Bank-Hacking Malware Threatens Global Financial Institutions

Over ten thousand banks and financial institutions are being urged to remain vigilant after the secure Swift (Society for Worldwide Interbank Financial Telecommunication) system – used to send messages between global firms – was reportedly compromised by the sophisticated hacking scheme that targeted the Bangladesh central bank in March 2016.

IT security experts from ESET, Proofpoint and Lieberman Software provide commentary.

Mark James, Security Specialist at ESET:

“Any successful malware attack is a very real threat to happen again no matter where it is. Malware is typically a “keep trying” business model and with so many financial organisations using all manner of both good and bad security measures, it only takes one weak link in this industry to provide a wealthy return. Even taking something that has worked before and adapting it for another market or country is often a low cost opportunity to reuse a working model.”

With so many vectors making up the whole security bubble for these organisations, it’s extremely difficult to ensure all the systems are safe and watertight. On top of that, financial services are a very rewarding target if successfully breached. With malware getting more and more complex these days the only way to stay safe is to keep ahead of the bad guys. Data monitoring and segregation has to be in place to not only be on the lookout for anything suspicious as it happens but also to limit access to systems in the case of a compromise. Keeping your operating systems, software and (hardware) firmware updated needs to be a high priority alongside ensuring your staff are incorporated into your security regime.

With so many individual points of failure it only takes one to be successful for malware to gain control. If the very basics of security are not being adhered to, like firewalls and user or staff education, then you are basically handing your companies innermost secrets over for all. For security to be effective it has to be moulded into your individual means, a global or broad program is ok as a basic start but you can’t allow it to be your only means of defence, you need to take that as a starting point and expand or manipulate it to fit your needs.”

Kevin Epstein, VP, Threat Operations Centre at Proofpoint:

“From Stuxnet to Zeus and earlier, there’s a longstanding trend of re-use of malware tactics and code. Given the level of investment and sophistication of the attack, it seems extremely likely that similarly themed campaigns will be attempted – re-emphasizing the need for frontline targeted attack protection and threat response systems.

Multi-layer defenses using modern techniques are crucial.  Attackers are constantly innovating, seeking weaknesses; defenders should invest in innovative defenses accordingly. It’s at least as important to deploy new defenses against inbound targeted attack vectors such as email, mobile, and social networks as it is to reinforce deep interior systems code; in other words, best practice is to conclusively secure external doors and windows as well as worrying about better interior desk drawer locks.

While the malware in question appears to represent an unusually large and specific investment on the part of the attackers, the premise is similar to that used by mainstream malware actors; infiltrate and intercept, a strategy comparable to that used with Dridex and other banking Trojans. A multi-layered defense would ensure that many such attacks could be – and have been – blocked at the point of infiltration, using targeted attack protection and threat response systems applied to email, social media, mobile devices and other inbound threat vectors.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:

“The specific attack on the Swift bank messaging system that was compromised in Bangladesh is not likely to appear in US or UK banks, but the damages from attacks on that system very well could. Like so many other systems today, the global banking system is interconnected in so many ways that the chain truly is broken through one weak link. The losses in Bangladesh were $81m (£56m, €71m), but you have to imagine that will have ripples in other banks doing business there and elsewhere because of how things work in a global economy. The cybersecurity of those you do business with is no longer a curiosity, it’s a critical risk you must understand and address.

The best thing banks can do to protect themselves from the sort of damage that is likely here is to review and understand how they set the bar for doing business with partners. The executives in any business are very good at seeing the revenue potential of new business partners and tend to see putting in provisions for starting those partnerships as bad ideas that decrease how nimble they are. But if the new partner is using $10 routers and no firewalls to run critical IT systems that you will now be directly dependent upon, wouldn’t you want to know that before signing any contracts? Basic cybersecurity practices will soon become as common sense to business partnerships as basic insurance coverage is today.

BAE casually mentions in their reporting of the Bangladesh central bank incident that the attackers original intent was to steal credentials. Security experts have come to assume that attackers go after credentials first as their gateway to getting all the good stuff an organization may have to steal, but everyday practitioners still seem stuck on firewalls and other security basics. Of course, these folks apparently had little to no firewall to speak of, but that only doubly highlights that with no wall to keep a bad guy out the first thing they’re after when they get in are the credentials.”