Cosmos Bank SWIFT/ATM US$13.5 Million Cyber Attack Detection Using Security Analytics


Securonix Threat Research:

Oleg Kolesnikov,
Securonix Threat Research Team
Figure 1: Cosmos Bank in India US$13.5 Million SWIFT/ATM Cyber Attack of August 2018 [1]

The Securonix Threat Research team recently learned of a new high-profile cyber attack
targeting the SWIFT/ATM infrastructure of Cosmos Bank (COSDINBB), a 112-year-old
cooperative bank in India and the second largest in the country, resulting in over US$13.5
million stolen [1,2].

Below is a summary of what we currently know about this high-profile attack and
recommended Securonix predictive indicators and security analytics to increase your
chances of detecting such attacks targeting financial services/SWIFT.

Security Analytics. Delivered. www.securonix.com

US$13.5 million stolen from Cosmos Bank between August 10-13, 2018.
Malware infection, ATM switch compromise, SWIFT environment compromise.
Attack Techniques: Multiple (see below).
Initial infiltration: Unconfirmed. Based on the attribution, likely spear phishing and/or remote
administration/third-party interface.
As of August 27, 2018: Currently attributed to a nation-state-sponsored malicious threat
actor (Lazarus Group) by some sources [3,4]. Updated August 29, 2018: According to the
latest report from the Maharashtra Special Investigation Team performing the investigation
of the attack, they have not yet been able to link the attacks to the Lazarus or Cobalt
hacking groups, noting that the Cosmos Bank attackers “wiped out all tracks, leaving no
evidence; it’s well-planned.” [5]. The latter is consistent with the behavior of major hacking
groups, including Lazarus Group, that are known to use tools that wipe out all tracks and
evidence. To illustrate, according to the Trend Micro report on Lazarus Group operations
from earlier this year, Lazarus Group uses wiper tools that remove Prefetch, event logs, MFT
records and other evidence from the compromised systems [6].

Cosmos Bank Attacks – Securonix Technical Analysis

While many technical details of the attack are currently unknown, based on publicly
available details, our technical analysis, and expertise, here are some of the key technical
details describing the most likely progression of this high-profile ATM/SWIFT banking

Cosmos Bank Cyberattack – ATM Modality – US$11.5 Million Stolen:
• Following an earlier patient-zero compromise and lateral movement, on August 10-
11, 2018, the bank’s internal and ATM infrastructure was compromised. The exploit
involved multiple targeted malware infections followed by standing up a malicious ATM/
POS switch (malicious-Central or MC) in parallel with the existing Central and then
breaking the connection between the Central and the backend/Core Banking System.
• After making adjustments to the target account balances to enable withdrawals,
MC was then likely used in fake “*on-us,” foreign-to-EFT, standing-in, etc. activity that
enabled the malicious threat actor to authorize ATM withdrawals for over US$11.5
million in 2849 domestic (Rupay) and 12,000 international (Visa) transactions using 450
cloned (non-EMV) debit cards in 28 countries.
• Using MC, attackers were likely able to send fake Transaction Reply (TRE) messages
in response to Transaction Request (TRQ) messages from cardholders and terminals.
As a result, the required ISO 8583 messages (an international standard for systems
that exchange electronic transactions initiated by cardholders using payment cards)
were never forwarded to the backend/CBS from the ATM/POS switching solution that
was compromised, which enabled the malicious withdrawals and impacted the fraud
detection capabilities on the banking backend.

Cosmos Bank Cyberattack – SWIFT Modality – US$2 Million Stolen

On August 13, 2018, the malicious threat actor continued the attack against Cosmos
Bank likely by moving laterally and using the Cosmos Bank’s SWIFT SAA environment
LSO/RSO compromise/authentication to send three malicious MT103 to ALM Trading
Limited at Hang Seng Bank in Hong Kong amounting to around US$2 million.

The ATM/POS banking switch that was compromised in the Cosmos Bank attack is
a component that typically provides hosted ATM/POS terminal support, an interface to
a core banking solution (CBS) or another core financial system, and connectivity to regional,
national or international networks. The primary purpose of the system is to perform
transaction processing and routing decisions (see Figure 2).

Figure 2: Common Banking ATM Switch Architecture (components shown: Socket Listener,
NDC Request Handler, Reversal Handler, Business Logic, PIN Verification, ISO 8583
Formatter, Core Banking System, External Switch)


In the case of the Cosmos Bank attack, this was not the typical basic card-not-present (CNP),
jackpotting, or blackboxing fraud. The attack was a more advanced, well-planned, and
highly coordinated operation that focused on the bank’s infrastructure, effectively bypassing
the three main layers of defense per Interpol Banking/ATM attack mitigation guidance (see

Based on our experience with real-world attacks involving ATM and SWIFT, following the
initial compromise, attackers most likely either leveraged the vendor ATM test software
or made changes to the currently deployed ATM payment switch software to create a
malicious proxy switch.

As a result, the details sent from the payment switch to authorize a transaction were never
forwarded to the CBS, so the checks on card number, card status (Cold, Warm, Hot), PIN, and
more were never performed. Instead, the request was handled by the MC deployed by the
attackers, which sent fake responses authorizing the transactions.

Beyond the ATM and SWIFT activity itself, this attack likely involved a significant number
of common cyber attack behaviors while the malicious infrastructure needed to
execute the attack was developed and stood up. As mentioned, this high-profile SWIFT/
ATM banking attack is currently attributed to Lazarus Group/nation-state-sponsored actor/
DPRK. Specifically, some of the attack techniques commonly used by this threat actor
include: use of Windows Admin Shares for Lateral Movement, custom Command
and Control (C2) that mimics TLS, adding new services on targets for Persistence,
Windows Firewall changes, Timestomping, Reflective DLL Injection, and a number of other
techniques (see for more details).

Based on the details above, this attack is a good example of the fact that, while ATM and
SWIFT transaction monitoring is important, it often is not enough, and may only give you 10-
20% of the required detection coverage. In order to detect modern threat actors targeting
banks, in addition to automatically baselining transactions, it is critical to also have the ability to
monitor and baseline the behavior of your users, your systems, and your networks to detect
anomalies (often 70-80%+ of success), and then connect all of the dots properly to detect an
attack in progress.

Detection – Securonix Behavior Analytics/Security Analytics

Based on the publicly available details available about the Cosmos Bank attacks, proper
visibility into the environment (both from the endpoint and network perspective) as well as
the ability to enrich and connect anomalies across different entities (users, frontend, backend,
jump servers, third-parties, SWIFT, SAG, and more) was most likely key to be able to detect this

Taking into account our expertise and the known techniques used by the threat actors
attributed to the attack, particularly Lazarus Group, some high-level examples of the relevant
Securonix behavior analytics/predictive indicators that could help detect such attacks in your
banking environment include:

• Suspicious Process Activity - Targeted – Frontend and backend Transaction Discrepancy
Analytic (This can be used to help detect malware activity utilized to compromise ATM
switches, e.g. where a TR enters a payment switch but never leaves for authorization, etc.)
• Suspicious SWIFT Endpoint Activity - Rare SAA Process/MD5 Analytic
• Suspicious SWIFT Activity - Amount – Unusual 103 For Source Analytic
• Suspicious ATM Activity - Peak Sequential Non-EMV Transactions For ATM Source Analytic
• Suspicious Network Activity – Amount – Unusual PCCR Changes Analytic (This can be
used to help detect unusual changes in the behavior of the ATM switches from a network
• Suspicious ATM Activity – Peak EMV Fallbacks to Magstripe Analytic


Figure 3: Example of Securonix Detecting Advanced Banking/SWIFT Cyber Attacks In Practice Using Security Analytics

• Suspicious Network Activity – Rare Outbound Network Connection For Host Analytic
(This can be used to help detect attack activity associated with the compromised ATM
• Suspicious ATM Activity – Peak *On-Us Transaction Volume For PAN Analytic
• Suspicious ATM Activity – Amount – Unusual Foreign Cash-out Volume Analytic
• Suspicious Transaction Activity – Targeted – Cash Withdrawal Limit Elimination Analytic
– Malicious threat actors manually changing cash withdrawal limits
• Suspicious Process Activity – Rare Scheduled Task For Host Analytic (This is an
example that can be used to detect one of the common techniques leveraged by
Lazarus Group to which the attacks were attributed.)
• Suspicious Process Activity – Targeted – Executable File Creation Analytic
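The first and fourth analytics above (frontend/backend transaction discrepancy, and bursts of non-EMV transactions at one ATM) can be prototyped by reconciling what the switch approved against what the core banking system actually received. The following is an added example, not Securonix code and not the bank's logs: the switch and CBS log lines are constructed, and the column names and the `ATM17`/`ATM42` identifiers are assumptions made for the illustration; the ISO 8583 field meanings in the comments (MTI 0200/0210, DE37, DE39, DE22) are standard.

```python
"""Reconcile ATM-switch approvals against core-banking (CBS) decisions."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed switch log, one row per ISO 8583 message seen by the switch.
# mti: 0200 financial request, 0210 response.  rrn: DE37 retrieval reference.
# rc: DE39 response code ("00" = approved).  entry: first two digits of
# DE22 POS entry mode ("05" = EMV chip, "90" = magstripe / fallback).
SWITCH_LOG = """ts,atm,rrn,mti,rc,entry,amount,country
2018-08-11T01:00:01,ATM17,000000001,0200,,05,5000,IN
2018-08-11T01:00:02,ATM17,000000001,0210,00,05,5000,IN
2018-08-11T01:02:10,ATM42,000000002,0200,,90,20000,IN
2018-08-11T01:02:11,ATM42,000000002,0210,00,90,20000,IN
2018-08-11T01:02:40,ATM42,000000003,0200,,90,20000,IN
2018-08-11T01:02:41,ATM42,000000003,0210,00,90,20000,IN
2018-08-11T01:03:05,ATM42,000000004,0200,,90,20000,IN
2018-08-11T01:03:06,ATM42,000000004,0210,00,90,20000,IN
"""
# Constructed CBS log: only the requests the core actually received.
CBS_LOG = """rrn,decision
000000001,APPROVED
"""

def parse(text):
    return list(csv.DictReader(StringIO(text)))

def unforwarded_approvals(switch_rows, cbs_rows):
    """RRNs approved at the switch (0210, rc=00) that the CBS never saw:
    the frontend/backend discrepancy a malicious proxy switch produces."""
    seen_by_cbs = {r["rrn"] for r in cbs_rows}
    approved = {r["rrn"] for r in switch_rows
                if r["mti"] == "0210" and r["rc"] == "00"}
    return sorted(approved - seen_by_cbs)

def magstripe_runs(switch_rows, min_run=3):
    """ATMs with at least min_run consecutive approved non-EMV withdrawals
    (cloned magstripe cards); a chip transaction resets the run."""
    runs, flagged = defaultdict(int), {}
    for r in switch_rows:
        if r["mti"] != "0210" or r["rc"] != "00":
            continue
        runs[r["atm"]] = runs[r["atm"]] + 1 if r["entry"] != "05" else 0
        if runs[r["atm"]] >= min_run:
            flagged[r["atm"]] = runs[r["atm"]]
    return flagged

if __name__ == "__main__":
    sw, cbs = parse(SWITCH_LOG), parse(CBS_LOG)
    print("approved at switch but unseen by CBS:", unforwarded_approvals(sw, cbs))
    print("non-EMV bursts per ATM:", magstripe_runs(sw))
```

In production the CBS side would be joined on RRN/STAN within a time window rather than a static set, and the run threshold tuned per ATM baseline.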

[1] Gitesh Shelke. Cosmos Bank Data From 9 Years Compromised. Times of India. 19
August 2018.
Last Accessed: August 20, 2018

[2] Penny Crossman. An ATM attack the FBI warned of came to pass. Expect more.
American Banker. 22 August 2018.
fefef5720000. Last Accessed: August 22, 2018

[3] Graeme Burton. ATM hackers steal $13.5m in 28 countries from India’s Cosmos Bank
– just days after FBI warning. 15 August 2018.
just-days-after-fbi-warning. Last Accessed: August 28, 2018

[4] ET Online. North Korean connection to Cosmos hacking? Signs point to Bangladesh
heist masterminds. 15 August 2018.
Last Accessed: August 28, 2018

[5] Geetha Nandikotkur. Information Security Media Group. Cosmos Bank Heist: No
Evidence Major Hacking Group Involved. August 29, 2018. https://www.inforisktoday.
Last Accessed: August 28, 2018

[6] Trend Micro. A Look into the Lazarus Group’s Operations. January 24, 2018. https://
the-lazarus-groups-operations. Last Accessed: August 28, 2018


Securonix is radically transforming all areas of data security with actionable security
intelligence. Our purpose-built, advanced security analytics technology mines, enriches,
analyzes, scores and visualizes customer data into actionable intelligence on the highest
risk threats from within and outside their environment. Using signature-less anomaly
detection techniques that track users, account and system behavior, Securonix is able to
detect the most advanced insider threats, data security and fraud attacks automatically
and accurately.

[email protected] | (310) 641-1000
