Global financial network SWIFT warns about malware targeting banks

May 15, 2016 |

Cyber attacks on banks are nothing new. Banks not surprisingly generally have better cybersecurity systems than most organisations, though not universally so.  One form of attack against banks (and here) is by means of malicious software, also known as malware. Malware is a regularly occurring problem with businesses and organisations of all types such as accountants, American Dental Association, government bodies, hotels and small businesses.

The global financial network SWIFT has issued a warning about a new very sophisticated malware threat which is obviously designed to exploit a vulnerability but has an understanding of a banks operational controls and is designed to minimise detection through the usual checks banks have in place. The latest malware attack is based on corrupting a PDF read application banks use to view confirmations of payments.

It is relevant to have regard to a very recent speech by the chief information security officer at the Bank of England, Will Brandon, who there is a “clear and present danger” from cyber risk where he noted:

  • firms should have a system of oversight that provides “a formal means for the business to assess and manage risk”.
  • firms should try to quantify the cyber risk by assessments or testing
  • it is critical to know the systems or information which underpin the “critical business processes,”
  • it is critical to ensure that the owners of  information assets are the owners of the business processes they support.

It is apt that the UK Government has issued a cyber security breaches survey for 2016.  It provides dismal reading. Some of the salient findings are:

  • 65% of major UK businesses experienced at least one cyber security breach or attack in the past year
  • a quarter of large firms falling victim to breaches experiencing such incidents at least a monthly basis.
  • 29% of UK companies have written cyber security policies
  • 10% of businesses have “formal incident management processes”
  • there is a gap between awareness and action on cyber risk.
  • 13% of all UK companies, and 34% of large UK businesses, “set minimum cyber security standards for their suppliers”.
  • only 20% of UK companies “validate the suppliers” of cloud computing services,.
  • 37% of UK companies said they have “some form of cyber security insurance”, .
  • On average, security breaches cost large UK businesses £36,500 per incident, although one such incident cost one business £3 million.

There is no reason to suppose the situation in Australian is any different.

This malware highlights the need for organisations to maintain proper data security on an ongoing basis.  For organisations which are obvious targets for cyber criminals that means an ongoing focus on understanding the nature of the threat and having both adequate cyber security as well as means of detecting a penetration.

The SWIFT notice provides:

As we notified you in our earlier communications, we are aware of a small number of recent cases of fraud at customer firms. First and foremost we would like to reassure you again that the SWIFT network, core messaging services and software have not been compromised. We have however now learnt more about a second instance in which malware was used – again directed at banks’ secondary controls, but which in this instance targets a PDF Reader used by the customer to check its statement messages.

Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks.
In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud. 

The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both.

Preventative Controls

As a matter of urgency we remind all customers again to urgently review controls in their payments environments, to all their messaging, payments and ebanking channels. This includes everything from employee checks to password protection to cyber defences. We recommend that customers consider third party assurance reviews and, where necessary, ask your correspondent banks and service bureaux to work with you on enhanced arrangements.

We also urge all customers to be forthcoming when these issues occur so that the fraudsters can be tracked by the authorities, and SWIFT can inform the rest of community about any findings that may have a bearing on wider security issues.

In the meantime we would like to reassure you that the SWIFT network, SWIFT messaging systems and software have not been compromised. The security and integrity of our messaging services are not in question as a result of the incidents. We will continue with our security awareness campaign, bilaterally with users and through industry forums and other appropriate channels. We will also continue working with our overseers, with law enforcement agencies, and third party experts, and we will continue to inform you of any further information we believe that can help you detect or avert such attacks.

Latest Findings

In the earlier case we reported to you, and this particular case we can confirm that:  malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the SWIFT network. The modus operandi of the attackers is similar in both cases:

1. Attackers compromise the bank’s environment
2. Attackers obtain valid operator credentials that have the authority to create, approve and submit SWIFT messages from customers’ back-offices or from their local interfaces to the SWIFT network.
3. Attackers submit fraudulent messages by impersonating the operators from whom they stole the credentials.
4. Attackers hide evidence by removing some of the traces of the fraudulent messages.

In this new case we have now learnt that a piece of malware was used to target the PDF reader application used by the customer to read user generated PDF reports of payment confirmations. The main purpose of the malware is again to manipulate an affected customer’s local records of SWIFT messages – i.e. step 4 in the above modus operandi.

Once installed on an infected local machine, the Trojan PDF reader gains an icon and file description that matches legitimate software. When opening PDF files containing local reports of customer specific SWIFT confirmation messages, the Trojan will manipulate the PDF reports to remove traces of the fraudulent instructions.

There is no evidence that the malware creates or injects new messages or alters the content of legitimate outgoing messages. This malware only targets the PDF reader in affected institutions’ local environments and has no impact on SWIFT’s network, interface software or core messaging services.

Customers that use PDF reader applications to check their confirmation messages should take particular care.

Your Security

As we stated earlier, this is clearly a highly adaptive campaign targeting banks’ payment endpoints. Above all therefore your first priority should be to ensure that you have all preventative and detective measures in place to secure your environment. This latest evidence adds further urgency to this work. Such measures are the best defence against such malware being installed on your local systems, and against fraudulent actions on your local infrastructure to connect to the SWIFT network.

Please remember that as a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environment – starting with basic password protection practices – in much the same way as you are responsible for your other security considerations. Whilst we issue, and have recently reminded you about, security best practice recommendations, these are just a baseline and general advice.

We will continue to update you on these issues as more information becomes available to us. We would ask you to ensure that these communications reach your security officers.

One Response to “Global financial network SWIFT warns about malware targeting banks”

  1. Global financial network SWIFT warns about malware targeting banks | Australian Law Blogs

    […] Global financial network SWIFT warns about malware targeting banks […]

Leave a Reply

Verified by MonsterInsights