Where could the vulnerabilities have come from in the $81m Bangladesh Bank cyber heist?

Relying on poor spelling should not be a security policy.

The banking industry has been shaken after $81m was stolen from the Bangladesh Bank’s account with the Federal Reserve Bank of New York last month through a cyber attack.

Banks have been constantly attempting to improve cyber security in the face of more sophisticated and more aggressive attacks, but these efforts just do not seem to suffice, as proven by the recent mayhem. What’s more alarming is the fact that the attack was halted not by proper cyber security systems in place, but by a spelling mistake by the attackers themselves. Clearly, this could well be one of the biggest cyber bank heists in history.

We talked to some experts in online security software, and one of them compared this financial attack with the Carbanak hacking group incident in 2015. In both incidents, the hackers infiltrated the network to hijack the powerful privileged credentials to gain the highest level of insider access.

Another expert shared about the Gootkit malware, which is seen in attacks Israel, Egypt, US, Canada, Sri Lanka and New Zealand. Gootkit is a JavaScript based malware which uses web-injects, recording actions and utilizes a unique persistency mechanism in order to steal user credentials on infected machine.

Here's what they have to say:

Andrey Dulkin, Senior Director of Cyber Innovation, CyberArk Labs
The cyber attack that resulted in the theft of $80M from the Bangladesh Central Bank (BCB) is the latest example of how the financial industry is being rocked by cyber-criminals. Businesses are continuously failing in dealing with attackers that exploit both human fallacies and network vulnerabilities to cause damage and reap financial gains.

While the full impact of the attack (the attackers intended to steal as much as $1B!) was avoided due to the attackers’ mistake, relying on poor spelling should not be a security policy.

This most recent financial attack – believed to have been one of the largest bank heists ever – is similar in nature to the Carbanak hacking group that allegedly stole more than $1 billion from financial institutions in 2015.

The common denominator in both cases is that the attackers got inside the network and proceeded to hijack the powerful privileged credentials to gain the highest level of insider access.

With this level of access, cyber attackers can reside inside of the banking network without detection to conduct the espionage needed to carry out their attacks. Once inside, cyber criminals sit and study employee behaviour and banking procedures to steal money in the most expeditious way possible.

With Carbanak, it was through fraudulent ATM, cash transactions and money transfers. In the case of the BCB, it came in the form of a series of transfer requests across the global banking system.

It is clear that there are multiple privileged accounts involved in such attacks. They include both the accounts of system administrators and application accounts that would enable an attacker to operate inside the network, but also the accounts of those bank officials who have the permissions to initiate such high-volume transfers. Attackers look for the credentials that would enable them to reach their goals, which change and evolve in the course of attackers’ activity in the network.

Failure to secure these powerful credentials and monitor their activity exposes the network to a whole range of attacks and prevents any chance of successful mitigation.

If the Bangladesh Bank had been monitoring the activity of these accounts, it could have quickly identified the anomalous behaviour and not have been completely reliant on the Federal Reserve Bank of New York, Deutsche Bank, or any other third party to flag suspicious activity.

We can expect attacks of this nature to become more aggressive and cyber attackers in general to become bolder and more audacious, going after bigger targets for greater sums.

Financial institutions must take the steps necessary to prevent attackers from using their own internal credentials against them to operate inside the network and achieve their nefarious goals.

Employing multi-factor authentication, controlling and monitoring the use of privileged accounts, detecting potentially malicious behaviour and quickly responding to alerts should be at the core of security practices employed by organizations to mitigate such attacks.

Lim Chin Keng, Director of Security Solutions, APAC, F5 Networks
The recent cyber heist demonstrates how cybercrime has grown in sophistication and gumption. From ransomware to malware exploiting weaknesses in systems, applications and browsers, techniques are varied and constantly challenge the status quo. 

Today, the creativity of the attacks and the process by which cybercriminals are planning and carrying out their attacks definitely show how cybercriminals have stepped up their game.

To consider how sophisticated malware has become, F5’s Security Operations Centre recently detected that Gootkit malware had started to examine new areas around the world.

Our most recent investigation tracked it to attacks seen in Israel, Egypt, US, Canada, Sri Lanka and New Zealand. Gootkit is a JavaScript based malware which uses web-injects, recording actions and utilizes a unique persistency mechanism in order to steal user credentials on infected machine.

Unlike other financial Trojans, Gootkit performs preparation by using video recording functionality before it is launching actual attacks on financial institutions websites. This allows the fraudster to study the internal processes of financial transactions within a bank and look for gaps in approval processes.