Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/25/2016
05:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Malware At Root Of Bangladesh Bank Heist Lies To SWIFT Financial Platform

Customized malware hid $81 million of wire transfers until the money had been safely laundered.

A cyber bank heist of $81 million from Bangladesh Bank (BB) in February probably involved highly customized malware written specifically to exploit vulnerabilities in the bank's poorly secured local environment, according to researchers at BAE Systems. Though it did not exploit a vulnerability in the SWIFT financial software per se, the malware hid all evidence of the attackers' fraudulent wire transfers by fooling the SWIFT software in a variety of ways.

As Reuters reported in February, the attackers -- whose identities remain unknown -- first obtained the credentials the bank uses to approve payments. Then, they "bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money from the Bangladesh Bank's account there to entities in the Philippines and Sri Lanka."

The campaign would have been even costlier if the attackers hadn't drawn attention to themselves by simply being careless with their spelling. "Hackers misspelled "foundation" in the NGO's name as "fandation," prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction, one of the officials said." By this time, $80 million of transactions had already gone through, but, fortunately, $850 to $870 million of other attempted transactions were stopped. Some of the funds have been recovered.

If the attackers had had better editors, BB might have been out $1 billion, based upon what BAE Systems has discovered about the stealth malware on their systems -- which BAE believes was probably part of a bigger toolkit installed on the environment. They are not sure at this point how the initial infection took place, but the malware registers as a service in the environment running the SWIFT software.

One of the malware's tricks: it includes a module that replaces a 2-byte conditional jump with a do-nothing instruction -- "effectively forcing the host application to believe that the failed check has in fact succeeded," thereby giving itself the ability to execute database transactions, BAE said.

It manipulated the record of account balances, and monitored all the messages sent via SWIFT. It evens sent doctored copies of wire transfers to printers, and then deletes the records of them.

The code itself contained detailed information about the bank's environment. From Reuters, today:

Adrian Nish, BAE's head of threat intelligence, said he had never seen such an elaborate scheme from criminal hackers.

"I can't think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in," he said. "I guess it was the realization that the potential payoff made that effort worthwhile."

SWIFT, meanwhile, responded today, deflecting any responsibility for the vulnerability:

SWIFT is aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on SWIFT’s network or core messaging services.

We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security.

Bangladeshi Police are not letting SWIFT entirely off the hook, according to Reuters, stating that both the bank -- which had "seriously deficient" security -- and SWIFT are to blame.

This heist has also been cloaked in some mystery. A cybersecurity researcher investigating the attack reportedly went missing March 16, the day after stating that he'd discovered three user IDs involved, and was possibly abducted. Police found him wandering the streets of Dhaka, Bangladesh's capital city, March 23, "alive but in a dishevelled state," and decided to simply drive him home without questioning him while he was in that state, according to IB Times.

Related stories:

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
4/26/2016 | 8:22:40 AM
Bitcoin
While I know Bitcoin has its own pitfalls, it does seem like decentralized funds avoid problems like this by not providing one point of attack for hackers. 

I don't think Bitcoin is quite ready to become the world's choice for banking, but an interesting point to consider. There are certainly some strengths of crypto currencies over more traditional means of monetary transactions.
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...