Friday, November 1, 2024
HomeComputer SecurityFamous Indian Bank SWIFT/ATM System Hacked - Hackers Stolen US$13.5 Million -...

Famous Indian Bank SWIFT/ATM System Hacked – Hackers Stolen US$13.5 Million – A High Profile Cyber Attack

Published on

Malware protection

North Korean APT hackers group Lazarus attempting high profile SWIFT/ATM Attack on Cosmos Bank in India and stolen over US$13.5( INR 78 Crore) million.

Cosmos Bank is one of the second largest banks in India, it’s a 112-year-old cooperative bank and the bank is headquartered in Pune India.

Cyber Criminals targeted the bank’s ATM switch server SWIFT system via Malware infection and stole details of VISA and Rupay ATM cards on August 11 and 13.

- Advertisement - SIEM as a Service

In this case, Attackers have withdrawn Money “physically” from 28 countries including the UK, USA, Russia and the UAE using cloned ATM cards.

This is one of the well-planned and more advanced cyber Attack with a highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.

According to Jyotipriya Singh, Cybercrime DCP, The hackers must have done some kind of “recce” (study) of the bank’s system, “We suspect that the bank must have received some sort of alerts before the attack and we are waiting for the security audit report from the bank,”

How Did Hackers Compromise the ATM/SWIFT System

Attackers Intially using multiple targeted malware to breaking the connection between the Central and the backend/Core Banking System along with malicious ATM/POS switch in order to compromise an ATM Modality.

Once hackers take over the existing Central using Malicious Central, they make changes to the target account balances and enable the withdrawals such as foreign-to-EFT, standing-in, etc.

After these changes in ATM Modality, threat actor authorize to access the ATM and withdrawals for over US$11.5 million in 2849 domestic (Rupay) and 12,000 international (Visa) transactions using 450 cloned (non-EMV) debit cards in 28 countries.

Apart from this, attackers able to send fake Transaction Reply (TRE) using malicious-Central (malicious ATM/POS switch) and also it enables the malicious withdrawals and impacted the fraud detection capabilities on the banking backend.

Attack Continuity to SWIFT Modality

Later attacker moving into Cosmos Bank SWIFT and compromise it by sending three malicious MT103 to ALM Trading Limited at Hang Seng Bank.

Unlike other SWIFT and ATM attacks such as card-not-present (CNP), jackpotting, or blackboxing fraud, it is one of the most advanced attacks.

According to securonix, Based on our experience with real-world attacks involving ATM and SWIFT, following the initial compromise, attackers most likely either leveraged the vendor ATM test software or made changes to the currently deployed ATM payment switch software to create a malicious proxy switch.

Using this  Technique, When the attacker sends from the payment switch to perform an authorized traction were never forwarded to CBS so the checks on card number, card status (Cold, Warm, Hot), PIN, and more were never performed.

Mitigation Steps to Detect Banking environment Cyberattack 

  • Suspicious Transaction Activity – Targeted – Frontend and backend Transaction Discrepancy Analytic (This can be used to help detect malware activity utilized to compromise ATM switches e.g. where TR enters a payment switch but never leaves for authorization etc.)
  • Suspicious SWIFT Endpoint Activity – Rare SAA Process/MD5 Analytic
  • Suspicious SWIFT Activity – Amount – Unusual 103 For Source Analytic
  • Suspicious ATM Activity – Peak Sequential Non-EMV Transactions For ATM Source Analytic
  • Suspicious Network Activity – Amount – Unusual PCCR Changes Analytic (This can be used to help detect unusual changes in the behavior of the ATM switches from a network perspective.)
  • Suspicious ATM Activity – Peak EMV Fallbacks to Magstripe Analytic
  • Suspicious Network Activity – Rare Outbound Network Connection For Host Analytic (This can be used to help detect attack activity associated with the compromised ATM switch.)
  • Suspicious ATM Activity – Peak *On-Us Transaction Volume For PAN Analytic
  • Suspicious ATM Activity – Amount – Unusual Foreign Cash-out Volume Analytic
  • Suspicious Transaction Activity – Targeted – Cash Withdrawal Limit Elimination Analytic – Malicious threat actors manually changing cash withdrawal limits
  • Suspicious Process Activity – Rare Scheduled Task For Host Analytic (This is an example that can be used to detect one of the common techniques leveraged by Lazarus Group to which the attacks were attributed.)
  • Suspicious Process Activity – Targeted – Executable File Creation Analytic
  • Also, you can read Advanced ATM Penetration Testing Methods
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...

ClickFix Malware Infect Website Visitors Via Hacked WordPress Websites

Researchers have identified a new variant of the ClickFix fake browser update malware distributed...

IcePeony Hackers Exploiting Public Web Servers To Inject Webshells

IcePeony, a China-nexus APT group, has been active since 2023, targeting India, Mauritius, and...