A PRESENTATION NOT TO RATER
Each year the Clusif (https://clusif.fr), the French information systems security club, offers a general presentation of the state of cybersecurity over the previous year. This year the program was very dense and interesting. 14 very good presentations that you can find on the Panorama page of the Cybercrime of clusIF.
The presentation on the attacks faced by the banks in 2018 by Gérôme Billois of Wavestone caught my attention. You can see it here.
3 different attacks were detailed. These are the attacks “Darkvihnya Attack”, “Bank of Chile” and “Cosmos Bank”.
In the case of “Darkvihnya Attack”, what has been done is the connection of several malicious devices directly to the bank network. Once the devices are connected, they are used to expand the bank’s network and then to gain access to the IT infrastructure from the outside. Malware is then used to make transfers to third-party accounts. It is therefore first of all a physical access that then allows access to IT. The attack involved 8 banks in Eastern Europe.
Countering this type of attack is possible: a well-configured network and detection of unusual equipment can detect the attack early. However, there is a need for sufficient teams, appropriate hardware and software. The fact that these attacks were carried out in different banks geographically close to them indicates a problem of lack of a localized cybersecurity culture.
The second attack is that of “Bank of Chile”. The method is very different, the attackers have managed to infect machines with malicious code. This code was destroying the machines. IT teams focused on crisis management. Meanwhile, hackers were operating quick wire transfers. A typical diversionary strategy. I see very little way to fight such an attack. The only solution is to have a team dedicated to crisis management but completely detached from the operational monitoring teams.
The latest attack is that of “Cosmos Bank” an Indian bank. The bank’s internal infrastructure has been infected with malware. It was possible to install a server that was in dialogue with the ATMs instead of the normal infrastructure. When distributors asked if money could be withdrawn, the answer was always yes. In 2 days more than 10 million euros have been withdrawn in many countries with cloned cards.
All these attacks are very sophisticated, requiring not a hacker but entire teams of people, who have the time and the opportunity to study banking systems, or to learn about them. It’s hard to imagine small hacker organizations succeeding in doing this, these are much more important means that are put at stake.
The fact that after several years, it is possible to identify these organizations and the people working there was highlighted in the presentation “Geopolitics and attribution” of Loïc GUÉZO of Trend Micro France. All hope is not lost.