The SWIFT banking network on Friday updated financial institutions worldwide of new security resources it has developed in the wake of massive fraud. Officials also reminded banks of their role in securing their respective infrastructures.
Banks in Bangladesh, Vietnam and Ecuador have been infiltrated by attackers who stole credentials for the SWIFT system to move out tens of millions of dollars; Bangladesh Bank was the most egregious case where attackers were able to steal more than $80 million. It has been reported that the bank was not running a firewall and was using $10 commodity switches to manage computers connected to the SWIFT network.
SWIFT, which stands for Society for Worldwide Interbank Financial Telecommunication, is a private network used by financial organizations to send and receive transactions.
Hackers have been targeting banks with weak or non-existent security to steal credentials for the SWIFT network to make fraudulent transactions. In a May 13 statement after the attack on the Vietnamese bank, SWIFT hinted that insiders at the respective banks could also be involved.
“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both,” SWIFT’s statement read.
On Friday, SWIFT issued another statement to banks warning its users that fraud continues to be a major problem, and reassuring them that the security of the SWIFT network remains intact.
SWIFT officials said they will continue to share information on ongoing attacks as it’s available, as well as best practices to help organizations be proactive against fraud, in particular with regard to the security of credentials and access to the network.
SWIFT said it has also centralized new and existing information in a resource that is known as KB tip 5020928, which lives in the restricted customer section on SWIFT.com.
“We will update this tip with relevant information, including any new customer malwares or other indicators of compromise (IOCs) supporting the same modus operandi we have seen in the previous cases. We recommend that you have your IT security team review this information today and on an ongoing basis,” SWIFT said in its statement. “Going forward, all new and relevant information related to cyber incidents at customers’ institutions known to us will be posted on that KB tip, allowing your security team to have the most up to date information, which should enhance their ability to react and respond.”
Several times in the note, SWIFT reinforced the onus is on financial organizations to maintain the integrity of their respective networks.
“Your organization’s role in this effort is critical,” SWIFT said. “Incorporating these steps as part of your security protocol will allow SWIFT to better support your institution in solving any issues that may arise, to understand any patterns between cases, and to provide general advice and alerts to other users in order to protect them from similar cases.”
The Bangladesh heist happened in February; attackers used stolen credentials to access the SWIFT network and injected malware into the bank’s implementation of the network to transfer money to accounts in the Philippines. The malware, SWIFT said, was used to cover the attackers’ tracks. Researchers at BAE Systems analyzed one component of the attack called evtdiag, custom-built malware tailored for Bangladesh Bank’s implementation of SWIFT Alliance Access software. SWIFT told Threatpost the malware affected only the client-side, and at the SWIFT network and core messaging services were not breached.
Earlier this month, Reuters reported that Bangladeshi police blamed technicians with SWIFT for introducing weaknesses that were ultimately exploited.
Reuters cited a conversation with Mohammad Shah Alam, who’s heading up a probe into the heist with Bangladesh police’s criminal investigation department, and an unnamed official at Bangladesh Bank. The bank official claims the technicians made missteps and went against security protocols when they implemented the system, something which opened SWIFT messaging to anyone who had a “simple password.”
“It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done,” the bank official told Reuters.
Four days later, SWIFT issued its second warning, this time of an attack against Vietnam’s Tien Phong Bank. SWIFT said the attack vector was malware targeting a PDF reader used by banks to check statement messages, in particular payment confirmations via PDF.
The attackers were able to use a Trojanized version of the PDF reader to once again electronically erase their tracks. This prompted SWIFT to suggest in its alert that insiders could be at play because of their knowledge of the use of the PDF readers in question.