Cosmos Bank Cyber Fraud: Volon’s Case Analysis

Reportedly cyber criminal was able to infiltrate in Cosmos bank’s network to the extent that he was able to get clear access to SWIFT network and bypassing other payment authentication network. Using this access including the SWIFT access the actor initiated money transfer outside India to a foreign bank and debit cards causing a total loss of $13.5 Million (INR 940 Million) between August 11-13, 2018

Volon’s opinion published in Times of India

https://timesofindia.indiatimes.com/city/pune/hackers-find-a-swift-way-to-steal-from-bank/articleshow/65409562.cms

How might have the actor obtained the SWIFT/Netowrk access:
Actors normally deploys following modes to obtain initial access:

  • Buy access in Darknet/Deepweb. (Our research team has seen quite a few SWIFT access related adverts in past year – one of them specifically seeking access to Indian banks SWIFT network and claimed to bypass its authentication. The actor also claimed that it wont be until 48 hours before bank security is able to detect the infiltration. Now that is more than enough time to complete the cash out)
  • Compromise ATM or any other external network to gain entry in the bank’s corporate network , then move laterally to gain access to SWIFT System
  • Compromise System/security personnel via a targeted attack and utilize his system for lateral movement to connect to SWIFT terminal

Attack Cycle of an Actor:

 Typically would look something like below:

Breach is hard to detect due to multiple reasons:
Credential breaches that involve social engineering are not detected by preventive technologies like firewall, anti-viruses etc. “A way to visualize this is to imagine the exposed attack surface as though it were a balloon. The more users, assets, and technologies that are introduced, the more the surface expands. The larger this surface, the more ways an attacker could potentially become a network threat. This is also true for mobile devices and cloud services. As more things move to the cloud, the bigger the attack surface will grow because you have less control over what your users log into and where your data is stored, making it harder to monitor activity outside your network. And much like how a balloon can get so big it pops, the bigger the attack surface, the higher the risk of an organization experiencing attack should they not perform proper attack surface management.”

Another reason is the lack of investment in Internal security. The teams are often strained under the onslaught of attacks and investigating false alarms as organizations receive a ton of alerts from many different parts of their security stack, and validating that they are real and the investigation that follows is time consuming. This results in them missing the real threats.

Banks need to increase their focus: 

While banks tend to focus on the latest security technologies to strengthen internal system security, they often ignore the threats originating from external environments. There are Cyber Threat Intelligence services in the market that provides the complete threat lifecycle services including the view from adversary perspective.

What has Volon research team gained from Darknet research: 
In our cyber threat research experience we scan Darknet (through human intelligence) and Cyber Underground Markets. We often come across actors selling breached data base or network access in return of financial consideration. We did came across a Darknet actor about 8 months ago who was looking for SWIFT access of Indian banks. He also claimed to posses a software that could bypass SWIFT authentication – it is important to note the same in the context of Cosmos Bank attack as prima facie the actor bypass SWIFT authentication.

What do we Advise our clients:

  • Avoid Password Reuse: Threat actors look for soft targets for initial infections looking in to leaked credentials and identifying any case of password reuse to gain access.
  • Keep an eye on external threat environment: In addition to internal network controls, Banks (& other organizations) should keep an eye of external threat environments including the industry/sector. Learnings from attacks on other same industry organization is a good foundation to build a strong threat prevention program.
  • Generate Actionable Insights: Organizations should also create a strong framework to integrate threat intelligence and convert it in to actionable insights. Ability to effectively operationalize intelligence has always been a challenge for security team and CISOs across the industry. Build In-house Talent: Organizations should look for building in-house threat intelligence teams which can help in consuming third party intelligence effectively.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Kapil has over 19 years experience performing multiple consulting, business development and operations profile in technology & finance sector.

Before founding Volon, he was based in Stockholm, Sweden and worked at Capgemini as Client Director and Business Development leader in Nordics.

Previously he worked at a PE (India Value Fund) owned Digital Media firm in London and also at Steria, a European listed company as a Member of India Operations Board. He spent his early career in M&A and Corporate Finance advisory at Ernst & Young and GE Capital in United States.

Kapil studied at London Business School and is also a qualified Chartered Accountant.

Sagar has over 23 years experience and has performed senior Finance and HR roles in various technology companies.

Before Volon, he worked as Head of Operations, India/Thailand at Scan-IT Pte. Ltd. (Subsidiary of ‘Scan-Group’, Danish Shipping and Logistics Company).

Sagar holds Diploma in Computer Science from Pune University.

Muslim has over 20 years of Information Security Experience with core focus on Cyber Threat Intelligence, Cyber Risk Management and Cyber security consulting.

Before Volon, he worked at FireEye Inc (US listed Cyber Security Firm) where he headed their Cyber Threat Intelligence Research team. Muslim also worked at iSIGHT Partners (later acquired by FireEye Inc) as one of the initial employees and set up their Cyber Threat Intelligence research team from scratch.

Previously, Muslim was based in Malaysia where he led the information security consulting practice for Network Security Solutions. Muslim is also credited with establishing national level CERT (and also a foreign) and consulting for various corporate CSIRTs.

Muslim holds Masters in Electronic and Communication from Devi Ahilya University.

Prabir has over 35 years of experience performing multiple operational, leadership, business development and sales profile in Government and Enterprise segments. He has more than 13 years of corporate experience, held multiple top-management positions including being on Board of Directors with exhibited Strategic & Sustainable business development traits, client acquisition skills & Sales achievements in domestic market. He comes from a versatile Military communication & IT background having served the Indian Army (Corps of Signals) for two decades before transiting to corporate sector.

Before taking up consulting assignment with VOLON, he led business development of Startup companies engaged in Info-Sec products, Software services and strategic sales in mid-sized IT system Integration Company in Delhi & NCR

Prabir is a full-time MBA from Faculty of Management Studies, Delhi University and also a B.Tech (Electronics & Communication) from JNU (MCTE).