Back in February 2016, an unknown group of hackers nearly carried away a billion pound hack against the central bank of Bangladesh—but were thwarted at the last second by a single spelling error. The thieves still made off with an impressive payday, totaling £81 million, which already puts this among the most expensive incidents of all time. Although new information reveals that the targeted institution had extremely unimpressive security, there’s a lot that more well-defended enterprises can learn from this incident.
Lesson One: The Hackers Are Already Inside the Perimeter
It looks like Bangladesh Bank was doing everything short of laying out the welcome mat for bad actors. According to research from BAE Systems, the bank had virtually zero perimeter and was running its network on cheap, secondhand switches without any firewalls. Yes, this is egregious, and no organisation with access to billions of pounds should have such a lax approach to security. On the other hand, organisations in more developed countries, with much more investment and expertise in information security, have undergone equally damaging breaches.
Here’s the lesson: You can invest zero pounds into your perimeter, or you can invest one hundred thousand—some malicious actor is still going to be able to duck around it. Your assumption should be that someone has done exactly that. Thus, as a security administrator, your course of action should be to invest in tools that will allow you to detect criminals once the perimeter has been breached.
Lesson Two: Look for Compromised Credentials
The individuals who attacked Bangladesh Bank didn’t just hack the institution itself. Rather, they used the breached institution to leverage an additional attack on a network known as SWIFT. SWIFT is a system of record that governs transactions between banks—SWIFT transactions don’t contain money, but rather a set of instructions for money to be sent to particular accounts in certain amounts.
SWIFT’s credentialing system could use a little work, however. It appears that Bangladesh Bank’s LAN wasn’t segmented from SWIFT in any way, meaning that anyone that owned their LAN network also owned their SWIFT credential. There’s another lesson for security professionals. By hacking a £10 router, attackers instantly gained access to a network that controls billions of pounds. If one of your privileged accounts is breached, how much havoc can be wreaked by the insider threat?
Lesson Three: Make Sure Your Endpoint Protection Watches for Misbehaving Software
In order to send and receive instructions using SWIFT, banks use a messaging application known as Alliance Access. This program was the hackers’ ultimate target. Using malware, they were able to modify the program so that it no longer checked the integrity of the files that were sent through it. In addition, they would scan the transactions that Alliance would write and receive every day, and modify them in turn. Certain messages were changed to increase the amount of money going to certain accounts. Others changed the messages confirming when amounts were received. Lastly, the attackers deleted part of the Oracle database where the transaction records were stored.
Now, it’s unclear whether Bangladesh Bank was running any kind of anti-virus software (per the BAE report, we can perhaps safely assume that they were not). Even if they were funning antivirus, however, they may not have been able to detect the kind of malware that was used against them. According to BAE, the attackers used custom software to infect the Alliance Access messaging client. As custom malware, by definition, hasn’t been seen before in the wild, signature-based endpoint protection would have had difficulty generating an alert.
Security professionals cannot afford to wait until their attackers make a typo. The lesson to draw from the SWIFT hack is not that Bangladesh Bank was an easy target. Rather, it was the easiest target in a target-rich environment. Once inside Bangladesh Bank’s perimeter, the attackers were able to modify mission-critical software at will, in a way that standard endpoint protection would have been completely unable to identify. The lesson is clear: security professionals must invest in tools that detect malware based on its behavior, not on its signature.
To learn more about JTSecurity Managed Detection and Response Service, and how our next-gen endpoint protection product helps to identify malware and conduct digital forensics, contact the team today.
