SINT MAARTEN—For three months starting last October, hackers pulled off a stunning compromise of a Brazilian bank’s operations top-to-bottom. The attack was comprehensive with each of the bank’s 36 domains, corporate email and DNS under the attacker’s control.
Once Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev dug under the covers of this attack, they discovered that the attackers had extended their operations to nine other institutions worldwide, the researchers said today at the Security Analyst Summit.
At the outset, this looked like a site hijacking, but Assolini and Bestuzhev quickly discovered that much more was happening. The caper was uncovered last Oct. 22 when it was apparent the bank’s website was serving malware to each of its visitors. The malware was a Java file tucked inside a .zip archive loaded into the index file.
“Every single visitor got a plugin with the JAR file inside,” Bestuzhev said, adding that the attackers had control of the site’s index file. Within the index, an iframe was loaded and it was redirecting visitors to a website from where the malware was being dropped.
“We were wondering, had the bad guys pwned the whole bank? How is this possible?” Bestuzhev said.
Digging deeper, the researchers found the homepage was displaying a valid SSL certificate from Let’s Encrypt, a free Certificate Authority.
“This happened one day before the attack,” Bestuzhev said. “This seemed very interesting for us.”
The depths of the compromise quickly became apparent. All 36 bank domains were under the attackers’ control, including the online, mobile, point-of-sale, financing and acquisitions, and more.
“All domains, including corporate domains, were in control of the bad guy,” Assolini said, adding that the attackers also were inside the corporate email infrastructure and shut it down, preventing the bank from informing customers of the attack or contacting their registrar and DNS provider.
Assolini, a native Brazilian, said the bank was founded in the early 20th Century and manages 500 branches in Brazil, the U.S., Argentina and Grand Cayman; there are 5 million customers and $25 billion in assets under the bank’s control.
Pulling the malware apart, the researchers found eight modules, including configuration files with bank URLs, update modules, credential-stealing modules for Microsoft Exchange, Thunderbird, and the local address book, and internet banking control and decryption modules. All of the modules, the researchers said, were talking to a command and control server in Canada.
One of the modules, called Avenger, is a legitimate penetration testing tool used to remove rootkits. But in this case, it had been modified to remove security products running on compromised computers. It was through Avenger that the researchers determined that nine other banks around the world were similarly attacked and owned.
“The bad guys wanted to use that opportunity to hijack operations of the original bank but also drop malware with the capacity to steal money from banks of other countries,” Bestuzhev said.
The researchers also reported finding phishing pages loaded onto bank domains trying to induce victims to enter payment card information.
This plot was hatched at least five months in advance when the Let’s Encrypt certificate was registered. Spear-phishing emails were also discovered targeting local companies using the name of the Brazilian registrar.
This could be the avenue the attackers used to run the bank’s DNS settings; at one point they were able to redirect bank traffic to their servers.
“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev said. “If DNS was under control of the criminals, you’re screwed.”
The researchers stressed the importance of securing the DNS infrastructure and the need to take advantage of features such as two-factor authentication, which most registrars offer, but few customers use, the researchers said.
“That’s exactly what happened with this bank,” Assolini said.