

Editor’s Note: This post was originally published on 28th October 2018 and is being continuously updated with the latest information.
Hackers have waged a sophisticated cyber-attack against BankIslami, an Islamic bank in Pakistan, resulting in the theft of around $6 million via fraudulent ATM and POS transactions from different countries. Reports claim that 5000 accounts have been compromised in this attack and that it might be the biggest cyber-attack in the history of Pakistan.
The alleged security breach first came to light on October 27, when the bank detected abnormal transactions on one of its international payment card schemes. Customers of the bank also received automated messages about their payment cards being used in different countries. The bank did not disclose the breach until the hackers had possibly put payment card data and PINs up for sale on the dark web for about $75. The bank has temporarily shut down all transactions routed through international payment schemes.
State Bank of Pakistan (SBP) Directives
“As a result of security breach of payment cards of one of the banks in Pakistan yesterday and their unauthorized use on different delivery channels i.e. at ATMs and POS in different countries, the bank has temporarily restricted usage of its cards for overseas transactions,” State Bank said in a statement yesterday.
SBP instructed the affected bank to take all necessary measures to trace the vulnerability and fix it immediately.
The affected bank has also been directed to issue an advisory on precautionary measures that customers should take. All banks have been directed:
- To make sure that resources are deployed to ensure 24/7 real-time monitoring of card operations systems and transactions, and to coordinate immediately with all payment schemes, switch operators and media service providers integrated with the banks, in order to identify any malicious activity or suspicious transactions.
- To foster arrangements that ensure the security of all payment cards in the country and to monitor card usage activity in real time, especially for overseas transactions.
SBP said that it would continue to assess these developments in coordination with banks and take further measures if required. Banks across Pakistan are directed to ensure that security measures on all IT systems, including those related to card operations, are continuously updated to meet any future challenges.
Attack Vector
The FASTCash scheme, in which attackers remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, is a possible attack vector for this hack.
When a payment card is used at an ATM or POS terminal, the terminal sends an authorization request to the bank’s switch application server, which validates the transaction against the core banking system and then approves or declines it based on the account balance. Malware installed on a compromised switch application server intercepts the authorization requests associated with the attackers’ own payment cards and responds with a fake but legitimate-looking approval, without ever checking the available balance with the core banking system. The terminal is thus fooled into processing the transaction or dispensing large amounts of cash, and no record of the transaction reaches the bank’s core systems.
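Because the forged approvals never reach the core banking system, the most direct detective control is to reconcile the switch’s authorization log against the core’s decision log and flag approvals the core never issued. The script below is an added example written for this post (not the advisory’s or any vendor’s code); the two log formats and the transactions in them are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample of the switch's authorization log:
# (txn_id, pan_last4, amount, switch_response)
SWITCH_LOG = [
    ("T1001", "4821", 200.00, "APPROVED"),
    ("T1002", "9913", 500.00, "APPROVED"),   # never reached core banking
    ("T1003", "4821", 150.00, "DECLINED"),
    ("T1004", "9913", 500.00, "APPROVED"),   # never reached core banking
    ("T1005", "7730", 80.00, "APPROVED"),
    ("T1006", "7730", 900.00, "APPROVED"),   # core actually declined this one
]

# Constructed sample of the core-banking decision log:
# (txn_id, pan_last4, available_balance, core_decision)
CORE_LOG = [
    ("T1001", "4821", 1200.00, "APPROVED"),
    ("T1003", "4821", 100.00, "DECLINED"),
    ("T1005", "7730", 300.00, "APPROVED"),
    ("T1006", "7730", 220.00, "DECLINED"),
]


def find_unbacked_approvals(switch_log, core_log):
    """Return switch approvals with no matching APPROVED decision from core.

    Each hit is (txn_id, pan_last4, amount, core_decision); core_decision is
    None when core banking never saw the transaction at all, which is exactly
    what a switch answering on its own produces.
    """
    core_by_id = {txn_id: decision for txn_id, _, _, decision in core_log}
    hits = []
    for txn_id, pan4, amount, response in switch_log:
        if response != "APPROVED":
            continue
        core_decision = core_by_id.get(txn_id)
        if core_decision != "APPROVED":
            hits.append((txn_id, pan4, amount, core_decision))
    return hits


def cash_out_by_card(hits):
    """Total unbacked cash per card. A small set of cards drained repeatedly
    is the pattern to escalate; a single mismatch may be a timing artifact."""
    totals = defaultdict(float)
    for _, pan4, amount, _ in hits:
        totals[pan4] += amount
    return dict(totals)


if __name__ == "__main__":
    hits = find_unbacked_approvals(SWITCH_LOG, CORE_LOG)
    for txn_id, pan4, amount, core in hits:
        print(f"{txn_id} card *{pan4} amount {amount:.2f} core decision: {core}")
    print("unbacked cash per card:", cash_out_by_card(hits))
```

In production the join key would be the scheme’s transaction identifiers (STAN, RRN and PAN) rather than a simple id, and the reconciliation should run near real time so that the per-card totals can trigger a card block while the cash-out is still in progress.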
Rewterz published important advisories on similar attacks earlier this month, Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash and North Korean State-Funded APT38 Launches Financially Motivated Attacks Worldwide, which include mitigation recommendations for institutions that operate payment processing systems.
“Since at least 2014, hacker group involved in FASTCash campaign has conducted operations in more than 16 organizations in at least 11 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources,” FireEye researchers said in a blog post.
Based on known attacks, an APT attacker spends an average of 155 days camped out in an attacked organization’s networks, and in one case had two years of access to a victim’s network, FireEye says.
“APT attacker executes sophisticated bank heists typically featuring long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom-developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards,” FireEye says.
“The group is careful, calculated and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions and system technologies to achieve its goals.”
The U.S. Computer Emergency Readiness Team issued an alert about “malicious cyber activity by the North Korean government” – which it refers to as Hidden Cobra – perpetrating an ATM cash-out scheme, which the U.S. government refers to as “FASTCash.”
US-CERT’s “Hidden Cobra – FASTCash Campaign” alert says that the attack campaign has been operating since 2016 and so far targeted institutions in Asia and Africa with malware designed to “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.”
“The initial infection vector used to compromise victim networks is unknown; however, analysts surmise Hidden Cobra actors used spear-phishing emails in targeted attacks against bank employees,” US-CERT says. “Hidden Cobra actors likely used Windows-based malware to explore a bank’s network to identify the payment switch application server.”
Attackers will likely move beyond targeting banks, US-CERT warns. “The U.S. government assesses that Hidden Cobra actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation,” it says.
Pakistani Banks Card Data on Dark Web
As you are probably aware, some analyses are connecting this attack with Pakistani banks’ card data being up for sale on the dark web. According to various sources, a report is being circulated regarding the sale of Pakistani banks’ card data, which shows that more than 8000 cards of different banks are available for sale on the dark web and on carding websites.
The Rewterz Threat Intelligence Team has carried out an in-depth analysis and assesses that this report was created from a third-tier dark web card shop. Third-tier shops are mostly easy to access and do not offer reliable data. The card dump was posted on a shop yesterday; however, it was taken down by the seller on the same day. Further analysis showed that the dump consisted of old skimmed card data from different banks, so probably 99.9% of the data is either bogus or belongs to blocked cards. Research shows that reliable and authentic data is available on first-tier card shops, which sell verified cards with a refund offer if a card does not work. Our threat intelligence team is further investigating and endeavouring to acquire all the available card data so that further analysis can be carried out.
Therefore, it can be assumed that, in order to create chaos and further exploit the turmoil in Pakistan, the seller consolidated all the skimmed card data available from the past and posted it together.
According to our intelligence, the hackers carried out a targeted and sophisticated attack on a local bank, similar to what we have seen in FASTCash. Skimmed cards do not have the capacity to launch an attack on this scale.
Recommendations
- Implement chip and Personal Identification Number (PIN) requirements for debit cards.
- Validate card-generated authorization request cryptograms.
- Use issuer-generated authorization response cryptograms for response messages.
- Require card-generated authorization response cryptogram validation to verify legitimate response messages.
- Require two-factor authentication before any user can access the switch application server.
- Verify that perimeter security controls prevent internet hosts from accessing the private network infrastructure servicing your payment switch application server.
- Verify that perimeter security controls prevent all hosts outside of authorized endpoints from accessing your system.
- Configure the switch application server to log transactions. Routinely audit transactions and system logs.
- Develop a baseline of expected software, users, and logons. Monitor switch application servers for unusual software installations, updates, account changes, or other activity outside of expected behavior.
- Develop a baseline of expected transaction participants, amounts, frequency, and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.
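The cryptogram recommendations above are what make a forged switch response detectable at the card: the issuer signs its decision as an authorization response cryptogram (ARPC) bound to the card’s request cryptogram (ARQC), and a switch that never consulted the issuer cannot produce one. The following is an added example written for this post, not the advisory’s own code or a real EMV implementation: it substitutes a truncated HMAC-SHA256 for EMV’s 3DES-based cryptograms and a fixed per-card key for the key EMV derives from an issuer master key, so the key handling and MAC are simplifications; the message layout, response codes and balances are constructed.

```python
import hashlib
import hmac

# Constructed per-card key shared by the chip and the issuer. Real EMV derives
# this from an issuer master key per card; a fixed value stands in here.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _mac(key, data):
    """8-byte MAC; HMAC-SHA256 stands in for EMV's 3DES-based MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def card_build_arqc(card_key, amount_cents, atc, unpredictable_number):
    """Card side: request cryptogram over amount, transaction counter and the
    terminal's unpredictable number, so a captured ARQC cannot be reused."""
    data = (amount_cents.to_bytes(6, "big") + atc.to_bytes(2, "big")
            + unpredictable_number)
    return _mac(card_key, data)


def issuer_authorize(card_key, amount_cents, atc, unpredictable_number,
                     arqc, balance_cents):
    """Issuer side: validate the ARQC, decide on the balance, and sign the
    decision as an ARPC. Returns (response_code, arpc)."""
    expected = card_build_arqc(card_key, amount_cents, atc, unpredictable_number)
    if not hmac.compare_digest(expected, arqc):
        return "05", None          # cryptogram failed: decline, no ARPC
    code = "00" if amount_cents <= balance_cents else "51"  # 00 approve, 51 NSF
    return code, _mac(card_key, arqc + code.encode())


def card_verify_arpc(card_key, arqc, response_code, arpc):
    """Card side: accept the response only if the ARPC binds this exact ARQC
    to this exact response code."""
    if arpc is None or len(arpc) != 8:
        return False
    return hmac.compare_digest(_mac(card_key, arqc + response_code.encode()), arpc)


def run_scenarios():
    """Honest issuer path versus responses a compromised switch could craft."""
    amount, atc, un = 50_000, 17, bytes.fromhex("deadbeef")
    arqc = card_build_arqc(CARD_KEY, amount, atc, un)

    # 1. Honest path: issuer sees the request, balance covers it, ARPC verifies.
    code, arpc = issuer_authorize(CARD_KEY, amount, atc, un, arqc, 80_000)
    honest = card_verify_arpc(CARD_KEY, arqc, code, arpc)

    # 2. Switch answers "00" on its own. Without the card key it can only
    #    send filler (zero bytes here), which the card rejects.
    forged = card_verify_arpc(CARD_KEY, arqc, "00", bytes(8))

    # 3. Issuer declines for insufficient funds and signs "51"; a switch
    #    rewriting the code to "00" breaks the binding and is rejected.
    code51, arpc51 = issuer_authorize(CARD_KEY, amount, atc, un, arqc, 10_000)
    flipped = card_verify_arpc(CARD_KEY, arqc, "00", arpc51)
    genuine_decline = card_verify_arpc(CARD_KEY, arqc, code51, arpc51)

    # 4. Request with a modified amount under the same ARQC fails at the issuer.
    tampered_code, _ = issuer_authorize(CARD_KEY, amount + 1, atc, un, arqc, 80_000)

    return {"honest": (code, honest), "forged": forged,
            "flipped": (code51, flipped), "genuine_decline": genuine_decline,
            "tampered_request": tampered_code}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The control only bites when the card or terminal actually enforces ARPC validation, which is why the list above pairs issuer-generated ARPCs with a requirement that the card validate them; a terminal that approves without a valid ARPC leaves the switch as the single point of trust.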
Rewterz’s SOC team has released specific recommendations for internal security monitoring and incident response teams to help them detect such advanced APT attacks.
Integration for Cyber Security Monitoring Visibility
The following should be enabled and integrated into your centralized security monitoring platform, such as a SIEM or log management system, to detect such advanced APT attacks:
- Network flows for visibility of inbound/outbound traffic and network insight.
- Detailed system and application auditing besides standard logs.
- Process tracking and network share object auditing.
- Command-line parameter logging should be enabled together with process tracking; this helps analysts understand the parameters the attacker passed to each process.
- Authentication events.
- Database events.
- Advanced malware events.
Use Cases for Cyber Security Monitoring of Switch Application Servers (SWIFT, IRIS, Nimbus, etc.)
- Outbound connections towards external and local networks from switch application servers.
- Inbound connections from external and local networks towards servers.
- Excessive internal and external connections.
- Excessive connections made by any process in application servers.
- Application servers’ traffic on unknown and high ports.
- Traffic deviations.
- IoC hits on servers from advanced malware.
- Traffic of the administrators who manage switch application servers.
- Any activity being performed on servers by administrators.
- All authentication performed by processes and services on switch application servers.
- All authentication attempts on servers.
- Monitor applications and services that are talking to other systems.
- Monitor all the extensions and processes of these systems with their path of execution, specifically for bin, js, ps1, exe, vbs, png, rtf, docm, xlsm, xltm, bat, jar, msi, scr, hta, cmd, vbe, txt, jse, lnk, and inf.
- All activities of privileged users logged in to switch application servers.
- File share activities of privileged users.
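To show how the integration points and use cases above turn into concrete detection logic, here is an added example written for this post (not the SOC team’s rules or any SIEM product’s syntax). It evaluates three of the use cases, outbound connections from switch servers to external networks, traffic on ports outside the expected set, and process executions outside the software baseline with their command lines, against a handful of constructed, normalized events; the host names, allowlists, paths and IP addresses are all assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed inventory and baselines for the switch application servers.
SWITCH_HOSTS = {"SWITCH-APP-01", "SWITCH-APP-02"}
BASELINE_IMAGES = {                      # expected software on these hosts
    r"C:\SwitchApp\bin\switchsvc.exe",
    r"C:\Windows\System32\svchost.exe",
}
ALLOWED_REMOTE_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # payment LAN
ALLOWED_REMOTE_PORTS = {443, 1433, 8583}  # assumed: HTTPS, DB, ISO 8583 link
# Extensions the advisory lists for execution-path monitoring.
WATCHED_EXTENSIONS = {
    "bin", "js", "ps1", "exe", "vbs", "png", "rtf", "docm", "xlsm", "xltm",
    "bat", "jar", "msi", "scr", "hta", "cmd", "vbe", "txt", "jse", "lnk", "inf",
}

# Constructed sample events, already normalized by the collector.
EVENTS = [
    {"type": "network", "host": "SWITCH-APP-01", "direction": "outbound",
     "remote_ip": "10.20.5.7", "remote_port": 1433,
     "process": r"C:\SwitchApp\bin\switchsvc.exe"},
    {"type": "network", "host": "SWITCH-APP-01", "direction": "outbound",
     "remote_ip": "203.0.113.45", "remote_port": 4444,
     "process": r"C:\Windows\Temp\upd.exe"},
    {"type": "process", "host": "SWITCH-APP-01", "user": "SVC_SWITCH",
     "image": r"C:\Windows\Temp\upd.exe", "cmdline": "upd.exe --server 203.0.113.45"},
    {"type": "process", "host": "SWITCH-APP-02", "user": "SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "host": "SWITCH-APP-02", "user": "admin",
     "image": r"C:\Users\admin\Downloads\report.ps1",
     "cmdline": "powershell.exe -File report.ps1"},
    {"type": "network", "host": "SWITCH-APP-02", "direction": "inbound",
     "remote_ip": "10.20.9.3", "remote_port": 8583,
     "process": r"C:\SwitchApp\bin\switchsvc.exe"},
]


def _is_allowed_net(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED_REMOTE_NETS)


def evaluate(events):
    """Apply the use cases to switch-server events; returns (rule, host, detail)."""
    alerts = []
    for ev in events:
        if ev["host"] not in SWITCH_HOSTS:
            continue
        if ev["type"] == "network":
            peer = f'{ev["remote_ip"]}:{ev["remote_port"]} by {ev["process"]}'
            if ev["direction"] == "outbound" and not _is_allowed_net(ev["remote_ip"]):
                alerts.append(("OUTBOUND_EXTERNAL", ev["host"], peer))
            if ev["remote_port"] not in ALLOWED_REMOTE_PORTS:
                alerts.append(("UNKNOWN_PORT", ev["host"], peer))
        elif ev["type"] == "process":
            ext = ev["image"].rsplit(".", 1)[-1].lower()
            if ev["image"] not in BASELINE_IMAGES and ext in WATCHED_EXTENSIONS:
                # Command line is attached because process tracking alone
                # does not tell the analyst what was passed to the binary.
                detail = f'{ev["image"]} user={ev["user"]} cmdline={ev["cmdline"]}'
                alerts.append(("NON_BASELINE_PROCESS", ev["host"], detail))
    return alerts


def alerts_by_host(alerts):
    """Per-host alert counts, a cheap triage view for 'excessive' activity."""
    return dict(Counter(host for _, host, _ in alerts))


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for rule, host, detail in found:
        print(f"[{rule}] {host}: {detail}")
    print(alerts_by_host(found))
```

The baseline sets are the important part: the rules are only as good as the inventory of expected images, networks and ports, which is why the recommendations above put “develop a baseline” before “monitor for deviations”.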