PERCEPTION FINANCIAL SERVICES CYBER THREAT BRIEFING REPORT Q1 2019

Contents

Table of Contents . 1
Welcome . 1
1 Notable Cyber Activity within Financial Services . 2
2 Threat Actor Profile: The Carbanak Organized Crime Gang . 4
3 Benefits and challenges of deploying TLS 1.3 . 5
4 Ethereum Classic (ETC) 51% Attack . 9
5 Authoritative DNS Security . 10

Welcome

Welcome to the latest edition of PERCEPTION, the cyber threat intelligence briefing for the financial services sector from Nettitude, edited by Dr Graham Shaw. The briefing report contains informative, relevant and timely information about the cyber threat landscape, current threat actors and recent activities. The report is designed to help you address the cyber risks faced by your organization.

Nettitude provides a wide range of cyber threat and assurance services including red team simulation testing, threat modeling, attack surface analysis and tracking of threat actors, their methods and techniques. Please contact [email protected] to inquire further.

We hope you enjoy reading this edition of PERCEPTION.

Yours sincerely,
Ben Densham
Chief Technology Officer

1 Notable Cyber Activity within Financial Services

January 2019
A security researcher discovered that The State Bank of India (SBI), India's largest bank, had failed to secure a server which was part of their text-messaging platform. The researcher was able to read all messages sent and received by the bank's 'SBI Quick' enquiry service, which contained information on balances, phone numbers and recent transactions. This information could have been used to profile high net worth individuals, or to aid social engineering attacks, which are one of the most common types of financial fraud in India.1

December 2018
Kaspersky published a detailed examination of intrusions into at least eight banks across Eastern Europe in a campaign they have dubbed 'Dark Vishnya'. In each case the attackers used an unknown device connected to the company's local network, with remote access through a mobile network connection. Once in the network, the attackers carried out reconnaissance and lateral movement to reach machines used for making payments.2

November 2018
The Bank of England hosted a one-day exercise to test the sector's resilience to a major disruption arising from a cyber-incident. Around forty organizations took part along with the Treasury, Financial Conduct Authority and UK Finance. Concerns were raised by some that a pre-arranged event may not adequately stress-test organizations' preparedness, but nevertheless the event highlights the importance of holding regular war-gaming exercises alongside practical tests of security controls. The bank is expected to publish some of the lessons learned at a later date, although it has said that due to Brexit preparations it will delay the introduction of cyber-related impact tolerances on the sector.3,4

October 2018
Between the 4th and 14th October 2018 HSBC reported that a number of US online bank accounts were accessed by unauthorized users, with potential access to personal information about the account holder. HSBC told the BBC this affected fewer than 1% of its American clients and has not released further information on how the unauthorized access occurred.

It is likely that this was an example of a credential-stuffing attack, where attackers attempt to authenticate with vast quantities of username and password combinations obtained from other compromised sites, hoping to find users who have re-used their credentials elsewhere. This highlights the importance of deploying two-factor authentication for sensitive logons and/or detection techniques to block anomalous access.5,6

August 2018
On the 14th of August 2018 the Cosmos Bank, India's second oldest and, more importantly, India's second largest bank, was compromised by a two-stage attack. The first stage of the attack saw 11.5 million USD stolen. The second stage of the attack happened on the same day as the first; however, this time nearly 2 million USD was withdrawn through debit card transactions located in India. Reports at the time stated that malware was used to infect the bank's ATM server to steal credit card information, as well as stealing SWIFT codes required for transactions. Cosmos Bank stated that the cyber-attack was launched from 22 different geographical locations. Research conducted by Securonix attributed the attacks to North Korea, pointing specifically at the APT group known as The Lazarus Group.7,8

1 https://techcrunch.com/2019/01/30/state-bank-india-data-leak/
2 https://securelist.com/darkvishnya/89169/
3 https://www.bankofengland.co.uk/news/2018/november/sector-resilience-exercise
4 https://uk.reuters.com/article/uk-britain-boe-cyber/bank-of-england-says-will-delay-work-on-cyber-stress-tests-for-banks-idUKKBN1O40ZL
5 https://oag.ca.gov/system/files/Res%20102923%20PIB%20MAIN%20v3_1.pdf
6 https://threatpost.com/hsbc-data-breach-hits-online-banking-customers/138856/
7 https://www.pcrisk.com/internet-threat-news/13425-how-hackers-stole-135-million-usd
8 https://www.securonix.com/securonix-threat-research-cosmos-bank-swift-atm-us13-5-million-cyber-attack-detection-using-security-analytics/

June 2018
In June the Ukrainian Cyber Police Chief spoke out and stated that hackers backed by Russia were infecting Ukrainian companies with malicious software. He outlined the Ukrainian assessment that the malicious software was being used to create back-doors into large companies for potentially damaging future coordinated attacks against them. Of the companies being targeted, the main focus was critical infrastructure and banking organizations.

Although Russia has denied the accusations, this is another example of rising geo-political tensions affecting the private sector. Relations between Ukraine and Russia continue to be difficult: in 2014, following the annexation of Crimea, Ukraine accused Russia of orchestrating a large scale cyber-attack and has remained vigilant since.9

April 2018
In May the head of the Mexican Central Bank reported that Mexican banks had been targeted in an attack which was similar to previous attacks against the Bangladesh banking sector in 2016. It has been reported that around $15.4 million was obtained, although it's not clear how much was extracted as cash. In response the Mexican central bank is now creating a cyber-security unit which will provide advice and guidance to the country's banking sector.10

March 2018
In March of 2018 information outlined by McAfee pointed to the North Korean linked threat actor The Lazarus Group conducting campaigns against Turkish financial organizations. This campaign saw a resurgence of the Bankshot malware. This malware, along with other TTPs conducted in the attack, bore similarities to previous attacks against the Turkish government which have been linked to North Korea.

The Bankshot malware is capable of wiping files and content while staying hidden on the victim's system. This malware, which also goes by the name Trojan Manuscript, is also capable of searching for and connecting to the SWIFT global banking network.11

March 2018
In March of 2018 the United States of America accused Iran of stealing intellectual property from over 300 universities in America, Europe and East Asia. They were also accused of stealing intellectual property from financial services companies and government agencies. The US attorney for the southern district of New York called it "one of the largest state-sponsored hacking campaigns ever prosecuted by the DOJ (Department of Justice)".

This hack is believed to have started in 2013 and continued for four years. The US government stated that it was the Mabna Institute which started the attacks, which the US now calls "a Hacker network".

9 https://www.reuters.com/article/us-ukraine-cyber-exclusive/exclusive-ukraine-says-russian-hackers-preparing-massive-strike-idUSKBN1JM225
10 https://www.reuters.com/article/us-mexico-cyber/mexico-central-bank-to-create-cyber-security-unit-after-hack-idUSKCN1IG3AB
11 https://www.ibtimes.com/north-koreas-hidden-cobra-hackers-target-turkey-bankshot-malware-2662019

2 Threat Actor Profile: The Carbanak Organized Crime Gang

The Carbanak Group (aka FIN7) is an organized cyber-criminal gang which was first discovered in 2014 by Kaspersky Labs. When they were first discovered, Kaspersky outlined how they had been targeting banks with malware that was introduced to its target via phishing emails. The Carbanak Group appears to be almost entirely financially motivated, with the majority of their attacks focused on the financial sector. It is unclear how much the group has stolen from banks in total, but reports vary from $900 million to well over a billion.

What is clear about the Carbanak group are their TTPs (tactics, techniques and procedures). To compromise their victim, they utilize spear-phishing with malicious attachments and links. Once a victim is compromised, they move through the bank's internal network, infecting servers and controlling ATMs. Their preferred criminal acts are then to transfer money to foreign bank accounts, inflate bank account balances for money-mules to withdraw, and command ATM machines to spit out money which the money-mules collect. Further actions tend to see the stolen money converted into one of several cryptocurrencies to help obfuscate its final destination.

Figure 1: Carbanak, a global threat 12

The distinction between what has been named the Carbanak group and others named by other organizations as Cobalt or FIN7 is sometimes unclear, with shared techniques and tools being used. It has therefore been suspected that Carbanak may not be one group but several groups utilizing and sharing the same TTPs.

On the 26th March 2018 the suspected leader of the notorious cyber-crime gang "Carbanak", named only as 'Denis K', was arrested in Alicante, Spain. This arrest was part of an international police cooperation between Europol and the Joint Cybercrime Action Taskforce. It was also the first time that the EBF (European Banking Federation) had actively cooperated with Europol on a