SWIFT Credential Theft Calls for Advanced Access Controls

June 21, 2016

According to the New York Times, security researchers have tied the recent spate of digital breaches on Asian banks to North Korea in what appears to be the first known case of a nation using digital attacks for financial gain.

An investigation by Symantec found evidence that a single group of state-sponsored cyber criminals may be responsible for an attack that successfully stole $81 million USD from the Bangladesh central bank, and attempted to steal over $1 million from the Tien Phong Bank in Vietnam. Malware used by the group was also deployed in targeted attacks against a bank in the Philippines.

In addition, some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus. The attacks can be traced back as far as October 2015, two months prior to the discovery of the failed attack in Vietnam, which was hitherto the earliest known incident.

Valid User Credential Theft

It has been widely reported that the attackers exploited vulnerabilities in banks’ funds-transfer initiation environments, before transfer messages were sent over the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. SWIFT has reported that malicious insiders or external attackers managed to submit SWIFT messages from financial institutions’ back offices, PCs or workstations connected to their local interface to the SWIFT network. The modus operandi of the attackers is similar in both cases:

  1. Attackers compromise the bank’s environment.
  2. Attackers obtain valid operator credentials that have the authority to create, approve and submit SWIFT messages from customers’ back-offices or from their local interfaces to the SWIFT network.
  3. Attackers submit fraudulent messages by impersonating the operators from whom they stole the credentials.
  4. Attackers hide evidence by removing some of the traces of the fraudulent messages.

The notice from SWIFT urges banks to ensure that they have all preventative and detective measures in place to secure their environments.

While details of the initial compromise vector have not been identified, it is safe to assume that the attackers established a foothold either with the help of an insider or via stolen valid user credentials. This leads a network defender to look inside the network for ways to make the adversary’s job harder by interrupting the other steps in the attack sequence outlined by SWIFT.

Prevent Advanced Adversary Threat

Preventing an advanced adversary such as Lazarus from progressing from Step 1 (initial compromise of user credentials) to Step 2 (acquisition of valid SWIFT operator credentials) requires proper network segmentation. This effectively prevents an adversary from conducting reconnaissance and lateral movement in search of operator credentials. Fine-grained segmentation also separates unprotected segments of the network (workstations) from highly sensitive applications, such as the SWIFT interface.

To prevent an adversary from progressing from Step 2 to Step 3 as outlined in the SWIFT report, it is important for banks to authenticate valid operators beyond username and password. Effective authentication must include other variables, such as MFA, time, date, and endpoint validation (MAC address, SID, proper AV and OS, etc.). By increasing the number of variables that must be presented to authenticate a valid SWIFT operator, the bank is, in effect, using a “digital identity” that is extraordinarily difficult to duplicate. This countermeasure interrupts Step 3, impersonating a valid SWIFT operator.
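The following is an added example (not Cryptzone’s or SWIFT’s code) of the “digital identity” check described above: an access decision for a SWIFT operator session that requires MFA, a time window and endpoint attributes to all pass, so that a stolen username and password alone is refused. The policy values, the `AccessRequest` fields and the function name are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy for a hypothetical SWIFT operator role. The values are
# illustrative; a real deployment would load them from a directory or IdP.
OPERATOR_POLICY = {
    "allowed_macs": {"00:1a:2b:3c:4d:5e"},               # registered SWIFT workstations
    "allowed_sids": {"S-1-5-21-1111-2222-3333-1001"},    # machine SID of that workstation
    "allowed_os": {"Windows 10 Enterprise"},
    "max_av_signature_age_days": 2,                      # AV definitions must be fresh
    "hours": (8, 18),                                    # local business hours [start, end)
    "weekdays": {0, 1, 2, 3, 4},                         # Monday..Friday
}

@dataclass
class AccessRequest:
    username: str
    password_ok: bool            # username/password already verified by the IdP
    mfa_ok: bool                 # second factor verified in this session
    when: str                    # local time of the request, ISO 8601 ("2016-06-21T10:00")
    mac: str
    sid: str
    os_name: str
    av_signature_age_days: int   # reported by the endpoint agent

def evaluate_operator_access(req: AccessRequest, policy=OPERATOR_POLICY):
    """Return (allowed, failed_checks). Every check must pass; a stolen
    username/password satisfies only the first one."""
    failed = []
    if not req.password_ok:
        failed.append("password")
    if not req.mfa_ok:
        failed.append("mfa")
    when = datetime.fromisoformat(req.when)
    start, end = policy["hours"]
    if when.weekday() not in policy["weekdays"] or not (start <= when.hour < end):
        failed.append("time_window")
    if req.mac.lower() not in policy["allowed_macs"]:
        failed.append("mac")
    if req.sid not in policy["allowed_sids"]:
        failed.append("sid")
    if req.os_name not in policy["allowed_os"]:
        failed.append("os")
    if req.av_signature_age_days > policy["max_av_signature_age_days"]:
        failed.append("antivirus")
    return (len(failed) == 0, failed)
```

The list of failed checks is what a defender wants in the audit log: a request that passes the password check but fails MFA and endpoint validation is exactly the signature of a credential-theft attempt.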

Lastly, to prevent an adversary from progressing from Step 3 to Step 4 in the attack sequence, banks should ensure that transactions are properly logged, or else terminate the session between the operator and the SWIFT interface. This would prevent the attackers from thwarting fraud detection controls that are designed to find anomalous activity. It would also ensure that proper evidence is available to conduct an investigation after an attack has been detected. It’s very important to maintain effective logs to identify and prosecute potential bad actors within the organization.

Target on Banks and Foreign Wire Transfers Continues

Given the success of the recent bank attacks, it is highly likely that the Lazarus Group and other sophisticated cyber adversaries will continue to target banks and other companies that conduct foreign wire transfers. This presents an urgent need for enterprises to implement proper security controls, such as user authentication based on digital identity, fine-grained segmentation, and persistent tamper-proof logging. The challenge is to identify cost-effective and easily managed solutions that implement these controls.

You can learn more about one solution in this category – Cryptzone’s AppGate, which enables organizations to adopt a software-defined perimeter approach for granular security control.


Leo Taddeo
Chief Security Officer

Leo Taddeo is the Chief Security Officer (CSO) for Cryptzone, a provider of dynamic, context-aware network, application and content security solutions. Taddeo, former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office, is responsible for analyzing the cybersecurity market to help shape Cryptzone’s vision for security solutions. Taddeo provides deep domain insight into the techniques, tactics and procedures used by cybercriminals, to help Cryptzone continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches.

Prior to Cryptzone, Taddeo led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high profile cases, including Silk Road, Blackshades and JP Morgan.

Previously, Taddeo served as a Section Chief in the International Operations Division, where he managed FBI operations in Africa, Asia and the Middle East. Taddeo has held various roles of increasing responsibilities in the field, including supervising a joint FBI/New York City Police Department Joint Terrorism Task Force and serving as the Legal Attaché in Rome, Italy.

After receiving his degree in applied physics from Rensselaer Polytechnic Institute in 1987, Taddeo served as a tank officer in the U.S. Marine Corps. In 1991, he was awarded a Purple Heart and Bronze Star Medal for valor for service in the Gulf War. Taddeo then earned a Juris Doctor from St. John’s University and joined the New York law firm of Mound, Cotton & Wollan, where he practiced civil litigation until entering the FBI.

Taddeo is a graduate of the CISO Executive Program at Carnegie Mellon University. He also maintains the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler certifications.
