SWIFT Warns of Second Bank Attack via PDF Malware

News of yet another attack involving a bank and SWIFT, the financial network used by thousands of banks to transfer funds, came to light Thursday.

News of yet another attack involving a bank and SWIFT, the financial network used by thousands of banks to transfer funds, came to light Thursday as investigators continue to probe a separate $81 million heist in February involving the network and the central bank of Bangladesh.

The Brussels-based global financial messaging network notified users on Friday of the second attack, warning that its likely indicative of a “wider and highly adaptive campaign.”

While details around the most recent attack – which bank was implicated, how much money was taken, etc. – remain scant, SWIFT did share the attack vector: malware that targets a PDF reader application used by the banks to check statement messages.

In particular, attackers are targeting banks that they know receive PDF reports of payment confirmations. After it’s installed the malware mimics the actual PDF reader. Once the user opens a PDF report, the Trojan PDF reader manipulates the reports to “remove traces of fraudulent instructions.”

The fact that the attackers are familiar with the banks enough to know they use PDF readers to verify SWIFT messages suggest they either have an inside source at the bank, or have somehow attained knowledge of the bank’s inner workings, SWIFT claims.

“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both,” reads the network’s message to users.

Earlier this week an official with the US Federal Bureau of Investigation told the Wall Street Journal that they suspect February’s $81 million heist was an inside job and that evidence points to “at least one bank employee acting as an accomplice.”

Officials at SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, are stressing that while its system wasn’t compromised, the way these banks connected to its network was. Attackers managed to hack bank environments then go on to submit SWIFT messages with credentials, often stolen, to transfer money. In the February hack, attackers made $951 million in bogus transactions from the Federal Reserve Bank of New York to a bank in the Philippines. All but $81 million has been recovered thus far.

In its letter the network urged users to adequately secure their systems.

“Please remember that as a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environment,” the memo reads.

Experts echoed SWIFT’s sentiments on Friday, insisting that users need to properly ensure they protect tools that are critical like SWIFT, a network used by 11,000 banks in 212 different countries, lest they open themselves up to attacks.

“That it now seems easy to abuse SWIFT access is an overdue wake-up call for organizations to gear up their defenses around their critical assets,” Wim Remes, the Manager of Strategic Security Services for Rapid7 in EMEA said Friday.

“Once a product is integrated in your own infrastructure it becomes part of your attack surface and it is fully within your own responsibility to adequately protect it. Up to and including your ability to detect attacks and respond to them,” Remes, who’s also a member of the International Information Systems Security Certification Consortium, said.

SWIFT on Monday rejected claims made by Bangladeshi officials over the weekend that technicians with the company introduced vulnerabilities into the system, something that would have made it easier for attackers to carry out the heist.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.