Monday, December 4, 2023

Famous Indian Bank SWIFT/ATM System Hacked – Hackers Stolen US$13.5 Million – A High Profile Cyber Attack

North Korean APT hackers group Lazarus attempting high profile SWIFT/ATM Attack on Cosmos Bank in India and stolen over US$13.5( INR 78 Crore) million.

Cosmos Bank is one of the second largest banks in India, it’s a 112-year-old cooperative bank and the bank is headquartered in Pune India.

Cyber Criminals targeted the bank’s ATM switch server SWIFT system via Malware infection and stole details of VISA and Rupay ATM cards on August 11 and 13.

In this case, Attackers have withdrawn Money “physically” from 28 countries including the UK, USA, Russia and the UAE using cloned ATM cards.

This is one of the well-planned and more advanced cyber Attack with a highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.

According to Jyotipriya Singh, Cybercrime DCP, The hackers must have done some kind of “recce” (study) of the bank’s system, “We suspect that the bank must have received some sort of alerts before the attack and we are waiting for the security audit report from the bank,”

How Did Hackers Compromise the ATM/SWIFT System

Attackers Intially using multiple targeted malware to breaking the connection between the Central and the backend/Core Banking System along with malicious ATM/POS switch in order to compromise an ATM Modality.

Once hackers take over the existing Central using Malicious Central, they make changes to the target account balances and enable the withdrawals such as foreign-to-EFT, standing-in, etc.

After these changes in ATM Modality, threat actor authorize to access the ATM and withdrawals for over US$11.5 million in 2849 domestic (Rupay) and 12,000 international (Visa) transactions using 450 cloned (non-EMV) debit cards in 28 countries.

Apart from this, attackers able to send fake Transaction Reply (TRE) using malicious-Central (malicious ATM/POS switch) and also it enables the malicious withdrawals and impacted the fraud detection capabilities on the banking backend.

Attack Continuity to SWIFT Modality

Later attacker moving into Cosmos Bank SWIFT and compromise it by sending three malicious MT103 to ALM Trading Limited at Hang Seng Bank.

Unlike other SWIFT and ATM attacks such as card-not-present (CNP), jackpotting, or blackboxing fraud, it is one of the most advanced attacks.

According to securonix, Based on our experience with real-world attacks involving ATM and SWIFT, following the initial compromise, attackers most likely either leveraged the vendor ATM test software or made changes to the currently deployed ATM payment switch software to create a malicious proxy switch.

Using this  Technique, When the attacker sends from the payment switch to perform an authorized traction were never forwarded to CBS so the checks on card number, card status (Cold, Warm, Hot), PIN, and more were never performed.

Mitigation Steps to Detect Banking environment Cyberattack 

  • Suspicious Transaction Activity – Targeted – Frontend and backend Transaction Discrepancy Analytic (This can be used to help detect malware activity utilized to compromise ATM switches e.g. where TR enters a payment switch but never leaves for authorization etc.)
  • Suspicious SWIFT Endpoint Activity – Rare SAA Process/MD5 Analytic
  • Suspicious SWIFT Activity – Amount – Unusual 103 For Source Analytic
  • Suspicious ATM Activity – Peak Sequential Non-EMV Transactions For ATM Source Analytic
  • Suspicious Network Activity – Amount – Unusual PCCR Changes Analytic (This can be used to help detect unusual changes in the behavior of the ATM switches from a network perspective.)
  • Suspicious ATM Activity – Peak EMV Fallbacks to Magstripe Analytic
  • Suspicious Network Activity – Rare Outbound Network Connection For Host Analytic (This can be used to help detect attack activity associated with the compromised ATM switch.)
  • Suspicious ATM Activity – Peak *On-Us Transaction Volume For PAN Analytic
  • Suspicious ATM Activity – Amount – Unusual Foreign Cash-out Volume Analytic
  • Suspicious Transaction Activity – Targeted – Cash Withdrawal Limit Elimination Analytic – Malicious threat actors manually changing cash withdrawal limits
  • Suspicious Process Activity – Rare Scheduled Task For Host Analytic (This is an example that can be used to detect one of the common techniques leveraged by Lazarus Group to which the attacks were attributed.)
  • Suspicious Process Activity – Targeted – Executable File Creation Analytic
  • Also, you can read Advanced ATM Penetration Testing Methods

Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles