BB/SWIFT Cyber Attack - An emerging threat
Page 2 SWIFT security advisory
Background & Overview
► Recently reported cyber-attack on Bank Bangladesh's on-premise SWIFT system is notable as fraudulent SWIFT messages were sent seeking to transfer $951 million
► $81 million transferred to a bank in Philippines, much of which remains unrecovered
► Accomplished by determined & highly sophisticated cyber criminals using custom Malware and APT techniques
► Reported malware is found in the wild; variations of it will soon appear in stealth and are highly likely to affect banks and financial institutions using SWIFT
► SWIFT has advised clients to review and enhance the Security Controls on the SWIFT infrastructure
► Infiltrators have gone beyond focusing on credit card details
► They have long-term strategies, targeting to interfere with large-scale financial transactions
► Today’s cybercriminals are well-funded and organized, with the patience to infiltrate companies’ systems over time
► Organizations should consider their readiness for, and the impact of, such an attack on their own systems and financial assets
► This document provides a brief overview of the security controls recommended for
► Customer implementation of the Customer managed SWIFT interface
► The underlying components required to connect to the SWIFT Network
► Along with EY services and guidance to help clients address this risk
[Figure: Payment Systems - Cyber Risk. Kill chain stages: Reconnaissance, Weaponization, Delivery, Exploitation, Command & Control, Financial Theft; the early stages (Infection) are shown as Infection Risk, the final stage as Business Risk]
This document was created for situational awareness only. It is intended solely for EY clients and should not be shared with any other parties. EY assumes no responsibility to any user of the information contained herein. Research for this product was completed via open source channels. Analysis included in this document is current as of May, 2016, and could change as more information becomes public.
Bangladesh Bank/SWIFT Cyber Attack, 2016
May 2015
► 4 Fake accounts opened at RCBC Bank Manila
► Apparently with fake documents/signatures
Oct — 2015
► Bank Bangladesh (BB) goes live with a major tech upgrade and enables STP/RTGS
► Hackers target BB & send emails with malware attachments
► Malware harvests intelligence, on BB cash payment policy and procedure, transfer order protocol
Feb 2016: with stolen credentials, on a BB holiday (4 and 5 Feb)
► Hackers generate payment orders using SWIFT to NY Fed
► 35 SWIFT transfers (US$951m) to Sri Lanka/Philippines
► The Fed did not process 30 of the transfers; it processed 5 (US$101m)
► 1 to a Sri Lankan NGO (US$20m), blocked because of a recipient spelling error
► 4 to RCBC Philippines (US$81m) went through
US$81m laundered within Philippines
► Deposited, routed via personal & money remittance company accts
► Subsequently to no. of casino accts in Philippines
► Breached printer at BB: the previous day's transactions could not be printed and reconciled
► During this time the RCBC branch security cameras were out of order
BB noticed discrepancy
► Routing bank query (Deutsche Bank) prompted BB
► Recognized on Sat, could not reach Fed during US weekend
► To complicate things, Mon/Feb 8 — Chinese New Year in Philippines
► High-value transactions to casinos are common in the Philippines, so these went unnoticed
► Per regulations, dollar remittances entering the Philippines have to pass through correspondent banks in the US
► In this case, Citi, Wells Fargo, Mellon etc.
► BB issues stop orders
11 Feb
► BB requests Philippines Central Bank for help
29 Feb 2016
► Philippines Court petitioned to freeze accounts at RCBC Bank
► Order issued on 1 March
Latest
► Reports of multiple banks being hit by similar attacks — especially in Latin America, with theft upwards of US$10m per bank
► Laundering currently being investigated by Philippine senate
► Two Chinese nationals in the gambling business in Macau and Philippines are being interrogated
► Investigators have identified 12 Philippine and 8 Sri Lankan nationals
Technical account of the Cyber Attack
► Custom malware submitted by user in Bangladesh
► C2 Server based in Egypt (may be a Hijacked Zombie)
► Malware appears to be part of broader attack toolkit and 4 samples identified — seems all files created by same actor(s)
► Recon and suspicious log-in activity
► First log-in on 24 Jan and lasted ~ 60 secs
► Operated as local admin
► Sysmon installed on compromised systems
► Log-in activity continued until 6 Feb — all for short periods of time
► Forgot to erase SysMon log files one day
► BB Seems to have 2 SWIFT environments
► SWIFTLIVE and SWIFTUAT
► Both were breached
► SWIFTLIVE was connected to 3 Back-office Servers
► Reported Malware
► Found on known malware repository
► Uploaded from Bangladesh, compiled in Jan 2016
► Found to operate within
► SWIFT’s Alliance suite
► Powered by Oracle DB
► Main purpose of the malware seems to be to inspect SWIFT messages; it is used to
► Parse and search certain strings
► Delete specific transactions
► Update transaction amounts
► Tamper with balance reporting messages
► Login monitoring
► Printer manipulation
► Payload was tailor made for this context and demonstrates a very high level of knowledge of
► Business Process
► SWIFT Alliance software
► Malware coding skills
► New risk: SWIFT recently launched SWIFT Web access, which may be the starting point for phishing campaigns to compromise SWIFT credentials (clients using it have to be on high alert)
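As an added example (not from the EY deck or from SWIFT), the defender-side counterpart to the message tampering listed above: reconcile the Alliance host's local message journal against a copy of every outbound MT103 committed to a separate log server, keyed on the :20: sender's reference, so that deleted transactions and altered amounts surface even when the local database and the confirmation printer have been tampered with. The message samples, references and the off-host log are constructed.

```python
import re
from decimal import Decimal

# Block-4 field extraction: each tag (:20:, :32A:, :59: ...) runs to the next tag.
TAG_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*?)(?=^:\d{2}[A-Z]?:|\Z)", re.S | re.M)

def parse_mt103(block4: str) -> dict:
    """Extract the fields a reconciliation needs from one MT103 block 4."""
    fields = {tag: val.strip() for tag, val in TAG_RE.findall(block4)}
    # :32A: is value date (YYMMDD) + ISO currency + amount with a comma decimal mark
    m = re.fullmatch(r"(\d{6})([A-Z]{3})(\d+,\d*)", fields["32A"])
    if m is None:
        raise ValueError(f"malformed :32A: in {fields.get('20')}")
    return {
        "ref": fields["20"],                          # sender's reference, the join key
        "value_date": m.group(1),
        "currency": m.group(2),
        "amount": Decimal(m.group(3).replace(",", ".")),
        "beneficiary": fields["59"].splitlines()[0],  # account line of :59:
    }

def reconcile(local_journal, offhost_log):
    """Compare the Alliance-host journal with the off-host copy, keyed on :20:."""
    local = {m["ref"]: m for m in map(parse_mt103, local_journal)}
    remote = {m["ref"]: m for m in map(parse_mt103, offhost_log)}
    findings = []
    for ref, r in remote.items():
        l = local.get(ref)
        if l is None:                      # transaction deleted from the local DB
            findings.append({"kind": "missing_locally", "ref": ref})
        elif (l["currency"], l["amount"]) != (r["currency"], r["amount"]):
            findings.append({"kind": "amount_mismatch", "ref": ref,
                             "local": l["amount"], "offhost": r["amount"]})
        elif l["beneficiary"] != r["beneficiary"]:
            findings.append({"kind": "beneficiary_mismatch", "ref": ref})
    for ref in local.keys() - remote.keys():   # never reached the log server
        findings.append({"kind": "not_in_offhost_log", "ref": ref})
    return findings

def mt103(ref, date, ccy, amount, account, name):
    """Build a constructed MT103 block-4 sample (not a real message)."""
    return (f":20:{ref}\n:23B:CRED\n:32A:{date}{ccy}{amount}\n"
            f":50K:/0001\nORDERING CUSTOMER\n:59:/{account}\n{name}\n:71A:SHA")

# Constructed samples: what the off-host log server received ...
OFFHOST_LOG = [
    mt103("REF0001", "160204", "USD", "20000000,00", "ACCT-A", "BENEFICIARY A"),
    mt103("REF0002", "160204", "USD", "25000000,00", "ACCT-B", "BENEFICIARY B"),
    mt103("REF0003", "160204", "USD", "6000000,00", "ACCT-C", "BENEFICIARY C"),
]
# ... versus the local journal after tampering: REF0002 deleted, REF0003 amount changed
LOCAL_JOURNAL = [
    OFFHOST_LOG[0],
    mt103("REF0003", "160204", "USD", "600000,00", "ACCT-C", "BENEFICIARY C"),
]

if __name__ == "__main__":
    for finding in reconcile(LOCAL_JOURNAL, OFFHOST_LOG):
        print(finding)
```

The check only works if the off-host copy is written by a path the Alliance host cannot alter, which is why the recommendations below say to commit SWIFT logs to another server.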
Security Controls across customer infrastructure
Security controls for the SWIFT Infrastructure (customer infrastructure):
► Connectivity
► Network Segregation
► Administration and Application Accounts
► Secure Browsing
► Logging
► Reconciliation
► Backups
► Resilience
What is SWIFT saying …
1. Press release on 25 April 2016
2. No impact on SWIFT’s network or core messaging services
3. Malware is designed to hide traces of fraudulent payments from customers’ local DB
4. Can only be installed on users’ local systems after successfully identifying and exploiting weaknesses in their local security
5. Key defense remains for users to implement appropriate security measures in their local environments — in particular those used to access SWIFT
6. Protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems
Key Observations and Takeaways
In hindsight, there are a number of security lessons to be learnt by studying this incident
Observations
► As much as they're overhyped, zero-day APT attacks are a reality
► Notionally a private network and historically considered fully secure; this attack challenges that assumption
► Attackers carefully planned evasion, e.g. using Sysmon for recon and erasing logs
► Incidents unfold in a very slow manner
► Shows careful and advanced planning
► Accounts were opened last year
► Money was laundered through casinos in the Philippines, which are exempt from reporting suspicious transactions, making them attractive for this type of crime
► Business checks were evaded by tampering with IT systems
► The profile of the organization does not matter; what matters is the potential of the attack
► Limited understanding of the shared responsibility between clients and SWIFT
Takeaways
► Protection, Detection and Response capabilities are equally important
► Effectiveness and adequacy of basic operational security and internal controls are fundamental
► Technology transitions can introduce vulnerabilities and threats
► Typical SWIFT reviews are focused on Application or IT General Controls and do not include all environment risks of SWIFT
Key questions for the board and C-Suite
Have you considered how a similar Cyber Attack could impact your bank?
Readiness and transparency
1. When was the recent SWIFT/Fund Transfer Process Audit done?
2. What were the previously identified concerns/deficiencies and management's actions to correct audit observations?
3. How thoroughly have we assessed our SWIFT cyber risk?
4. When and what were the recent changes to the SWIFT system or EFT activities?
Detection and response
1. What monitoring and detecting processes are in place?
2. Have we exercised our ability to respond to a cyber attack — up to Board level?
EY recommends a five step continuous improvement process to effectively manage cyber attack risk
► Re-align
► Know your environment and check gaps
► Assume breaches will occur
► Bring in an independent specialist to help
► Re-fresh
Objectives:
► Ensure Management & Board understand the current security posture of the SWIFT Environment
► Enhance protection where possible
1. Funds transfer process analysis
2. Dataflow analysis — Trace SWIFT messaging data from points of input to points of output; determine all places where message data originates, is transported, and is stored
3. Classic IT Controls — Access and Change Review
4. Technical security assessment of SWIFT infrastructure:
Perform Pro-active, Structured and “Context Aware” Cyber Assessment — with knowledge of
► Business Process
► Applications in use
► Underlying Infrastructure
► Traffic Patterns and
► User activity
a. Minimum Review
i. Security of all systems and locations where you receive or send data to SWIFT System
ii. Host platform vulnerabilities and Communication
iii. Network Architecture and Segregation
iv. Monitoring activity on individual systems & network
b. Complex — Anomaly Detection
i. Perform Network traffic behavior anomaly analysis to identify unusual events or trends
ii. Correlate Traffic Flow Patterns and Network Performance Data
iii. Review unusual patterns of computing and user activity
Create or improve SWIFT Specific response plan
► Document or Update your escalation points and Incident response contacts
► Develop do's and don’ts post breach detection
Use external team with strong Business & Security expertise to
► Identify weaknesses in SWIFT Controls and Security
► Provide an objective opinion on the Security Posture
► Expand SWIFT audit to cover all components of the SWIFT Environment — beyond application & general controls
► Increase frequency of SWIFT review to include Pen Testing & detailed technical review
► Consider Outsourcing SWIFT IT Operations to enhance on-premise security
► Identify granular Controls for Hosts, Network and End points part of SWIFT Infrastructure
► Enrich security Monitoring of the SWIFT environment
► Test your incident response process
► Document dispute management process
► Enhance security log data collection and storage process — e.g.: commit all SWIFT logs to another server
► Start building baseline for Behavioral Anomaly detection
► Use Payment Analytics for fraud detection
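As an added example, not EY tooling, of the behavioral baseline for login activity that the recommendations above call for: pair LOGON/LOGOFF events on the SWIFT hosts and flag sessions that fall on a declared bank holiday or outside working hours, last under two minutes, have no logoff, or use the local Administrator account, which is the pattern in the technical account of this attack. The log lines, host names (SWIFTLIVE01, SWIFTUAT01), holiday dates and working-hour window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, date, time, timedelta
from typing import Optional

# Baseline parameters (constructed for the example; tune to the real hosts).
HOLIDAYS = {date(2016, 2, 4), date(2016, 2, 5)}   # the BB holiday named on the page
WEEKEND = {4, 5}                                    # Fri/Sat, assumed weekend days
WORK_START, WORK_END = time(9, 0), time(17, 0)      # assumed working-hour window
SHORT_SESSION = timedelta(seconds=120)              # attacker sessions were ~60 s

# Constructed log lines: timestamp,host,account,event (not real Sysmon output)
SAMPLE_LOG = """\
2016-01-24T23:14:02,SWIFTLIVE01,SWIFTLIVE01\\Administrator,LOGON
2016-01-24T23:15:05,SWIFTLIVE01,SWIFTLIVE01\\Administrator,LOGOFF
2016-02-01T10:00:00,SWIFTUAT01,BANK\\opsuser,LOGON
2016-02-01T11:30:00,SWIFTUAT01,BANK\\opsuser,LOGOFF
2016-02-04T10:30:00,SWIFTLIVE01,BANK\\opsuser,LOGON
2016-02-04T10:45:00,SWIFTLIVE01,BANK\\opsuser,LOGOFF
2016-02-06T02:05:11,SWIFTLIVE01,SWIFTLIVE01\\Administrator,LOGON
"""

@dataclass
class Session:
    host: str
    account: str
    start: datetime
    end: Optional[datetime] = None
    reasons: list = field(default_factory=list)

def pair_sessions(log_text):
    """Pair LOGON/LOGOFF lines per (host, account) into Session objects."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        ts, host, account, event = line.split(",")
        key, when = (host, account), datetime.fromisoformat(ts)
        if event == "LOGON":
            s = Session(host, account, when)
            open_sessions[key] = s
            sessions.append(s)
        elif event == "LOGOFF" and key in open_sessions:
            open_sessions.pop(key).end = when
    return sessions

def is_local_admin(host, account):
    """Host-scoped Administrator account; assumes the HOST\\name account form."""
    return account.upper() == f"{host}\\ADMINISTRATOR".upper()

def flag_anomalies(sessions):
    """Attach baseline-violation reasons and return only the flagged sessions."""
    for s in sessions:
        d, t = s.start.date(), s.start.time()
        if d in HOLIDAYS:
            s.reasons.append("holiday")
        elif d.weekday() in WEEKEND or not (WORK_START <= t <= WORK_END):
            s.reasons.append("off_hours")
        if s.end is not None and s.end - s.start < SHORT_SESSION:
            s.reasons.append("short_session")
        if s.end is None:                       # still open or logoff never logged
            s.reasons.append("no_logoff")
        if is_local_admin(s.host, s.account):
            s.reasons.append("local_admin")
    return [s for s in sessions if s.reasons]

if __name__ == "__main__":
    for s in flag_anomalies(pair_sessions(SAMPLE_LOG)):
        print(s.start, s.host, s.account, s.reasons)
```

Because the attackers deleted Sysmon logs on the hosts themselves, the events this script reads must come from the copy forwarded to a separate log server.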
What constitutes a SWIFT Environment varies by bank
In-house: SWIFTNet connectivity infrastructure owned and operated by the customer
► On-site deployment of the SWIFT Alliance suite (Alliance Access)
Or
► Via a Third Party (e.g., Eastnets)
How SWIFT is deployed in customer premises, by layer:
► Users (who uses it)
► Applications: Financial application, Alliance workstation, Web browser (third party application & user layer)
► Messaging software: Middleware; Alliance Access, Alliance Entry, Alliance Messenger (MT and MX)
► Communications software: Alliance Gateway; Alliance Workstation/Web Station/Web Platform
► Network connection: SWIFTNet Link, HSM, VPN, to SWIFTNet
Service Bureau: SWIFTNet connectivity infrastructure owned and operated by a third party (Users connect to the Service Bureau's Apps, HSM and VPN, which connect to SWIFTNet)
Environments: Production, Test & Development, Disaster Recovery Site
Security Controls of the SWIFT Environment that is on premise are the client's responsibility
The SWIFT environment is managed with a shared responsibility
Operational tasks in the environment:
► Upgrades
► Housekeeping
► Monitor and troubleshoot
► Message management
SWIFT will monitor
► FIN and SWIFTNet connections
► Related SWIFT hardware (HSM and VPN boxes)
► Severe and critical events affecting your Alliance interfaces
Services under SWIFT AMO (if opted):
► Troubleshooting and problem investigation
► Housekeeping
► Release and change management
Scenario 1: Customer managed. On your premises: Business Application, Middleware, Alliance Access, Alliance Web Platform, Alliance Gateway, SNL, HSM, VPN
Scenario 2: SWIFT AMO (if opted). Business Application and Middleware remain on your premises; the Alliance Access, Alliance Web Platform, Alliance Gateway, SNL, HSM and VPN components are SWIFT managed
EY Security Assessment services for SWIFT security
Context building, then six assessment areas:
1. Payments Business Process Review
2. SWIFT IT Application Controls: Change Controls, Access Controls, Logging and Retention
3. SWIFT Interface Controls
4. Technical Controls: End-Point Security, Host and Database Security, Network Security
5. Detection and Response Controls: Monitoring of SWIFT Environment, Incident Handling Capability
6. Advanced Discovery: Network anomaly detection using Traffic pattern analysis, DLP Review, Security Testing
EY Services: Our approach and methodology
We recommend a four stage approach for implementation of SWIFT security, under overall program management
Phase I: Planning and set-up: Establish a team of Security & Internal Controls professionals
Phase II: Review: Review security controls, potential attack vectors and vulnerabilities, and customer awareness
Phase III: Remediation: Based on review results, provide recommendations to remediate the identified gaps
Phase IV: Improvement: Continuously improve on the current approach based on ITIL principles of “PDCA” (Plan — Do — Check — Act)
Steps:
► Scoping: Define the scope of review; convert guidelines into a review checklist
► Identification: Identify in-scope systems and assets
► As-Is analysis: Assess and evaluate the current state of the firm’s posture with respect to the guidance
► Assessment: Conduct a risk assessment to identify and evaluate risks to cyber-security
► To-Be profile: Build a “To-Be” state based on the SWIFT guidance document
► Gap analysis: Perform gap analysis by comparing the As-Is against the To-Be state; recommend remediation measures
► Implement: Assist management in deploying missing controls or enhancing existing ones
EY SWIFT Security Assessment services – Detailed Approach
Context building
► Inventory SWIFT Environment
► Understand SWIFT Message Data Flow
► Recent upgrades that are likely to affect SWIFT
► Recent Change log
► CMDB Data
► SWIFT related Help Desk Tickets
► Previous Audit reports of SWIFT application and funds transfer process
1. Payments Business Process Review
a. Review of inward and outward fund transfer process(es) through SWIFT
► Study of existing inward and outward remittance processes implemented for transfer
► Identify the applications and the associated interfaces with SWIFT
► Identify the gaps in existing transfer processes (if any)
b. Review of exception handling process for inward and outward remittance
► Study the existing exception handling process for inward and outward remittance
► Identify the possible scenarios for wire transfer and related exception process as applicable
► Identify and document key gaps in overall exception handling process
2. SWIFT - IT Application Controls
a. Review of roles and responsibilities of users as defined in SWIFT
► Study existing roles and corresponding access privileges defined in context of SWIFT network
► Assess existence of any access conflicts/privilege conflicts in the roles vis-à-vis the users that have been granted the roles
► Identify and report gaps (if any)
b. Review of SWIFT creation procedures
► Understand user access process for SWIFT message creation which includes but is not limited to
► User access process to create SWIFT users who have rights to create SWIFT messages
► What type of SWIFT messages are generated
► Processes/Protocols to be followed, Pre and post creation of SWIFT messages
► Identify and document key gaps (if any)
c. Review of retention policy
► Understand current retention policy for existing transfer of customer documents
3. SWIFT Interface Controls
a. Understand the nature of interfaces, frequency of data exchange (real-time, monthly, weekly etc.), method of data exchange (batch process, real time etc.)
► Develop data flows to identify the nature of data exchanged via the interfaces
► Assess the data transformation/changes to data based on the nature of applications
EY SWIFT Security Assessment services – Detailed Approach (contd)
4. Technical Controls
4.a Assessment of
► Appropriate segregation in SWIFT Hosts and End-point network segment
► SWIFT Hosts placement in the network and the communication to and from the hosts to other systems
► Hardening configuration of network devices part of the SWIFT Network
4.b Review of (covering OS, Database, Application and Select End-points)
► Patch Levels
► Services/registry Settings
► Security Baseline
► Logging and Auditing Settings
► Access Controls
5. Monitoring and Incident Handling
5.a Review the monitoring coverage and scope of SWIFT Environment:
► Monitoring SWIFT Suite sessions
► Login details of all connected parties
► Message traffic, i.e., number of messages in queues/overflow etc.
► Event journals
► System processes, utilization of Hard Disk etc.
5.b Review of Incident Response as applicable to SWIFT breach/compromise:
► Policy
► Response Plan
► Communications & Team
► Testing
EY SWIFT Security Assessment services – Detailed Approach (contd)
6. Advanced Discovery
DLP Review
► For orgs with DLP: Review DLP rules and coverage to alert on SWIFT-specific data exfiltration
► If DLP is not present: Temporarily connect a specialized device to the client network and monitor data traffic
► Analysis and interpretation of accumulated results
Network Anomaly Detection
Perform Network Traffic Anomaly Detection using OOB appliance deployment/log ingestion into a tool to identify systems compromised by an external threat actor or infected with malware:
► Provide awareness of active command and control (C2)
► Detect previously unidentified infections
► Deliver highly actionable intelligence
► Assist in prioritizing discovered infections
Penetration Testing
a. Simulate security testing activities involved in the SWIFT cyber attack
► Connecting to C&C center
► Changes in SWIFT DLL
► SWIFT message monitoring
► SWIFT login monitoring
► Printer manipulation
b. Penetration testing for interfaces of the bidirectional and unidirectional applications connecting to SWIFT
c. Grey-box/black-box web application security assessment of applications — SWIFT Alliance and Alliance Gateway and other SWIFT applications in use
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
The MENA practice of EY has been operating in the region since 1923. For over 90 years, we have grown to over 6,000 people united across 20 offices and 15 countries, sharing the same values and an unwavering commitment to quality. As an organization, we continue to develop outstanding leaders who deliver exceptional services to our clients and who contribute to our communities. We are proud of our accomplishments over the years, reaffirming our position as the largest and most established professional services organization in the region.
© 2016 EYGM Limited.
All Rights Reserved.
ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com/mena