About the Bangladesh Bank hack - The attackers who stole $81 million from the Bangladesh central bank probably hacked into software from the SWIFT financial platform that is at the heart of the global financial system.
Key Security Learnings (these can be easily mapped to OWASP Top 10 attacks):
- SWIFT's security builds on the practices established by each customer itself; in the wake of this attack it is therefore imperative that customers using SWIFT Alliance Access strengthen their cyber security posture.
- Closely monitor, 24x7x365, all network and system components (both internal and external) that interface with outside systems, and generate alerts for any abnormal behaviour.
- Ensure proper network segmentation using effective network components, with the latest patches and updates applied to all systems.
- Ensure system components interact with the database under least privilege (absolutely avoid granting modify/delete privileges on critical or sensitive database tables, columns and logs where there is no business need), with all interactions logged and alerts generated for abnormal behaviour.
- Credentials for operators authorized to create and approve SWIFT messages must be changed regularly, together with a review of the segregation of duties among operators involved in the organization's critical operations.
- Any abnormal change to system or application components is alerted on and properly analysed.
Experts in bank security fear that there were "a handful" of central banks in developing countries that were equally insecure. Some banks fail to adequately protect their networks because they focus security budgets on physically defending their facilities.
Modus operandi: SWIFT, a cooperative owned by 3,000 financial institutions and used by 11,000 banks, confirmed that it was aware of malware targeting its client software. The attackers modified a SWIFT software program installed on bank servers. The new evidence suggests that the hackers manipulated the Alliance Access server software, which banks use to interface with SWIFT's messaging platform, in a bid to cover up fraudulent transfers that had been ordered earlier.

Investigators discovered the malware that the Bangladesh Bank attackers used to manipulate the SWIFT client software known as Alliance Access. The malware, named evtdiag.exe, was designed to hide the hackers' tracks by changing information in a SWIFT database at Bangladesh Bank that tracks transfer requests. evtdiag.exe was likely part of a broader attack toolkit installed after the attackers had obtained administrator credentials. With that access, the attackers obtained valid credentials for operators authorized to create and approve SWIFT messages, then submitted fraudulent messages impersonating those operators.

There is high confidence that this malware was used in the attack because it was compiled close to the date of the heist, contained detailed information about the bank's operations, and was uploaded from Bangladesh.

The malware was designed to make a slight change to the code of the Alliance Access software installed at Bangladesh Bank, giving the attackers the ability to modify a database that logged the bank's activity over the SWIFT network. Once it had established a foothold, the malware could delete records of outgoing transfer requests from the database altogether and also intercept incoming messages confirming the transfers ordered by the hackers. It was then able to manipulate account balances in the logs to prevent the heist from being discovered until after the funds had been laundered. It also manipulated a printer that produced hard copies of transfer requests, so that the bank would not identify the attack through those printouts.
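The learning about logging every database interaction, and the modus operandi above in which records of outgoing transfer requests were deleted or altered in the application database, together suggest a defensive check: keep an independent, append-only copy of each transfer request on a log host the SWIFT server cannot modify, and reconcile it against the application database. The following is an added example, not code from the original post or from SWIFT; the log format, the field names and the sample records are constructed assumptions.

```python
# Added example: reconcile the application's transfer-request rows against an
# append-only audit copy.  Assumption (not from the post): every request is also
# forwarded to a write-once log server the SWIFT host cannot modify, so any
# difference between the two copies is an alert, not a routine discrepancy.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ref: str           # transfer reference
    amount: int        # amount in minor currency units
    beneficiary: str   # beneficiary account identifier


def parse_log(text):
    """Parse constructed 'timestamp key=value ...' lines into Transfer records."""
    records = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        records.append(Transfer(fields["ref"], int(fields["amount"]), fields["ben"]))
    return records


def reconcile(app_records, audit_records):
    """Compare application DB rows with the append-only copy.
    Returns sorted (alert_type, ref) pairs; an empty list means the copies agree."""
    app = {t.ref: t for t in app_records}
    audit = {t.ref: t for t in audit_records}
    alerts = []
    for ref, entry in audit.items():
        if ref not in app:
            alerts.append(("DELETED_FROM_APP_DB", ref))      # row removed
        elif app[ref] != entry:
            alerts.append(("MODIFIED_IN_APP_DB", ref))       # amount or beneficiary rewritten
    for ref in app:
        if ref not in audit:
            alerts.append(("UNLOGGED_IN_AUDIT_COPY", ref))   # request bypassed the audit path
    return sorted(alerts)


# Constructed sample data: three requests reached the audit copy, but the
# application DB now shows one deleted and one with its amount rewritten.
AUDIT_LOG = """
2016-02-05T01:10:00Z ref=FT0001 amount=100000 ben=ACCT-A
2016-02-05T01:12:00Z ref=FT0002 amount=250000 ben=ACCT-B
2016-02-05T01:15:00Z ref=FT0003 amount=9000000 ben=ACCT-C
"""
APP_DB = """
2016-02-05T01:10:00Z ref=FT0001 amount=100000 ben=ACCT-A
2016-02-05T01:15:00Z ref=FT0003 amount=900 ben=ACCT-C
"""


def run_check():
    return reconcile(parse_log(APP_DB), parse_log(AUDIT_LOG))


if __name__ == "__main__":
    for kind, ref in run_check():
        print(f"ALERT {kind}: {ref}")
```

Running the check on the constructed data raises two alerts, one for the deleted request and one for the altered amount; the same comparison can be scheduled against live data so that a tampered database is noticed before the confirmations are laundered away.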