Security Week 17: Hacking SWIFT and cash registers, extorting Android with exploits, bypassing AppLocker

    Financial cyber fraud most often affects ordinary people, customers of banks, but the financial organizations themselves are also experiencing problems. Everyone suffers from the fact that user devices are easier to attack than banking infrastructure. But there are exceptions: the Carbanak campaign discovered by our experts last year , the fresh Metel attacks , GCMan, and the more customer-oriented (large) Carbanak 2.0 campaign. Add to this the high-tech robbery of the central bank of the Republic of Bangladesh that occurred in February this year. Definitely, such attacks require significantly more skills and expthan fraud with users' wallets, but you can get a bigger jackpot if you succeed (or go to jail for a longer time, as you are lucky).

    This week, the story of the bank robbery was continued: the technical details of the attack became known. It turned out that the robbers directly manipulated the software of the international payment system SWIFT. That is, it is not only a matter of the vulnerability of the infrastructure of a particular bank: all large financial organizations are subject to this attack to one degree or another. We’ll return to technology later, it’s worth telling this story from the beginning.

    So, on technology alone, even the coolest, crackers would not have gone far: the theft of tens of millions of dollars in any case will be noticed quickly. The attack was carried out somewhere between February 4 and 5, on the eve of the weekend (in Bangladesh it is Friday and Saturday). A total of 32 transactions were made for a total amount of a billion dollars. Of these, 30 transactions were identified and blocked - in time, despite the day off. Two transfers, amounting to $ 21 and $ 80 million, respectively, to Sri Lanka and the Philippines, were successful.

    The transfer to Sri Lanka was subsequently returned thanks to a banal typo. Directing funds to the account of a local non-profit organization, the attack organizers made a mistake in the word “fund” (fandation instead of foundation), and the German Deutsche Bank, which served as an intermediary, stopped the transaction “until clarification”. In the Philippines, everything worked out. Bangladesh Bank notified the local RCBC Bank of the fact of fraud, but if the attack itself was possible due to Muslim holidays, then the Filipino bank was prevented from taking measures on time for Chinese New Year. When everyone finally got to work, someone had already withdrawn $ 58.15 million from the account on forged documents. I wonder what the process of withdrawing from a bank account looks like 58 million dollars.

    Detailed information about the attack became known only recently. April 22 datathe local police shared , and according to officials, there was ... not much security in the bank. With physical security, everything was good: all operations with the SWIFT system were carried out from a separate and, apparently, carefully guarded premises. Reports of all electronic transactions must be printed.



    At the network level, SWIFT operations were isolated or poorly, or in no way, judging by the mean statements of the police. Mentioned 10-dollar key switches, the lack of a firewall (apparently between the SWIFT infrastructure and everything else, including the Internet). Police tend to blame both the bank itself and the representatives of the international payment system: the latter suddenly found out that SWIFT operations were not protected when it was too late. It was expected that the bank, in principle, could not understand how the leak ( and what it was at all ) until they invited experts for analysis. By the way, the difference between the presence of protection systems and their absence (or incorrect implementation). You can even crack a protected system, but in an unprotected system you can also cover your tracks so as to make further investigation more difficult.

    Well, now let's move on to technology. A detailed analysis of some of the attack tools was carried out by BAE Systems, and then a direct attack on specialized SWIFT system software was revealed. The robbers could act in another way: take control of a computer connected to the payment system, and continue to make wiring "hands", but went a more complex and reliable way. The malicious code intercepted messages from the SWIFT system, looked for predefined sequences of characters in them, in general, it carried out reconnaissance.

    To attack, crackers replaced the standard modules of the payment system and disabled some of the checks. An illustrative example is also given: to disable one of the checks, which, presumably, the fraudulent translation could not pass, it turned out to be enough to change two bytes, removing the conditional jump from the code.



    It was also easy to trick an additional security measure with mandatory printing of transactions on a printer. For printing, the system generates files with the necessary information, and the malware simply zipped these files, that is, not only blocked printing, but also erased the information in digital form.

    My colleagues from the Threatpost website requested a comment from SWIFT, and received a response very similar to the usual reaction of financial institutions to fraud from ordinary customers.



    I mean, the attack did not reveal vulnerabilities in the SWIFT infrastructure, we are talking about an unsafe environment for the client, in short, the problem is not on our side . And they are right, but this is such a right that will not help anyone. I do not think that there will be many such incidents, and most likely conclusions have already been drawn from the whole story: there are not so many places where you can steal a billion in one fell swoop. But there will be more “consumer” cyber fraud, attacks on motley client banks for mere mortals, small and large businesses. Fighting him is harder, but necessary.

    Unusual ransomware Trojan for Android with exploits included
    News . Blue Coat Study .

    Ransomware for conventional computers use exploits to their full potential, although they are not limited to them. But on mobile devices, until recently, the situation looked different: for the initial infection, attackers rely more on social engineering methods. But the threat landscape for Android is developing in the same spiral as attacks on a PC, just significantly faster. This means that the emergence of malware for smartphones and tablets that are installed without the help of the owner is inevitable. And they did appear. A curious sample of such a ransomware trojan was analyzed by specialists from Blue Coat. The ransomware, known as Cyber.Police, attacks devices with Android versions 4.x, and is an ransomware, but not an ransomware. Data is not taken hostage, the device is simply blocked and a ransom is requiredgreyhound puppies iTunes pay cards for $ 200.



    Much more interesting is how the ransomware gets on the device. Two exploits are used for this. The first lbxslt exploit allows you to take control of a device after viewing a site with an infected script in a standard browser. This exploit, along with a number of others, was stolen from the Hacking Team last year. The second, known as Towelroot, exploits a vulnerability in the Linux kernel until 3.4.15 ( CVE ) and, in fact, is a modification of the popular utility for obtaining root rights. At this stage, a malicious application is installed, the Trojan itself, with the suppression of standard messages about the appearance of a new app in the system.

    According toGoogle itself, on various versions of Android 4.x, more than half of the devices still work. In an interview with Threatpost, Blue Coat researcher Andrew Brandt compared this version of Android with Windows XP - it is perceived to be an outdated system that is not supported by most vendors and is extremely vulnerable. Meanwhile, Windows XP was released 15 years ago, and the latest version of Android 4.x (KitKat) - 2.5 years ago. Progress moves by leaps and bounds, but in this context it somehow does not inspire at all.

    FIN6 Group attacks POS-terminals, successfully stole data of 20 million credit cards
    News . FireEye research .

    FireEye's study on the activities of the group known as FIN6 does not reveal America: yes, they break into cash registers, but they steal money. Such operations develop according to the scenario of a targeted attack: appropriate master keys are selected for the victim’s infrastructure, and then the malware finds specialized computers and starts intercepting data. The story is interesting in context. After similar attacks on the largest US retail chains (the Target chain was the most distinguished ), the United States began a long and painful transition to the generally accepted payment system for cards with a chip in Europe (and ours too).

    EMV cards are much better protected, and attacks like FIN6 are not necessarily affected (although options are possible). So, in connection with this, the US-oriented cybercriminal began a party on a sinking ship. Companies that have implemented the chip-and-pin system report a noticeable reduction in the number of incidents related to fraud, but those who are late report an average growth of 11% . Since buyers do not have the habit of refusing to buy in those places where they are still scanning the magnetic strip of credit cards, it turns out that this temporary transition period for US residents and visitors will be more dangerous than before or after. However, the recommendation on the use of disposable cards for payment during trips is unlikely to be canceled even when absolutely everyone will switch to microchipped credit cards.

    What else happened:
    The built-in Windows program Regsvr32 can be used to download and run arbitrary code bypassing security systems, in particular AppLocker. Fortunately, this is still a Proof of Concept from a researcher, and technically this cannot even be called a vulnerability, rather using standard system tools in an unnatural way.

    Antiquities:
    “Astra-976”

    A very dangerous resident virus that is encrypted and written to the COM files of the current directory when the infected file starts and then to all COM files that are launched for execution. If the system clock shows 17 minutes when the file starts, then the virus encrypts (XOR 55h) the partition table in the MBR of the hard drive. Traces int21h. Contains the lines: "© AsTrA, 1991", "(2)".

    Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky. 1992 year. Page 26.

    Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. That's how lucky.

    Also popular now: