BB/SWIFT Cyber Attack - An emerging threat

Guidance and offerings

14 May 2016

Page 2 SWIFT security advisory

Background & Overview

► The recently reported cyber-attack on Bangladesh Bank's on-premise SWIFT system is notable because fraudulent SWIFT messages were sent seeking to transfer $951 million

► $81 million transferred to a bank in Philippines, much of which remains unrecovered

► Accomplished by determined and highly sophisticated cyber criminals using custom malware and APT techniques

► The reported malware has been found in the wild; stealthier variations are likely to appear soon and are highly likely to affect banks and financial institutions using SWIFT

► SWIFT has advised clients to review and enhance the Security Controls on the SWIFT infrastructure

► Infiltrators have gone beyond focusing on credit card details

► They have long-term strategies, aiming to interfere with large-scale financial transactions

► Today’s cybercriminals are well-funded and organized, with the patience to infiltrate companies’ systems over time

► Organizations should consider their readiness for, and the impact of, such an attack on their own systems and financial assets

► This document provides a brief overview of the security controls recommended for:

► Customer implementation of the customer-managed SWIFT interface

► The underlying components required to connect to the SWIFT network

► along with EY services and guidance to help clients address this risk

Payment Systems - Cyber Risk (diagram): the attack chain runs Reconnaissance, Weaponization, Delivery, Exploitation, Command & Control, Financial Theft; the infection stages represent Infection Risk and the later stages Business Risk.

This document was created for situational awareness only. It is intended solely for EY clients and should not be shared with any other parties. EY assumes no responsibility to any user of the information contained herein. Research for this product was completed via open source channels. Analysis included in this document is current as of May, 2016, and could change as more information becomes public.

Page 3 SWIFT security advisory

Bangladesh Bank/SWIFT Cyber Attack, 2016

Timeline: May 2015 to the latest developments in 2016

May 2015

► 4 fake accounts opened at RCBC Bank Manila

► Apparently with fake documents/signatures

Oct — 2015

► Bangladesh Bank (BB) goes live with a major tech upgrade and enables STP/RTGS

► Hackers target BB and send emails with malware attachments

► Malware harvests intelligence on BB's cash payment policy and procedures and its transfer order protocol

4 and 5 Feb 2016 (a BB holiday), using stolen credentials

► Hackers generate payment orders via SWIFT to the NY Fed

► 35 SWIFT transfers (US$951m) to Sri Lanka/Philippines

► The Fed did not process 30 of the transfers; it processed 5 (US$101m)

► 1 to a Sri Lankan NGO (US$20m), blocked because of a spelling error in the recipient name

► 4 to RCBC Philippines (US$81m) went through

US$81m laundered within Philippines

► Deposited, then routed via personal and money remittance company accounts

► Subsequently moved to a number of casino accounts in the Philippines

► Breached printer at BB: the previous day's transactions could not be printed and reconciled

► During this time the RCBC branch security cameras were out of order

BB notices the discrepancy

► A routing bank query (Deutsche Bank) prompted BB

► Recognized on Saturday; BB could not reach the Fed during the US weekend

► To complicate things, Monday 8 Feb was Chinese New Year in the Philippines

► High-value transactions to casinos are common and typically go unnoticed

► Per regulations, dollar remittances entering the Philippines have to pass through correspondent banks in the US

► In this case Citi, Wells Fargo, Mellon etc.

► BB issues stop orders

11 Feb

► BB requests Philippines Central Bank for help

29 Feb 2016

► Philippines Court petitioned to freeze accounts at RCBC Bank

► Order issued on 1 March

► Reports of multiple banks being hit by similar attacks, especially in Latin America, with theft upwards of US$10m per bank

► Laundering currently being investigated by the Philippine senate

► Two Chinese nationals in the gambling business in Macau and the Philippines are being interrogated

► Investigators have identified 12 Philippine and 8 Sri Lankan nationals

Page 4 SWIFT security advisory

Technical account of the Cyber Attack

► Custom malware was submitted to a malware repository by a user in Bangladesh

► C2 server based in Egypt (may be a hijacked zombie host)

► The malware appears to be part of a broader attack toolkit; 4 samples were identified, all apparently created by the same actor(s)

► Recon and suspicious log-in activity

  ► First log-in on 24 Jan, lasting ~60 seconds

  ► Operated as local admin

  ► Sysmon installed on compromised systems

  ► Log-in activity continued until 6 Feb, all for short periods of time

  ► The attackers forgot to erase the Sysmon log files one day

► BB seems to have 2 SWIFT environments

  ► SWIFTLIVE and SWIFTUAT

  ► Both were breached

  ► SWIFTLIVE was connected to 3 back-office servers

► Reported malware

  ► Found on a known malware repository

  ► Uploaded from Bangladesh, compiled in Jan 2016

  ► Found to operate within SWIFT’s Alliance suite, powered by Oracle DB

  ► The main purpose of the malware seems to be to inspect SWIFT messages; it is used to

    ► Parse and search for certain strings

    ► Delete specific transactions

    ► Update transaction amounts

    ► Tamper with balance reporting messages

    ► Monitor logins

    ► Manipulate the printer

► The payload was tailor-made for this context and demonstrates a very high level of knowledge of

  ► Business process

  ► SWIFT Alliance software

  ► Malware coding skills

► New risk: SWIFT recently launched SWIFT Web Access, which may be the starting point for phishing campaigns to compromise SWIFT credentials (clients using it have to be on high alert)
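The tampering capabilities listed above (deleted transactions, altered amounts, doctored balance reports) all act on the local message store, so one practical control is to reconcile that store against an independent copy of what was actually sent. The following is an added example, not code from the deck, from EY or from SWIFT: it parses constructed MT103-style outbound messages from two sources, an off-host copy assumed to be forwarded at send time to a server the interface cannot write back to, and the local interface journal, and reports entries that were deleted or altered. References, accounts and amounts are constructed for illustration.

```python
import re
from decimal import Decimal

# Constructed sample data: three outbound MT103-style messages as forwarded to an
# off-host, append-only store at send time (assumed to be outside the attacker's reach).
OFFHOST_COPY = """\
:20:TXN001
:32A:160204USD20000000,00
:59:/CONSTRUCTED-ACCT-1
SAMPLE BENEFICIARY ONE

:20:TXN002
:32A:160204USD30000000,00
:59:/CONSTRUCTED-ACCT-2
SAMPLE BENEFICIARY TWO

:20:TXN003
:32A:160205USD25000000,00
:59:/CONSTRUCTED-ACCT-3
SAMPLE BENEFICIARY THREE
"""

# Constructed local journal as read back from the interface database: TXN002 has had
# its amount reduced and TXN003 has been deleted, mirroring the tampering described above.
LOCAL_JOURNAL = """\
:20:TXN001
:32A:160204USD20000000,00
:59:/CONSTRUCTED-ACCT-1
SAMPLE BENEFICIARY ONE

:20:TXN002
:32A:160204USD3000000,00
:59:/CONSTRUCTED-ACCT-2
SAMPLE BENEFICIARY TWO
"""

FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")
AMOUNT_RE = re.compile(r"^(\d{6})([A-Z]{3})(\d+,\d*)$")


def parse_32a(value):
    """Split a :32A: value (YYMMDD + ISO currency + amount with comma decimal)."""
    m = AMOUNT_RE.match(value)
    if not m:
        raise ValueError(f"malformed :32A: field: {value!r}")
    date, currency, amount = m.groups()
    return date, currency, Decimal(amount.replace(",", "."))


def parse_messages(blob):
    """Parse blank-line separated messages into a dict keyed by the :20: reference."""
    messages = {}
    for block in blob.strip().split("\n\n"):
        fields, tag = {}, None
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                tag, value = m.groups()
                fields[tag] = value
            elif tag is not None:  # continuation line of a multi-line field such as :59:
                fields[tag] += "\n" + line
        if "20" not in fields or "32A" not in fields:
            raise ValueError("message is missing the :20: or :32A: field")
        date, currency, amount = parse_32a(fields["32A"])
        messages[fields["20"]] = {
            "date": date, "currency": currency, "amount": amount,
            "beneficiary": fields.get("59", ""),
        }
    return messages


def reconcile(offhost, local):
    """Compare the trusted off-host copy against the local journal.

    Returns a list of finding tuples; an empty list means the two stores agree.
    """
    findings = []
    for ref, sent in offhost.items():
        kept = local.get(ref)
        if kept is None:
            findings.append(("missing_locally", ref))
        elif (kept["currency"], kept["amount"]) != (sent["currency"], sent["amount"]):
            findings.append(("amount_mismatch", ref, sent["amount"], kept["amount"]))
        elif kept["beneficiary"] != sent["beneficiary"]:
            findings.append(("beneficiary_mismatch", ref))
    for ref in local:
        if ref not in offhost:  # shown by the interface but never forwarded at send time
            findings.append(("not_in_offhost_copy", ref))
    return findings


def total_amount(messages):
    """Sum of all amounts; compare against the balance-report total the interface shows."""
    return sum((m["amount"] for m in messages.values()), Decimal("0"))


if __name__ == "__main__":
    offhost = parse_messages(OFFHOST_COPY)
    local = parse_messages(LOCAL_JOURNAL)
    for finding in reconcile(offhost, local):
        print(*finding)
    print("off-host total:", total_amount(offhost), "local total:", total_amount(local))
```

The check only has value if the off-host copy is written by something the interface host cannot alter afterwards (the deck's "commit all SWIFT logs to another server"); a copy kept on the same Oracle database the malware operated in would be tampered along with the journal.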

Page 5 SWIFT security advisory

Security controls across customer infrastructure

Security controls for the SWIFT infrastructure (customer infrastructure), as shown in the diagram:

► Connectivity

► Network segregation

► Administration and application accounts

► Secure browsing

► Logging

► Reconciliation

► Backups

► Resilience

What is SWIFT saying …

1. Press release on 25 April 2016

2. No impact on SWIFT’s network or core messaging services

3. The malware is designed to hide traces of fraudulent payments from customers’ local DB

4. It can only be installed on users’ local systems after successfully identifying and exploiting weaknesses in their local security

5. The key defense remains for users to implement appropriate security measures in their local environments, in particular those used to access SWIFT

6. Protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems

Page 6 SWIFT security advisory

Key Observations and Takeaways

In hindsight, there are a number of security lessons to be learnt by studying this incident

Observations and takeaways

► As much as they are overhyped, zero-day APT attacks are a reality

► Notionally a private network and historically considered fully secure; this attack challenges that assumption

► Attackers carefully planned evasion, e.g. using Sysmon for recon and erasing logs

► Incidents unfold in a very slow manner

► Protection, detection and response capabilities are equally important

► Effectiveness and adequacy of basic operational security and internal controls are fundamental

► Technology transitions can introduce vulnerabilities and threats

► Typical SWIFT reviews are focused on application or IT general controls and do not include all environment risks of SWIFT

► Shows careful and advanced planning

► Accounts were opened last year

► Money was laundered through casinos in the Philippines, which are exempt from reporting suspicious transactions, making them attractive for this type of crime

► Business checks were evaded by tampering with IT systems

► The profile of the organization does not matter; what matters is the potential of the attack

► Limited understanding of the shared responsibility between clients and SWIFT

Page 7 SWIFT security advisory

Key questions for the board and C-Suite

Have you considered how a similar cyber attack could impact your bank?

Readiness and transparency

1. When was the most recent SWIFT/fund transfer process audit done?

2. What were the previously identified concerns/deficiencies and management's actions to correct audit observations?

3. How thoroughly have we assessed our SWIFT cyber risk?

4. What were the recent changes to the SWIFT system or EFT activities, and when were they made?

Detection and response

1. What monitoring and detection processes are in place?

2. Have we exercised our ability to respond to a cyber attack, up to Board level?

Page 8 SWIFT security advisory

EY recommends a five step continuous improvement process to effectively manage cyber attack risk:

► Re-align

► Know your environment and check gaps

► Assume breaches will occur

► Bring in an independent specialist to help

► Re-fresh

► Ensure Management & Board understands current security posture of SWIFT Environment

► Enhance protection where possible

1. Funds transfer process analysis

2. Dataflow analysis: trace SWIFT messaging data from points of input to points of output; determine all places where message data originates, is transported, and is stored

3. Classic IT Controls — Access and Change Review

4. Technical security assessment of SWIFT infrastructure:

Perform a pro-active, structured and “context aware” cyber assessment, with knowledge of

► Business Process

► Applications in use

► Underlying Infrastructure

► Traffic Patterns and

► User activity

a. Minimum Review

i. Security of all systems and locations where you receive or send data to SWIFT System

ii. Host platform vulnerabilities and Communication

iii. Network Architecture and Segregation

iv. Monitoring activity on individual systems & network

b. Complex — Anomaly Detection

i. Perform Network traffic behavior anomaly analysis to identify unusual events or trends

ii. Correlate traffic flow patterns and network performance data

iii. Review unusual patterns of computing and user activity

Create or improve a SWIFT-specific response plan

► Document or Update your escalation points and Incident response contacts

► Develop do's and don’ts post breach detection

Use external team with strong Business & Security expertise to

► Identify weaknesses in SWIFT Controls and Security

► Provide an objective opinion on the Security Posture

► Expand the SWIFT audit to cover all components of the SWIFT environment, beyond application and general controls

► Increase frequency of SWIFT review to include Pen Testing & detailed technical review

► Consider Outsourcing SWIFT IT Operations to enhance on-premise security

► Identify granular Controls for Hosts, Network and End points part of SWIFT Infrastructure

► Enrich security Monitoring of the SWIFT environment

► Test your incident response process

► Document dispute management process

► Enhance the security log data collection and storage process, e.g. commit all SWIFT logs to another server

► Start building baseline for Behavioral Anomaly detection

► Use Payment Analytics for fraud detection
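An added example, not from the deck or from EY, of what a behavioural baseline for SWIFT host logins could look like, built around the pattern the deck describes: brief local-admin sessions at odd hours and on a bank holiday, from an account whose normal day looks nothing like that. It is Python over constructed session records; the user names, host name, holiday calendar, business hours and thresholds are assumptions.

```python
from datetime import date, datetime, timedelta
from statistics import median

# Constructed holiday calendar; the deck notes the fraudulent orders went out on a BB
# holiday (4 and 5 Feb), when nobody was expected to be working on the SWIFT hosts.
HOLIDAYS = {date(2016, 2, 4), date(2016, 2, 5)}
BUSINESS_HOURS = range(8, 18)           # 08:00-17:59 local time, assumed
SHORT_PRIVILEGED_SECONDS = 180          # privileged sessions shorter than this are suspicious


def _session(sid, user, host, login, minutes, seconds=0, privileged=False):
    """Build one constructed session record from an ISO login time and a duration."""
    start = datetime.fromisoformat(login)
    return {"id": sid, "user": user, "host": host, "privileged": privileged,
            "login": start, "logout": start + timedelta(minutes=minutes, seconds=seconds)}


def constructed_history():
    """Two weeks of routine weekday sessions used to build the per-user baseline."""
    history = []
    for day in (11, 12, 13, 14, 15, 18, 19, 20, 21, 22):      # Jan 2016 weekdays
        history.append(_session(f"h-ops1-{day}", "ops1", "SWIFTLIVE-01",
                                f"2016-01-{day:02d}T09:05:00", 28))
        history.append(_session(f"h-ops2-{day}", "ops2", "SWIFTLIVE-01",
                                f"2016-01-{day:02d}T14:00:00", 35))
    return history


# Constructed recent sessions: s1 mirrors the deck's first sighting (a ~60 second local
# admin login, here on a Sunday night), s2 a short privileged login on the holiday,
# s3 is routine, s4 is an account that has no baseline at all.
RECENT = [
    _session("s1", "ops1", "SWIFTLIVE-01", "2016-01-24T02:10:00", 1, 2, privileged=True),
    _session("s2", "ops1", "SWIFTLIVE-01", "2016-02-04T10:00:00", 1, 30, privileged=True),
    _session("s3", "ops2", "SWIFTLIVE-01", "2016-02-03T14:02:00", 34),
    _session("s4", "svc-backup", "SWIFTLIVE-01", "2016-02-03T23:30:00", 1, privileged=True),
]


def duration_seconds(session):
    return (session["logout"] - session["login"]).total_seconds()


def build_baseline(history):
    """Per user: the login hours seen and the median session length in seconds."""
    per_user = {}
    for s in history:
        entry = per_user.setdefault(s["user"], {"hours": set(), "durations": []})
        entry["hours"].add(s["login"].hour)
        entry["durations"].append(duration_seconds(s))
    return {user: {"hours": e["hours"], "median_duration": median(e["durations"])}
            for user, e in per_user.items()}


def score_session(session, baseline):
    """Return the list of rules a session trips; an empty list means it looks routine."""
    reasons = []
    secs = duration_seconds(session)
    login = session["login"]
    if session["privileged"] and secs < SHORT_PRIVILEGED_SECONDS:
        reasons.append("short_privileged_session")
    if login.date() in HOLIDAYS:
        reasons.append("holiday_login")
    if login.weekday() >= 5 or login.hour not in BUSINESS_HOURS:
        reasons.append("off_hours_login")
    user_baseline = baseline.get(session["user"])
    if user_baseline is None:
        reasons.append("unknown_user")
    else:
        if login.hour not in user_baseline["hours"]:
            reasons.append("unusual_hour_for_user")
        if secs < 0.1 * user_baseline["median_duration"]:
            reasons.append("duration_well_below_baseline")
    return reasons


def find_anomalies(history, recent):
    """Score each recent session against the baseline; return (id, reasons) for hits."""
    baseline = build_baseline(history)
    hits = []
    for s in recent:
        reasons = score_session(s, baseline)
        if reasons:
            hits.append((s["id"], reasons))
    return hits


if __name__ == "__main__":
    for sid, reasons in find_anomalies(constructed_history(), RECENT):
        print(sid, ", ".join(reasons))
```

The session records are what the deck's "login details of all connected parties" monitoring would feed in; the baseline has to be computed from logs that are shipped off the SWIFT hosts, since the attackers in this case were erasing the local Sysmon logs after each short session.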

Page 9 SWIFT security advisory

What constitutes a SWIFT environment varies by bank

In-house: SWIFTNet connectivity infrastructure owned and operated by the customer

Service bureau: SWIFTNet connectivity infrastructure owned and operated by a third party

How SWIFT is deployed in customer premises:

► On-site deployment of the SWIFT Alliance suite (Alliance Access)

► Or via a third party (e.g., Eastnets)

Diagram of the in-house layers, from the users down to the network:

► Who uses it: users, financial applications, Alliance Workstation, web browser (third-party application and user layer)

► Messaging software: Alliance Access, Alliance Entry, Alliance Messenger (MT and MX), Alliance Workstation/Web Station/Web Platform, middleware

► Communications software: Alliance Gateway, SWIFTNet Link

► Network connection: SWIFTNet

Diagram of the service bureau model: users and apps at the customer connect through the service bureau's apps, HSM and VPN to SWIFTNet; environments shown are Production, Test & Development and Disaster Recovery Site

Page 10 SWIFT security advisory

Security controls of the on-premise SWIFT environment are the client's responsibility

The SWIFT environment is managed with a shared responsibility

Customer responsibilities:

► Upgrades

► Housekeeping

► Monitor and troubleshoot

► Message management

SWIFT will monitor:

► FIN and SWIFTNet connections

► Related SWIFT hardware (HSM and VPN boxes)

► Severe and critical events affecting your Alliance interfaces

Additional services listed for Scenario 2 (SWIFT AMO, if opted):

► Troubleshooting and problem investigation

► Housekeeping

► Release and change management

Scenario 1: Customer managed. Scenario 2: SWIFT AMO (if opted).

Diagram: in both scenarios the components in your premises are the business application, middleware, Alliance Access, Alliance Web Platform, Alliance Gateway, SNL, HSM and VPN; the diagram marks which of these are SWIFT managed in each scenario.

How can EY help

Page 12 SWIFT security advisory

EY Security Assessment services for SWIFT security

Context building

1. Payments Business Process Review

2. SWIFT IT Application Controls: Change Controls, Access Controls, Logging and Retention

3. SWIFT Interface Controls

4. Technical Controls: End-Point Security, Host and Database Security, Network Security

5. Detection and Response Controls: Monitoring of SWIFT Environment, Incident Handling Capability

6. Advanced Discovery: Network anomaly detection using traffic pattern analysis, DLP Review, Security Testing

Page 13 SWIFT security advisory

EY Services: Our approach and methodology

We recommend a four stage approach for implementation of SWIFT security

Program management

Phase I: Planning and set-up Phase II: Review Phase III: Remediation Phase IV: Improvement

Establish a team of Security & Internal Controls professionals

Review security controls, potential attack vectors and vulnerabilities and customer awareness

Based on review results, provide recommendations to remediate the identified gaps

Continuously improve on the current approach based on ITIL principles of “PDCA” (Plan — Do — Check — Act)

Scoping

► Define the scope of review

► Convert guidelines into a review checklist

Identification

► Identify in-scope systems and assets

As-Is analysis

► Assess and evaluate the current state of the firm’s posture with respect to the guidance

Assessment

► Conduct risk assessment to identify and evaluate risks to cyber-security

To-Be profile

► Build a “To-Be” state based on the SWIFT guidance document

Gap analysis

► Perform gap analysis by comparing the As-Is against the To-Be state

► Recommend remediation measures

Implement

► Assist management in deploying missing controls or enhancing existing ones

Page 14 SWIFT security advisory

EY SWIFT Security Assessment services – Detailed Approach

Context building

► Inventory SWIFT Environment

► Understand SWIFT Message Data Flow

► Recent upgrades likely to affect SWIFT

► Recent Change log

► CMDB Data

► SWIFT related Help Desk Tickets

► Previous Audit reports of SWIFT application and funds transfer process

1. Payments Business Process Review

a. Review of inward and outward fund transfer process(es) through SWIFT

► Study of existing inward and outward remittance processes implemented for transfer

► Identify the applications and the associated interfaces with SWIFT

► Identify the gaps in existing transfer processes (if any)

b. Review of exception handling process for inward and outward remittance

► Study the existing exception handling process for inward and outward remittance

► Identify the possible scenarios for wire transfer and related exception process as applicable

► Identify and document key gaps in the overall exception handling process

2. SWIFT - IT Application Controls

a. Review of roles and responsibilities of users as defined in SWIFT

► Study existing roles and corresponding access privileges defined in context of SWIFT network

► Assess existence of any access conflicts/privilege conflicts in the roles vis-à-vis the users that have been granted the roles

► Identify and report gaps (if any)

b. Review of SWIFT message creation procedures

► Understand the user access process for SWIFT message creation, which includes but is not limited to

  ► The user access process to create SWIFT users who have rights to create SWIFT messages

  ► What types of SWIFT messages are generated

  ► Processes/protocols to be followed pre and post creation of SWIFT messages

► Identify and document key gaps (if any)

c. Review of retention policy

► Understand current retention policy for existing transfer of customer documents

3. SWIFT Interface Controls

a. Understand the nature of interfaces, frequency of data exchange (real-time, monthly, weekly etc.), method of data exchange (batch process, real time etc.)

► Develop data flows to identify the nature of data exchanged via the interfaces

► Assess the data transformation/changes to data based on the nature of applications

Page 15 SWIFT security advisory

EY SWIFT Security Assessment services – Detailed Approach (contd)

4. Technical Controls

4.a Assessment of

► Appropriate segregation in SWIFT Hosts and End-point network segment

► SWIFT Hosts placement in the network and the communication to and from the hosts to other systems

► Hardening configuration of network devices part of the SWIFT Network

4.b Review of (covering OS, database, application and select end-points)

► Patch Levels

► Services/registry Settings

► Security Baseline

► Logging and Auditing Settings

► Access Controls


5. Monitoring and Incident Handling

5.a Review the monitoring coverage and scope of the SWIFT environment:

► Monitoring SWIFT Suite sessions

► Login details of all connected parties

► Message traffic, i.e., number of messages in queues/overflow etc.

► Event journals

► System processes, utilization of Hard Disk etc.


5.b Review of incident response as applicable to a SWIFT breach/compromise:

► Policy

► Response Plan

► Communications & Team

► Testing

Page 16 SWIFT security advisory

EY SWIFT Security Assessment services – Detailed Approach (contd)

6. Advanced Discovery

6.a Network Anomaly Detection

Perform network traffic anomaly detection using OOB appliance deployment/log ingestion into a tool to identify systems compromised by an external threat actor or infected with malware:

► Provide awareness of active command and control (C2)

► Detect previously unidentified infections

► Deliver highly actionable intelligence

► Assist in prioritizing discovered infections

6.b DLP Review

► For organizations with DLP: review DLP rules and coverage to alert on SWIFT-specific data exfiltration

► If DLP is not present: temporarily connect a specialized device to the client network and monitor data traffic

► Analysis and interpretation of accumulated results

6.d Penetration Testing

a. Simulate the security testing activities involved in the SWIFT cyber attack

► Connecting to the C&C center

► Changes in the SWIFT DLL

► SWIFT message monitoring

► SWIFT login monitoring

► Printer manipulation

b. Penetration testing for interfaces of the bidirectional and unidirectional applications connecting to SWIFT

c. Grey-box/black-box web application security assessment of applications: SWIFT Alliance, Alliance Gateway and other SWIFT applications in use

Find out more

Page 18 SWIFT security advisory

EY MENA offices

United Arab Emirates

Nation Tower 2, Corniche, Abu Dhabi 136, ARE; phone: +971 2 6277522; fax: +971 2 6273383; [email protected]

28th Floor, Al Attar Business Tower, Sheikh Zayed Road, P.O. Box 9267, 9267 Dubai; phone: +971 4 3324000; fax: +971 4 3324004; [email protected]

Saudi Arabia

13th Floor, King's Road Tower, King Abdulaziz Road (Malek Road), Al Shatea District, Jeddah 21441, 1994 Jeddah; phone: +966 2 221 8400; fax: +966 2 221 8575; [email protected]

Levels 6 and 14, Al Faisaliah Office Tower, King Fahad Road, Olaya, P.O. Box 2732, 11461 Riyadh; phone: +966 1 2734740; fax: +966 1 2734730; [email protected]

Flour Building, 4th floor, AlKhobar 31952, 3795 Saudi Arabia; phone: +966 3849 9500; fax: +966 3882 7224; [email protected]

Kuwait

Baitak Tower, 18–21st Floor, Safat Square, Ahmed Al Jabber Street, P.O. Box 74, 13001 Safat; phone: +965 2295 5000; fax: +965 2245 6419; [email protected]

Qatar

Al Gassar Tower, Majlis Al Taawon Street, West Bay, 164 Doha; phone: +974 4457 4111; fax: +974 4441 4649; [email protected]

Oman

3rd and 4th Floor, EY Building, Al Qurum, Opposite CCC, P.O. Box 1750, Ruwi, 112 Muscat; phone: +968 24 559559; fax: +968 24 566043; [email protected]

Bahrain

14th floor, Bahrain Commercial Complex, Manama, 140 Manama; phone: +973 17535455; fax: +973 1753 5405; [email protected]

Jordan

300 King Abdulla Street, 8th Circle, Amman, Jordan, P.O. Box 1140, 11118 Amman; phone: +962 6580 0777; fax: +962 6553 8300; [email protected]

Egypt

Ring Road, Zone #10A, Rama Tower, P.O. Box 20, Kattameya, 11936 Cairo; phone: +202 27260260; fax: +202 27260100; [email protected]

Libya

Bashir Al-Ibrahimi Street, Yaser Arafat Square, 91873 Tripoli; phone: +218 213344130; fax: +218 213344372; [email protected]

Pakistan

3rd Floor, Eagle Plaza, 75-West, Fazal-ul-Haq Road, Blue Area, 44000 Islamabad; phone: +92 51 2344160 / +92 51 2344161; fax: +92 51 2344163; [email protected]

601, Progressive Plaza, Beaumont Road, 75530 Karachi; phone: +92 21 35650007; fax: +92 21 35681965; [email protected]

96–B/1 Pace Mall Building, 4th Floor, M. M. Alam Road, Gulberg II, 54660 Lahore; phone: +92 42 35778402; fax: +92 42 35778412; [email protected]

Iraq

Block 609, Street 3, Villa 23, Al-Ameerat Street, Al-Mansour; phone: +964 1 543 0357; fax: +964 1 543 9859; [email protected]

Gulan St. English Village, Villa 284, Erbil, Kurdistan Region; phone: +964 662575777

Afghanistan

House 1013, Street 2, Shirpoor Road; phone: +93 75 2055025; [email protected]

Lebanon

Commerce and Finance Bldg., 1st Floor, P.O. Box 11–1639, Riad Solh, Army Street, Kantari, 11072–090 Beirut; phone: +961 1 760 800; fax: +961 1760 822/3; [email protected]

Palestine

P.O. Box 1373, 7th Floor, PADICO House Bldg., Al Masyoun, 1373 Ramallah; phone: +970 2 2421011; fax: +970 2 2422324; [email protected]

Syria

5th Floor, Rouya 4, 8th Gate, Yafoor; phone: +963 9 4422 7402; fax: +963 1 1611 3006; [email protected]

Thank you

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

The MENA practice of EY has been operating in the region since 1923. For over 90 years, we have grown to over 6,000 people united across 20 offices and 15 countries, sharing the same values and an unwavering commitment to quality. As an organization, we continue to develop outstanding leaders who deliver exceptional services to our clients and who contribute to our communities. We are proud of our accomplishments over the years, reaffirming our position as the largest and most established professional services organization in the region.

© 2016 EYGM Limited. All Rights Reserved.

ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com/mena