network.
Network perimeter vulnerabilities
Vulnerabilities and flaws on the network perimeter can be categorized into four groups: web application vulnerabilities, server configuration flaws, insufficient network security, and deficiencies in user account and password management. The most dangerous are remote access and control interfaces, since they can easily be reached by external users; the most common are the SSH and Telnet protocols. However, the presence of vulnerabilities within a system does not necessarily lead to penetration of the network. In general, the network perimeter of banks is better protected than in most industries.
Internal network infrastructure
The internal network infrastructure is the most vulnerable system in any banking facility. Most banks focus on protecting the network perimeter while internal security remains poor. Security flaws allow attackers to penetrate deep into the banking infrastructure. Such flaws include dictionary passwords and weak password policies, sensitive data stored in clear text, insufficient protection against the recovery of credentials from OS memory, insufficient protection of service protocols from attacks, and outdated software.
How Banks Can Improve their Network Security and Stop Hackers
Adopt Network Segmentation
The bank needs to respond as if the network has already been breached. The bank's IT team should employ network segmentation as a strategy while prioritizing the security of the most business-critical parts of the network. Network segmentation creates network zones that limit a hacker's ability to move laterally across the compromised network. The bank will have to continuously update and configure its network when using this strategy. It ensures that a hacker gets only as far as the employee's infected computer, rather than following a chain of weakly separated networks that ends at the bank's ATM systems.
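As an added example, not from the original article, the Python below models a segmentation policy as zone-to-zone allow-rules and enumerates every chain of zones by which a compromised workstation could reach the ATM management zone without crossing a zone that enforces two-factor authentication, comparing a weak policy with a corrected one. The zone names, the rules and the assumption that admin_jump is a two-factor jump-host zone are all constructed for this example.

```python
# Constructed zone-to-zone allow-rules (source, destination, service); anything not
# listed is denied by default. "admin_jump" is assumed to be a jump-host zone that
# enforces two-factor authentication.
WEAK_RULES = [
    ("workstations", "file_servers", "smb"),
    ("workstations", "admin_jump", "rdp"),
    ("file_servers", "core_banking", "sql"),
    ("admin_jump", "atm_mgmt", "rdp"),
    ("core_banking", "atm_mgmt", "https"),
]
# Corrected policy: file servers no longer reach core banking directly, so every
# path to ATM management must pass through the two-factor jump zone.
SEGMENTED_RULES = [r for r in WEAK_RULES if r[:2] != ("file_servers", "core_banking")]
SEGMENTED_RULES.append(("admin_jump", "core_banking", "https"))


def zone_graph(rules):
    """Adjacency list of zones reachable from each zone, ignoring the service."""
    graph = {}
    for src, dst, _service in rules:
        graph.setdefault(src, []).append(dst)
    return graph


def lateral_paths(rules, start, target, max_hops=6):
    """Every simple chain of zones from start to target that the rules permit."""
    graph, paths = zone_graph(rules), []

    def walk(zone, chain):
        if zone == target:
            paths.append(list(chain))
        elif len(chain) <= max_hops:
            for nxt in graph.get(zone, []):
                if nxt not in chain:  # simple paths only, no cycles
                    walk(nxt, chain + [nxt])

    walk(start, [start])
    return paths


def unguarded_paths(rules, start, target, chokepoints):
    """Chains reaching the target without crossing any zone that enforces two-factor auth."""
    return [p for p in lateral_paths(rules, start, target) if not set(p[1:-1]) & set(chokepoints)]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, unguarded_paths(rules, "workstations", "atm_mgmt", {"admin_jump"}))
```

With the weak policy the workstation zone reaches ATM management through the file servers and core banking without ever touching the jump zone; the corrected policy leaves only paths that pass through admin_jump.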
Employ an Enterprise-wide security policy
A well-defined security policy provides a proper roadmap for maintaining a truly adaptive security architecture for any IT team. It helps the people responsible for maintaining the bank's security determine the best way for the network to run with minimal risk. Such a policy should also take into account all regulatory and enterprise compliance requirements, as well as how to apply timely patches to maintain compliance.
Enforcing security policy
Having a security policy without enforcing it does not help at all. The bank has to ensure that the policies it defines to control the behavior of its IT platform are enforced across its networks. The organization should frequently monitor the networks for configuration changes and ensure that the changes are approved and consistent with the policy.
Conclusion
Cybersecurity is a great concern for banks. Banks can run into great losses at the hands of cybercriminals who aim to steal huge sums of money from them. Achieving network security starts with the administration, who draft the institution's security policies, and extends to the most junior employee within the bank. Banks should make network security their first priority.
