Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/4/2017
10:20 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Cybercriminals Seized Control of Brazilian Bank for 5 Hours

Sophisticated heist compromised major bank's entire DNS infrastructure.

KASPERSKY SECURITY SUMMIT 2017 – St. Maarten – Cybercriminals for five hours one day last fall took over the online operations of a major bank and intercepted all of its online banking, mobile, point-of-sale, ATM, and investment transactions in an intricate attack that employed valid SSL digital certificates and Google Cloud to support the phony bank infrastructure.

The attackers compromised 36 of the bank's domains, including its internal email and FTP servers, and captured electronic transactions during a five-hour period on Oct. 22, 2016. Researchers estimate that hundreds of thousands or possibly millions of the bank's customers across 300 cities worldwide, including in the US, may have been victimized during the hijack window when customers accessing the bank's online services were hit with malware posing as a Trusteer banking security plug-in application. The malware harvested login credentials, email contact lists, and email and FTP credentials, and disabled anti-malware software on the victim's machine to avoid detection.

Dmitry Bestuzhev, director of Kaspersky Lab's research and analysis team in Latin America, says the attackers were able to pull off the heist by compromising the bank's Domain Name Service (DNS) provider Registro.br and gained administrative control of the bank's DNS account. The attackers also obtained valid digital certificates for their poser bank's servers via Let's Encrypt, a legitimate HTTPS certificate provider, to dupe customers who, when they logged into their online accounts, were redirected to the phony systems. Meanwhile, the bank, which has $25 billion in assets, 5 million customers worldwide, and 500 branches in Brazil, Argentina, the US, and the Cayman Islands, was locked out of its own network and systems during the attack.

"As far as we know, this type of attack has never happened before on such a big scale," Bestuzhev says. Kaspersky Lab did not disclose the name of the victim bank.

The operation actually began at least five months prior to the actual hijack on Saturday, Oct. 22. Bestuzhev says it's unclear just how the attackers were able to compromise the DNS provider, but notes that Registro.br in January of this year patched a cross-site request forgery flaw on its website. "Maybe they [the attackers] exploited the vulnerability on that website and got control. Or … We found several phishing emails targeting employees of that registrar, so they could have spear-phished them," he says. "We don't know how exactly they originally compromised" the DNS provider, he says.

The bank didn't deploy the two-factor authentication option offered by Registro.br, which left the financial institution vulnerable to an authentication-type attack as well as authentication-type flaws such as CSRF, Fabio Assolini, a Kaspersky Lab researcher said here today during a presentation about the bank hijack discovered by Kaspersky.

More Banks at Risk

The attackers also dropped on banking customer machines malware that targets a specific list of other banks in Brazil, the UK, Japan, Portugal, Italy, China, Argentina, the Cayman Islands, and the US, apparently in hopes of nabbing their accounts there as well. There were eight components of the malware, including the one that disabled or removed anti-malware software, all written in JAR and able to run on Windows and Mac systems. "Once executed, the malware detection rate was very low," he says. "Even if they failed at removing anti-virus, they were able to partially disable it."

A phishing campaign targeting specific bank clients also was set in motion in order to steal payment card information, and during the five-hour heist, the bank was unable to access its email system and alert its customers. "The hijackers had complete control of the bank," Bestuzhev says.

The attackers routed stolen credentials and other information to a server in Canada, likely a "disposable" hosting setup, he says.

Bestuzhev says there's no way to defend against this type of targeted attack against infrastructure. "It's the fragility of the Internet," he says. Most banks in Latin America rely on a third-party DNS provider for their infrastructure, and at least half of the top 20 largest banks in the world use DNS providers for some or all of their DNS infrastructure, he notes.

The bank ultimately regained control of its DNS infrastructure, but the victim machines could remain infected with the malware. "The malware is persistent," Bestuzhev says. "It stays on the computers and can keep causing damage to the victim."

Kaspersky Lab doesn't identify hacker groups, but believes the attackers were a sophisticated Brazilian cybercrime group.

"They spent five months just waiting. This is not someone who is a newbie," Bestuzhev says.

Kaspersky Lab identified the malware used in the attack as Trojan-Downloader.Java.Agent; Trojan.BAT.Starter; not-a-virus:RiskTool.Win32.Deleter; and Trojan-Spy.Win32.Agent.

Related content:

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...