
Saturday, May 30, 2020

Sberbank Breached



Banks are located throughout the world. They perform vital services for consumers and commercial organizations in every country in which they operate, and they are connected with their respective nations' banking systems. Another commonality is that they hold a massive amount of data, which is very attractive to attackers for many reasons. This is also a concern for consumers, whose personally identifiable information (PII) ends up in the hands of unauthorized persons. Sberbank was targeted and data was removed without its authorization. Sberbank is Russia's largest bank, holding 45% of all retail deposits and 41% of consumer loans. In this instance, the Russian state owns the controlling stake in the bank.
Attack
Obviously, the attack was successful, which is a problem. The organization estimates the breach occurred near the end of August 2019. The cause of this breach is unfortunately somewhat common, in the US and abroad: with employees, there is always the chance of an internal threat from the disgruntled, greedy, or unhappy employee. In this case, the bank reported the breach of data was due to an employee's intentional acts. The bank noted it had to be an internal employee, since it considered the data's location impossible to breach from outside.

Later, the speculation ended when the bank reported the attacker had been apprehended. During the investigation, attention focused on one employee, who eventually confessed. The employee was the head of one of the bank's divisions and, as part of that role, had access to the databases, which explains how the data was exfiltrated despite its remote location and restricted access.
Data
With the attack, millions of Sberbank customers' personal data was allegedly leaked, according to initial reports. Fortunately for the affected persons, the target was the data; the funds in their account(s) were not targeted. The bank initially estimated that 60M Sberbank credit card holders had their personal data stolen and offered for sale on the dark web. This estimate appears to have been inflated, and the true number was far less, possibly as low as 5k. The last reported sale price was $0.08 per record.

Surprisingly, the data leak and the data being offered for sale were not noticed by the bank. Even if the amount of data was only 5k records, this seemingly should have triggered some form of alarm; after all, even a division manager would probably have no need to download 5k individual records, as that position would be more engaged with summaries and forward-looking goals. The leak was instead noticed by the cybersecurity firm DeviceLock Cybersecurity when it saw the data for sale on the dark web. At times, a seller may make fantastic claims about the composition of the data for sale. In this case, however, a sample of 200 credit card holders' data was verified, indicating the data was real. The data taken included credit card details, excluding the three-digit CVV, and place of employment for the last ten years. While the affected persons have a bit of good news in that the CVV was not included, they may still be targeted for fraud due to the nature of the data itself.
Follow-Through
After the bank was notified, it reported the incident and is working closely with law enforcement and the Central Bank of Russia to find the culprits. As noted, this was beneficial as the

Resources
Auyezov, O., & Lyrchikova, A. (2019, October 3). Russia’s sberbank investigating potential client data leak. Retrieved from https://www.reuters.com/article/us-sberbank-russia-dataprotection/russias-sberbank-investigating-potential-client-data-leak-idUSKBIN1@i0Wl

Hinchliffe, R. (2019, October 9). Russia’s sberbank catches internal culprit of data leak. Retrieved from https://www.fintechfutures.com/author/hinchliffer/

Leprince-Ringuet, D. (2019, October 4). Russia’s sberbank investigates credit card data leak. Retrieved from https://www.zdnet.com/article/russieas-sberbank-investigates-credit-card-data-leak

Ljubas, Z. (2019, October 19). Russia: Huge data leak hits sberbank. Retrieved from https://www.occrp.org/en/daily/10797-russia-huge-data-leak-hits-sberbank

PMNTS. (2019, October 4). Russia’s sberbank investigating potential client data leak. Retrieved from https://www.pymnts.com/news/security-and-risk/2019/russias-sberbank-investigating-cleint-data-leak/

Spadafora, A. (2019, October 3). Russia’s sberbank hit with huge data leak. Retrieved from https://www.techradar.com/news/russias-sberbank-hit-with-huge-data-leak
The Moscow Times. (2019, October 3). Sberbank hit by huge data breach. Retrieved from https://www.themoscowtimes.com/2019/10/03/sberbank-hit-by-huge-data-breach-a67570

Walker, J. (2019, October 8). Sberbank of Russia completes investigation into the dark web data leak. Retrieved from https://portswigger.net/daily-swig/sberbank-of-russia-completes-investigation-into-dark-web-data-leak  

Friday, May 3, 2019

Woesnotgone Meadow; May 4, 2019


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, our residents don't have many banking needs. We generally have the usual checking and deposit accounts, and mortgages. Occasionally, especially in the winter, our residents may not wish to visit Margie's window at the bank. Instead, they may check their balances, or whether a check has cleared, with an app on their smartphones, desktops, or laptops. When our residents have checked their accounts, they have used the two-factor authentication recommended by Margie. Generally, this has not been an issue. Current events have indicated there is an issue with this.

Banking is one of the industries where there should be an extra layer or two of security, just to ensure, as much as possible, that a client's money is not wired out to others by someone other than the client. To better secure transactions with mobile banking, an additional measure has been used for years: two-factor authentication, accepted as an additional layer of security. Recent events and attacks have indicated there is an unauthorized, malicious bypass for this security feature due to flaws in the SS7 protocol.

SS7 (Signaling System 7)
The SS7 protocol is used by telecom companies to coordinate how they route texts and calls globally. Significant flaws in the SS7 protocol have been known for years. The basic issue is the lack of authentication: the protocol does not verify who sent a signaling message. An attacker who gains access to the network may reroute a text message or call.
This may be used not only to intercept SMS and 2FA codes but also to gain unauthorized access to the user's personal data, with the potential for rather unpleasant circumstances for the users. Although known for years, this flaw/bug/feature is still viable. It is curious that this is still an issue, as the phone companies spend billions upgrading their networks. Although this initially may have been thought of as a theoretical problem, the attack has recently been verified many times.

There have been recent reports indicating that at least one UK bank, Metro Bank, had been targeted by attackers using this SS7 flaw to bypass the 2FA used with mobile applications. With banking targets, the attacker would first acquire the user's username and password, which could be accomplished through a simple phishing attack. When the user logs in, the bank sends a verification code to the user; with the SS7 attack, that message is intercepted by the attackers. While this does appear to be a rather simple and straightforward attack, it does take time to formulate and execute, and requires the user to accept the phishing hook. The attack, while involved, is still possible.

In the real world, the actual SS7 attacks began to empty bank clients' accounts in 2017, primarily in Germany. This spread and was being used throughout Europe. One bank confirming it was targeted and successfully attacked was Metro Bank, the UK-based bank. The bank did note, however, that only a small number of clients had been affected. This would be expected, as the first step involves a successful phishing attack.

This attack, while not designed for attacking the masses, reminds us even with the most current technology in use, if a third party which the business depends on has a faulty protocol or methodology, there is the direct opportunity for significant issues.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Android Police. (2019, February 3). UK bank falls victim to ss7 attacks, allowing cybercriminals to drain accounts and reminding us why SMS two-factor authentication sucks. Retrieved from https://www.technologybreakingnews.com/2019/02/uk-bank-falls-victim-to-ss7-attacks-allowing-cybercriminals-to-drain-accounts-and-reminding-us-why-sms-two-factor-authentication-sucks/

Cox, J. (2019, January 31). Criminals are tapping into the phone network backbone to empty bank accounts. Retrieved from https://motherboard.vice.com/en-us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank

Millman, R. (2019, February 4). Criminals hit metro bank with multi-factor authentication bypass ss7 attack. Retrieved from https://www.scmagazineuk.com/criminals-hit-metro-banks-multi-factor-authentication-bypass-ss7-attack/article/

Security Experts. (2019, February 4). Hackers targeting UK banks through ss7 banks. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/hackers-targetting-uk-banks/

Telegraph. (2019, February 3). Metro bank hit by cyber attack used to empty customer accounts. Retrieved from https://fireballcybersecurity.blogspot.com/2019/02/metro-bank-hit-by-cyber-attack-used-to.html

Thursday, December 6, 2018

Woesnotgone Meadow; November 30, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. The weather has been unusually cold earlier this week. This has kept many of the residents inside. With the activities limited by the cold, many people worked on their online banking, but not with HSBC Bank.

HSBC Bank has a presence in several countries. Notable for this case is the HSBC Bank subsidiary located in the US. Its system was attacked and compromised. The bank learned of this unauthorized access between October 4 and 14, 2018. The attackers were able to exfiltrate the data they targeted: clients' names, addresses, dates of birth, account numbers, transaction histories, payee details, and balances. With this data, the attackers, and whomever the data is sold to on the dark web, have the ability to make the affected parties' lives “interesting” for over the next decade. This data allows unauthorized parties to use the identity to falsely open accounts, access other websites at which the clients may have accounts, and overall keep these persons monitoring their credit reports.

This affected thousands of online customers of HSBC Bank USA. The bank did not publish the full amount but did state this number was less than 1% of the US customers. Based on this, the affected parties could number up to 12,000 persons. This was the initial estimate and may increase as time passes and the forensic review continues. The bank, per California state law, notified the California Attorney General, as the breach affected 500 or more California residents.

The bank, attempting to be the good corporate citizen and limit liability, suspended the affected online accounts. The bank also in response to the compromise worked to improve their client authentication process. They also recommended the clients update their passwords and add security features to their login. This included the usual recommendation of using a unique password and changing these regularly.

The compromise was due to some form of cybersecurity lapse; HSBC Bank has not, however, published how this occurred. The details noted so far seem to indicate this was a credential stuffing attack. This technique is so usable for attackers because users reuse the same usernames and passwords across different website logins: credentials from one breached login are tried at other likely websites and services.
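To make the credential stuffing hypothesis concrete, here is an added detection example (not the bank's code; the log lines are constructed) that distinguishes stuffing from an ordinary brute force: one source trying many different usernames inside a short window with mostly failures, rather than many passwords against one account. The few successes inside that run are the accounts that need a forced reset and session revocation first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not HSBC data): timestamp, source IP, username, result
SAMPLE_LOG = """\
2018-10-04T02:00:01Z 203.0.113.7 alice FAIL
2018-10-04T02:00:02Z 203.0.113.7 bob FAIL
2018-10-04T02:00:02Z 203.0.113.7 carol FAIL
2018-10-04T02:00:03Z 203.0.113.7 dave FAIL
2018-10-04T02:00:03Z 203.0.113.7 erin SUCCESS
2018-10-04T02:00:04Z 203.0.113.7 frank FAIL
2018-10-04T02:00:05Z 203.0.113.7 grace FAIL
2018-10-04T02:00:05Z 198.51.100.9 heidi FAIL
2018-10-04T02:00:06Z 198.51.100.9 heidi FAIL
2018-10-04T02:00:07Z 198.51.100.9 heidi SUCCESS
2018-10-04T09:15:00Z 192.0.2.44 ivan SUCCESS
"""


def parse_log(text):
    """Return (time, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.5):
    """Flag a source IP that tries at least `min_users` distinct usernames inside `window`
    with a low success ratio. A user who mistypes one password (198.51.100.9 above) never
    reaches the distinct-user threshold, so the rule does not fire on ordinary mistakes."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            run = evs[start:end + 1]
            users = {e[2] for e in run}
            hits = sorted({e[2] for e in run if e[3] == "SUCCESS"})
            if len(users) >= min_users and len(hits) / len(run) <= max_success_ratio:
                alerts.append({"ip": ip, "distinct_users": len(users),
                               "attempts": len(run), "compromised_candidates": hits})
                break   # one alert per source is enough to act on
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Real stuffing runs are spread across many proxy IPs, so in production the same window logic is usually keyed on something coarser than a single address (ASN, a device fingerprint, or the password hash of the attempt) and paired with rate limiting and a breached-password check at login.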

If anyone in the Meadow is using the same logins or passwords for multiple websites, you may want to change these to something unique.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
E Hacking News. (2018, November 7). HSBC online banking customers’ data compromised: Confirms the bank. Retrieved from https://www.ehackingnews.com/2018/11/hsbc-online-banking-customers-data.html

HSBC. (2018, November 2). Notice of data breach. Retrieved from https://oag.ca.gov/system/files/Res%20102923?20PIB%20Main%20v3_1.pdf

Nichols, S. (2018, November 6). HSBC now stands for hapless security, became compromised: Thousands of customer files snatched by crims. Retrieved from https://www.theregister.co.uk/2018/11/06/hsbc_security_broken/


Winder, D. (2018, November 6). HSBC bank USA admits breach exposing account numbers and transaction history. Retrieved from https://www.forbes.com/sites/daveywinder/2018/11/06/hsbc-bank-usa-admits-breach-exposingaccount-numbers-and-transaction-history/#394417d35af3

Saturday, November 10, 2018

Cosmos Bank Compromise

Banks are a universal feature throughout the world. They are present under varied forms of government, in various asset sizes, and make loans in various amounts, from the micro-loan of a few hundred dollars to millions of dollars in most cases. India is no different from other countries as it relates to banking. One of the banks in India is Cosmos Bank, which is the second-largest cooperative bank. The bank is based in the western city of Pune.

Attack
Banks are attacked and compromised for two primary reasons. There is ample personal data for the clients. This includes but is not limited to legal name, address, credit score, social security number, account numbers with balances, and an epic amount of further data. There is also the little issue of money, which may be exfiltrated physically or digitally.

This attack occurred from August 11 to 13, 2018. Malware was placed on the bank's ATM servers, which approve the transactions. What made this work so well was that the main banking system received debit card payment requests through a “switching system”. In the attack, this system was bypassed after the firewall had been bypassed: the attackers put a proxy switch in the network, and the approvals for the fraudulent payments were issued through this alternative, unauthorized false proxy.

The attack operation itself occurred within the three days, was well-planned, and was carried out in multiple phases. First, there were 12k-15k withdrawals from the affected accounts within a relatively short time period. The fraudulent proxy server approved the transactions without verifying the card's authenticity. These 12k withdrawals added up to a rather significant amount. Of the 12k transactions, a majority occurred overseas. The full list of countries in which these occurred had not yet been released; a sample includes Canada, Hong Kong, India, and other countries. The ATM portion of the overall attack operation occurred within 7 hours in these 22-28 countries with 450 cloned cards. Curiously, many of these transactions occurred in Canada. Even with these specific security issues, the bank's chairman stated the bank's security systems had not been compromised. Clearly, the attackers' operation was well-managed.

Later in the day on August 11, 2018, there were another 2,800 card transactions used to steal 2.5 crore rupees. Also, 944m rupees, or $13.5M USD, was wired to a Hong Kong-based entity. On August 13, 2018, the last day of the attack, $2.1M USD, or 13.94 crore rupees, was wired to ALM Trading Ltd., a Hong Kong company. The wires or transfers were done within the SWIFT system.

After the Attack
As a natural standard operating procedure, the bank filed a complaint with the police. The bank alleged in the complaint that the malware used by the attackers to breach the system was also used to clone the customers' cards. With the extent of the breach and what the attackers were able to accomplish, the situation makes one question what fraud and cybersecurity processes were in place at the bank and “actively” working.

The bank's response, in a statement, was that the bank had adequate IT security in place, although the facts discourage this interpretation. The bank also contracted with a professional cybersecurity forensic agency, which began reviewing the logs. As the investigation continues, there are a number of questions left to be answered. These include:
How many ATMs were used for the withdrawals across the various countries?
A large number of people had to be involved to operate and manage the attacks. What entity was the primary managing entity for the operation across all the countries?
With this large number of cards used in so many countries, who created and distributed these cards?
There should have been a fraudulent activity monitoring system in place, yet no issues were noted through a majority of the attack. Was this actively monitoring the system's transactions in real time?
The attack and exfiltration were unfortunate; however, this was a well-planned and distributed attack, and there are many areas to be reviewed.
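The last question above, whether anything was watching transactions in real time, is the one a defender can act on. As an added example (not Cosmos Bank's system; the withdrawal records are constructed), the following three rules show what a fraud monitor sitting beside the authorization switch should have tripped on during the ATM phase: the same card used in several countries within minutes, rapid-fire withdrawals on one card, and a fleet-wide spike in withdrawals per hour. The thresholds are illustrative assumptions, not the bank's settings.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ATM withdrawal records (not Cosmos Bank data): card id, ISO time, country, amount
SAMPLE_TXNS = [
    ("card-01", "2018-08-11T10:00:00", "IN", 10000),
    ("card-01", "2018-08-11T10:20:00", "CA", 400),
    ("card-01", "2018-08-11T10:25:00", "HK", 3000),
    ("card-02", "2018-08-11T10:05:00", "CA", 500),
    ("card-02", "2018-08-11T10:06:00", "CA", 500),
    ("card-02", "2018-08-11T10:07:00", "CA", 500),
    ("card-02", "2018-08-11T10:08:00", "CA", 500),
    ("card-03", "2018-08-11T11:00:00", "IN", 2000),
    ("card-03", "2018-08-12T09:00:00", "IN", 1500),
]


def _parsed(txns):
    rows = [(card, datetime.fromisoformat(ts), country, amount)
            for card, ts, country, amount in txns]
    return sorted(rows, key=lambda r: (r[0], r[1]))


def country_hop_alerts(txns, window=timedelta(hours=1)):
    """A physical card cannot be used in two countries minutes apart: flag consecutive
    withdrawals on one card from different countries inside `window` (a cloned-card signal)."""
    alerts, last = [], {}
    for card, when, country, _amount in _parsed(txns):
        if card in last:
            prev_when, prev_country = last[card]
            if country != prev_country and when - prev_when <= window:
                alerts.append({"card": card, "from": prev_country, "to": country,
                               "minutes": int((when - prev_when).total_seconds() // 60)})
        last[card] = (when, country)
    return alerts


def velocity_alerts(txns, window=timedelta(minutes=10), max_count=3):
    """Flag a card with more than `max_count` withdrawals inside `window`: the kind of
    rapid-fire cash-out a correctly functioning switch would have declined."""
    times = defaultdict(list)
    for card, when, _country, _amount in _parsed(txns):
        times[card].append(when)
    alerts = []
    for card, stamps in times.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > max_count:
                alerts.append({"card": card, "count": end - start + 1})
                break
    return alerts


def hourly_volume_alerts(txns, max_per_hour=2):
    """Fleet-wide check: withdrawals per clock hour across all cards against a baseline
    ceiling. Thousands of approvals in a few hours should stand out even if each card
    individually stays under its own limits."""
    buckets = defaultdict(int)
    for _card, when, _country, _amount in _parsed(txns):
        buckets[when.replace(minute=0, second=0, microsecond=0)] += 1
    return sorted((hour.isoformat(), n) for hour, n in buckets.items() if n > max_per_hour)


if __name__ == "__main__":
    print(country_hop_alerts(SAMPLE_TXNS))
    print(velocity_alerts(SAMPLE_TXNS))
    print(hourly_volume_alerts(SAMPLE_TXNS))
```

None of these rules depend on the switch that was bypassed: they consume the settlement or ATM-network feed independently, which is the point. A monitor that only sees what the compromised approval path reports sees nothing wrong.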


Resources

Dimitrova, M. (2018, August 16). Indian cosmos bank malware attack ends with theft of $13.5 million. Retrieved from https://securityboulevard.com/2018/08/indian-cosmos-bank-malware-attack-ends-with-theft-of-13-5-million/

Goswami, S. (2018, August 17). Police investigate cosmos bank hack. Retrieved from https://www.bankinfosecurity.com/police-investigate-cosmos-bank-hack-a-11379

Hindu Business Line. (2018). Cosmos bank’s server hacked; Rs 94 cr siphoned off in 2 days. Retrieved from https://www.thehindubusinessline.com/money-and-banking/cosmos-banks-server-hacked-rs-94-cr-siphoned-off-in-2days/article24675

Inamdar, N. (2018, August 14). 15,000 transactions in 7 hours: Cosmos bank’s server hacked, Rs 94 cr moved to Hong Kong. Retrieved from https://www.hindustantimes.com/india-news/15-000-transactions-in-7-hours-cosmos-bank-s-server-hacked-rs-94-cr-moved-to-hong-kong/story-wazUXZs3LRhcbPlg7Lyx

Jadhav, R. (2018, August 14). India’s cosmos bank loses $13.5 mln in cyber attack. Retrieved from https://www.reuters.com/article/cyber-heist-india/indias-cosmos-bank-loses-135-mln-in-cyber-attack-idUSL4N1V55l1G

Nichols, S. (2018, August 15). India’s cosmos bank raided for $13m by hackers. Retrieved from https://www.tgheregister.co.uk/2018/08/15/cosmos_bank_raided/

PTI. (2018, August 14). Cosmos bank’s server hacked; Rs 94 crore siphoned off in 2 days. Retrieved from https://enconomictimes.com/industry/banks-server-hacked-rs-94-crore-siphoned-off-in-2=days/articleshow/65399477/cms

Tanksale, M., & Iyer, S. (2018, August 14). Pune-based cosmos bank loses rs 94 crore in cyber attack. Retrieved from https://timesofindia.indiatimes.com/busienss/india-business/pune-based-cosmos-bank-loses-rs-94-crore-in-cyber-hack/cyber-hack/articleshow/65399204.cms

Wednesday, August 15, 2018

Let's Learn from our Mistakes!: Phishing is still an issue

A bank robber, after being apprehended, years ago was asked “Why did you rob the bank?” The simple and direct response was, “That’s where the money is.” There is no difference today. Organizations will be targeted due to an asset the attackers want access to. This may be data or information, or the familiar cash.

An incident happened to a bank in Virginia, and within eight months the same thing happened again. These incidents illustrate the importance of relevant, regular training against phishing attacks.

Incidents
The target was The National Bank of Virginia, located only in Virginia. The bank was compromised twice in eight months, and the total amount stolen was an estimated $2.4M. The first compromise was on May 28, 2016. This attack continued through Monday (Memorial Day), and was subsequently detected. The focus of this and the second successful compromise was cash. Once compromised, the money was stolen through hundreds of ATMs across North America with cards whose magnetic stripes had been encoded with the true users' data. In this first incident, the ATM withdrawals totaled $569,648.24.

Once detected, the bank contracted with Foregenix to complete the forensic review. In June 2016, the bank put in place the additional security protocols recommended. Curiously, the bank was breached again, allegedly by the same group, in January 2017. Through this attack, the attackers were able to steal $1.8M.

Methodology
The two rather deeply probing and expensive attacks were successfully completed with simple phishing emails with attachments. The user opens the email, clicks on the link or opens the attachment, and potentially the IR (Incident Response) Team and other operations have a long day and/or weekend. In the first attack, the initially compromised computer was used to compromise another. This second computer accessed the STAR Network, which is managed by First Data and is used to manage debit cards, transactions, customer accounts, and the use of ATM and bank cards.

With the compromised computer, the attackers had the ability to disable and modify the anti-theft and anti-fraud protections. These included the PIN, individual withdrawal limits, daily usage maximums for the debit cards, and fraud score protections.

The interesting twist is that, either by luck or by learning from the first attack, the attackers also gained access to Navigator, which the bank used to manage its customers' debits and credits.

During the second compromise, the attackers credited the bank's client accounts and took $1,833,984 out through several hundred ATMs. The second compromise also occurred over a weekend, between January 7 and 9, 2017. To make matters worse, the attackers modified the bank's critical security controls to suit their needs or removed them.
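Because the attackers modified or removed the bank's fraud controls, the defensive lesson is to treat those settings as an integrity-monitored asset rather than as ordinary configuration. The added example below (not the bank's or First Data's code; the setting names and values are constructed) keeps a fingerprint of the approved settings, classifies each change by whether it weakens a control, and escalates weakening changes that land on a weekend or at night, which is when both compromises described here ran.

```python
import hashlib
import json
from datetime import datetime

# Constructed approved settings for a card-control system (not the bank's actual configuration)
BASELINE = {
    "pin_verification": True,
    "fraud_scoring": True,
    "daily_withdrawal_limit": 500,
    "per_transaction_limit": 300,
    "max_daily_transactions": 5,
}

# Constructed snapshot of the kind of state the text describes: checks disabled, limits raised
TAMPERED = {
    "pin_verification": False,
    "fraud_scoring": False,
    "daily_withdrawal_limit": 50000,
    "per_transaction_limit": 300,
    "max_daily_transactions": 500,
}


def fingerprint(settings):
    """Stable hash of a settings dict, suitable for storing alongside the approved baseline."""
    return hashlib.sha256(json.dumps(settings, sort_keys=True).encode()).hexdigest()


def control_drift(baseline, current):
    """List every key that differs. A change that weakens a control (a True check turned
    off or removed, a numeric limit raised) is 'critical'; any other change is 'review'."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        if isinstance(old, bool):
            weakened = old and not new
        elif isinstance(old, (int, float)) and isinstance(new, (int, float)):
            weakened = new > old
        else:
            weakened = False
        findings.append({"key": key, "old": old, "new": new,
                         "severity": "critical" if weakened else "review"})
    return findings


def audit(baseline, current, changed_at):
    """Combine drift with timing: a critical weakening that lands on a weekend or outside
    business hours should page someone immediately rather than wait for Monday."""
    findings = control_drift(baseline, current)
    off_hours = changed_at.weekday() >= 5 or not (8 <= changed_at.hour < 18)
    critical = [f for f in findings if f["severity"] == "critical"]
    return {
        "fingerprint_changed": fingerprint(baseline) != fingerprint(current),
        "off_hours": off_hours,
        "findings": findings,
        "escalate": bool(critical) and off_hours,
    }


if __name__ == "__main__":
    report = audit(BASELINE, TAMPERED, datetime(2017, 1, 8, 3, 0))  # a Sunday, 03:00
    for finding in report["findings"]:
        print(finding)
    print("escalate:", report["escalate"])
```

The check is only as trustworthy as the place the baseline fingerprint lives: store it somewhere the card-control host cannot write (a separate logging or SIEM system), since the attackers here had enough access to edit the settings and could just as easily have edited a baseline kept beside them.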

For the second compromise, Verizon was contracted for the forensic review. Verizon noted this was probably done by the same attackers, and that the method of entry was a malicious Word document attached to the phishing email.

Cyber-Insurance
The bank did have cyber-insurance in place and in force at the time of the attacks; the insurer was Everest National Insurance Company. Once the claim(s) had been filed, the insurer did not want to pay. There were two exclusions, and the insurance company claimed this fell under its Debit Card rider. The bank then filed a lawsuit in the Western District Court of Virginia, Roanoke Division (Civil Action No 7:18CV310).

Lessons Learned
Cybersecurity presents a new environment for the enterprise to thrive in. One aspect that is particularly new is cyber-insurance. The insurance industry is still working out how these policies work, how they are interpreted, and how they are applied. In purchasing this insurance, the business needs to be wary and complete its due diligence, so senior management is aware of the coverage, as far as they are able.

One aspect to fully explore is the exclusion riders. These, when possible, should be minimized in number. Where they are required, any ambiguity in the wording should be explored, detailed, and documented, so that ambiguities are limited. Notwithstanding a section to the contrary, the emails and other documents should fill in the gaps.

Exclusions work to limit the insurance company's exposure to certain attacks. The industry may not know of a certain attack, or of one that has not been published yet; the attack vector may not be known yet. The business may be waiving its right to coverage for an unknown attack, or for one that has not been created yet.

The business should actively consider consulting an attorney specializing in this area with regard to the cyber-insurance policy and rider. The agreement and rider are written with the insurance company's interests in mind. The sections and riders may be vague where that serves the insurer, allowing exclusions to be applied where the insurer needs them.

Insurance works, in theory and in practice, by pooling risk. The pool consists of individual policies. The insurance companies use large mathematical formulas to determine what factors to take into account. The larger the pool, presumably the less overall risk, the fewer claims, and subsequently the larger the profits. If there are too many claims, the insurance company's profits will be lower. These organizations are profit-driven, not altruistic entities.

Even if the organization follows industry standards and recommendations, there may be issues. The InfoSec environment is ever-changing. There are new attacks, updated old attacks, nuances, or old issues never fixed. To anticipate every issue and attack angle is not possible.

Phishing continues to be a rather viable attack vector. These emails can be skillfully crafted, with the business's symbols and graphics. All it takes is one person in the right department (e.g. accounting, finance, tax, or Human Resources) clicking on one link, and the business operations can get very interesting, very quickly. The phishing training needs to be regular and relevant.

Resources
Krebs, B. (2018, July 18). Hackers breached virginia bank twice in eight months, stole $2.4m. Retrieved from https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/

Thursday, June 21, 2018

Bank Client's PII Valuable


Banks have the privilege of collecting our data and storing it for their uses. As the banks store this data and information, they are acting as stewards of it. As a responsible steward, there are certain aspects of InfoSec which a reasonably prudent bank would deploy to protect the bank, its assets, and its customers' data.
Apparently, there was an issue at two banks which allowed an oversight to occur (https://www.ehackingnews.com/2018/05/two-financial-institutions.html, http://www.palada.net/index.php/2018/05/29/news-6184/, & http://www.cbc.ca/news/business/simplii-data-hack-1.4680575). In May 2018, the Bank of Montreal and Simplii Financial, owned by CIBC, announced their alleged breach. Simplii Financial is CIBC's direct banking brand. The affected clients number approximately 90k people. Their accounts may have been accessed by the attacker or by the people the data was sold to, as evidenced by the Bank of Montreal receiving a tip stating a limited number of people's accounts had been accessed by unauthorized parties.
After the breach was noted and analysis began, Simplii began to implement additional measures to improve its online cybersecurity. This included, but was not limited to, fraud monitoring and measures to monitor online banking more closely.
To make things worse, the attackers threatened to release the data from the compromise and exfiltration. The attackers would not release it if the banks paid them $1M on or before May 28th. The Bank of Montreal did not pay the attackers' ransom, focusing its efforts instead on its clients.
In this day and age, banks and other entities and institutions have to be more proactive in implementing defense in depth to ensure, as much as possible, the security of client data. At times, budgets, internal politics, and other timing issues slow these implementations. These, however, should be pushed more to the front of development and implementation. The alternative is to be breached, have the opportunity to publish the breach and claim only highly trained “hackers” could have done this, etc., and pay fees.



Friday, May 11, 2018

Suntrust insider threat issues

Insider threats have to be accounted for in some form or manner. Although the business would hope this would not be an issue, at times it still is. In particular, the business owner or senior management should be aware of potential issues. Notably, the insider threat has the potential to be devastating, especially when the insider is acting maliciously.
A recent and unfortunate incident involved SunTrust. In February 2018, one of their former employees attempted to steal an estimated 1.5M clients' data. The prior employee's intent was to sell this to a third party for criminal uses.
Any data stolen is not a good thing for the institution and its clients. In this case, it could have been much worse. The data stolen was the clients' names, addresses, phone numbers, and account balances. Fortunately, the PII (e.g. social security number, account number, PIN, user ID, password, or driver's license number) was not included.
The prior employee did work to copy the data but was not able to remove it from the bank.
Other malicious insider attacks have been worse. The more data that is stolen and exfiltrated, the greater the level of potential liability. To alleviate a majority of this potential issue, businesses should put in place a robust program, or set of programs, to monitor user behavior. This would act to safeguard the data and report issues in a timely manner.
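Both this SunTrust case and the Sberbank division-head case earlier on this page come down to the same question: why did nobody notice a single user pulling thousands of customer records? The following added example (not either bank's code; the audit records, user names, roles and baselines are constructed) shows the two checks such a user-behavior monitoring program would start with: a single query returning far more rows than is normal for the user's role, and a daily total that catches the same export done as many small queries, with off-hours reads of PII tables recorded as an extra signal.

```python
from collections import defaultdict
from datetime import datetime

# Constructed database audit records (no real bank data): time, user, role, table, rows returned
SAMPLE_AUDIT = """\
2019-08-28T09:02:11 user_a division_head customer_pii 40
2019-08-28T09:40:05 user_a division_head customer_pii 25
2019-08-28T22:14:30 user_a division_head customer_pii 5000
2019-08-28T10:01:00 user_b analyst card_summary 300
2019-08-28T10:05:00 user_b analyst card_summary 280
2019-08-28T11:30:00 user_c teller customer_pii 1
"""

# Constructed per-role baselines: rows a query from that role normally returns (e.g. a 95th percentile
# learned from history). A division head works from summaries, so the baseline is small.
ROLE_BASELINE_ROWS = {"division_head": 50, "analyst": 500, "teller": 5}
PII_TABLES = {"customer_pii"}
BUSINESS_HOURS = (8, 19)  # inclusive start hour, exclusive end hour


def parse_audit(text):
    """Return (time, user, role, table, rows) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, table, rows = line.split()
        events.append((datetime.fromisoformat(ts), user, role, table, int(rows)))
    return sorted(events)


def bulk_access_alerts(events, multiplier=10):
    """Query-level alert when one result exceeds `multiplier` times the role baseline, with an
    off-hours PII read added as a second reason; daily alert when a user's total for the day
    exceeds the same ceiling, which catches a 'low and slow' export made of small queries."""
    alerts = []
    daily = defaultdict(int)
    for when, user, role, table, rows in events:
        baseline = ROLE_BASELINE_ROWS.get(role, 0)
        daily[(user, role, when.date())] += rows
        reasons = []
        if rows > baseline * multiplier:
            reasons.append("rows_over_baseline")
        if table in PII_TABLES and not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]):
            reasons.append("off_hours_pii")
        if reasons:
            alerts.append({"kind": "query", "user": user, "role": role, "table": table,
                           "rows": rows, "at": when.isoformat(), "reasons": reasons})
    for (user, role, day), total in sorted(daily.items()):
        if total > ROLE_BASELINE_ROWS.get(role, 0) * multiplier:
            alerts.append({"kind": "daily", "user": user, "role": role,
                           "date": day.isoformat(), "rows": total})
    return alerts


if __name__ == "__main__":
    for alert in bulk_access_alerts(parse_audit(SAMPLE_AUDIT)):
        print(alert)
```

The baseline is per role rather than per user on purpose: a malicious insider can slowly inflate their own history, but not the distribution for everyone who shares their job. Pairing this with a hard row cap enforced by the database itself, and with DLP on the endpoint (the control that stopped the SunTrust copy from leaving), closes the gap the Sberbank case left open.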

Resources
E-Hacking News. (2018, April 23). SunTrust bank’s former employee stole details of 1.5 million. Retrieved from http://www.ehackingnews.com/2018/04/suntrust-banks-former-employee-stole.html

Zorz, Z. (2018, April 23). Former SunTrust employee stole data on 1.5 million clients. Retrieved from https://www.helpnetsecurity.com/2018/04/23/suntrust-stolen-data/