Thursday, March 28, 2024

Famous Indian Bank SWIFT/ATM System Hacked – Hackers Stolen US$13.5 Million – A High Profile Cyber Attack

North Korean APT hackers group Lazarus attempting high profile SWIFT/ATM Attack on Cosmos Bank in India and stolen over US$13.5( INR 78 Crore) million.

Cosmos Bank is one of the second largest banks in India, it’s a 112-year-old cooperative bank and the bank is headquartered in Pune India.

Cyber Criminals targeted the bank’s ATM switch server SWIFT system via Malware infection and stole details of VISA and Rupay ATM cards on August 11 and 13.

In this case, Attackers have withdrawn Money “physically” from 28 countries including the UK, USA, Russia and the UAE using cloned ATM cards.

This is one of the well-planned and more advanced cyber Attack with a highly-coordinated operation that focused on the bank’s infrastructure, effectively bypassing the three main layers of defense per Interpol Banking/ATM attack mitigation guidance.

According to Jyotipriya Singh, Cybercrime DCP, The hackers must have done some kind of “recce” (study) of the bank’s system, “We suspect that the bank must have received some sort of alerts before the attack and we are waiting for the security audit report from the bank,”

How Did Hackers Compromise the ATM/SWIFT System

Attackers Intially using multiple targeted malware to breaking the connection between the Central and the backend/Core Banking System along with malicious ATM/POS switch in order to compromise an ATM Modality.

Once hackers take over the existing Central using Malicious Central, they make changes to the target account balances and enable the withdrawals such as foreign-to-EFT, standing-in, etc.

After these changes in ATM Modality, threat actor authorize to access the ATM and withdrawals for over US$11.5 million in 2849 domestic (Rupay) and 12,000 international (Visa) transactions using 450 cloned (non-EMV) debit cards in 28 countries.

Apart from this, attackers able to send fake Transaction Reply (TRE) using malicious-Central (malicious ATM/POS switch) and also it enables the malicious withdrawals and impacted the fraud detection capabilities on the banking backend.

Attack Continuity to SWIFT Modality

Later attacker moving into Cosmos Bank SWIFT and compromise it by sending three malicious MT103 to ALM Trading Limited at Hang Seng Bank.

Unlike other SWIFT and ATM attacks such as card-not-present (CNP), jackpotting, or blackboxing fraud, it is one of the most advanced attacks.

According to securonix, Based on our experience with real-world attacks involving ATM and SWIFT, following the initial compromise, attackers most likely either leveraged the vendor ATM test software or made changes to the currently deployed ATM payment switch software to create a malicious proxy switch.

Using this  Technique, When the attacker sends from the payment switch to perform an authorized traction were never forwarded to CBS so the checks on card number, card status (Cold, Warm, Hot), PIN, and more were never performed.

Mitigation Steps to Detect Banking environment Cyberattack 

  • Suspicious Transaction Activity – Targeted – Frontend and backend Transaction Discrepancy Analytic (This can be used to help detect malware activity utilized to compromise ATM switches e.g. where TR enters a payment switch but never leaves for authorization etc.)
  • Suspicious SWIFT Endpoint Activity – Rare SAA Process/MD5 Analytic
  • Suspicious SWIFT Activity – Amount – Unusual 103 For Source Analytic
  • Suspicious ATM Activity – Peak Sequential Non-EMV Transactions For ATM Source Analytic
  • Suspicious Network Activity – Amount – Unusual PCCR Changes Analytic (This can be used to help detect unusual changes in the behavior of the ATM switches from a network perspective.)
  • Suspicious ATM Activity – Peak EMV Fallbacks to Magstripe Analytic
  • Suspicious Network Activity – Rare Outbound Network Connection For Host Analytic (This can be used to help detect attack activity associated with the compromised ATM switch.)
  • Suspicious ATM Activity – Peak *On-Us Transaction Volume For PAN Analytic
  • Suspicious ATM Activity – Amount – Unusual Foreign Cash-out Volume Analytic
  • Suspicious Transaction Activity – Targeted – Cash Withdrawal Limit Elimination Analytic – Malicious threat actors manually changing cash withdrawal limits
  • Suspicious Process Activity – Rare Scheduled Task For Host Analytic (This is an example that can be used to detect one of the common techniques leveraged by Lazarus Group to which the attacks were attributed.)
  • Suspicious Process Activity – Targeted – Executable File Creation Analytic
  • Also, you can read Advanced ATM Penetration Testing Methods
Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles