The second incident targeted an unnamed commercial bank, according to a SWIFT statement. Malware installed on the SWIFT messaging system was used against the bank's secondary controls, in this case a PDF reader the bank used to check statement messages. The malware then removed any sign of the breach, SWIFT wrote to its customers. For security experts, the fact that a second incident has taken place is a sign that whatever fix was implemented was ineffective and that the flaw may still exist.
“News of another incident in which malware was apparently used to cover the tracks of unauthorized banking instructions transmitted by the SWIFT network suggests remediation efforts following February's $81 million Bangladesh reserve bank heist have so far been inadequate,” ESET Senior Security Researcher Stephen Cobb told SCMagazine.com in an email.
SWIFT said its customers have to step up their game and put in place better security.
"In both instances, the attackers have exploited vulnerabilities in banks' funds transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process," SWIFT said.
In February hackers breached the Bangladesh bank's systems, stealing credentials needed to authorize payment transfers from the country's monetary reserves in the Federal Reserve Bank of New York to fraudulent accounts based in the Philippines and Sri Lanka.
Part of the difficulty in mitigating this problem is that none of those involved are certain exactly how the breach occurred, or at least have not said so publicly. SWIFT made the broad comment that it could have been done by an outside gang or, conversely, could have been an inside job. The financial messaging service did give out a few firm details on what transpired, saying the attacker compromised the bank's environment by obtaining valid operator credentials and submitting fraudulent messages while impersonating the people from whom the credentials were stolen.
“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both,” SWIFT wrote.
Cobb added that the malware issue at the heart of the problem should already have been fixed by SWIFT and its banking partners.
“Given that hundreds of millions of dollars are potentially in play with this type of attack, the presence of malware used to obscure transactions should have been dealt with right away, at every participating institution. The abuse of credentials on the system, seemingly essential to initiating the fraudulent messages that move money, should also have been addressed by now,” he said.
Other security advisors weighed in with steps that could be taken to fix the problem at hand and that should be adopted to protect future transactions on the SWIFT system. These included adding two-factor authentication to the system, relying less on the human element involved in operating the SWIFT system, and upgrading the SWIFT software.
“Initiation of transfers is still based on trust. The bank is trusting that the user/batch is who they say they are. The problem is that we seem to be missing a key mitigation strategy here: multi-factor authentication. The attack could have been thwarted with a simple process of authentication using something you have, something you know, and something you are,” Brad Bussie, director of product management at STEALTHbits Technologies, told SCMagazine.com in an email.
Wim Remes, Rapid7's manager of strategic services, EMEA, told SCMagazine.com in an email that SWIFT and the banks each have to make changes.
“The reality is that most likely an upgrade of the SWIFT software would be needed for all clients and potentially changes on the operating system level as well. Between now and the time that every participant in the SWIFT network has gone through this process there is always a risk that one of the participants will be hacked,” Remes said.
SWIFT again put the majority of the onus to fix the problem on the banks, saying they should quickly ensure their endpoints are secure.
Cobb agreed with this stance, saying any bank could be a target of this type of attack if it uses SWIFT and does not exercise tight control over its own banking credentials and maintain system integrity.
Dave Amsler, president and founder of Raytheon Foreground Security, said that sitting back and just playing defense is another mistake being made. He noted that sophisticated criminal groups constantly adjust their malware to beat the security software already installed.
“There is only one way to find the most sophisticated, damaging cyber threats within a network: proactively hunt for them,” he said.