Reportedly cyber criminal was able to infiltrate in Cosmos bank’s network to the extent that he was able to get clear access to SWIFT network and bypassing other payment authentication network. Using this access including the SWIFT access the actor initiated money transfer outside India to a foreign bank and debit cards causing a total loss of $13.5 Million (INR 940 Million) between August 11-13, 2018
Volon’s opinion published in Times of India
How might have the actor obtained the SWIFT/Netowrk access:
Actors normally deploys following modes to obtain initial access:
- Buy access in Darknet/Deepweb. (Our research team has seen quite a few SWIFT access related adverts in past year – one of them specifically seeking access to Indian banks SWIFT network and claimed to bypass its authentication. The actor also claimed that it wont be until 48 hours before bank security is able to detect the infiltration. Now that is more than enough time to complete the cash out)
- Compromise ATM or any other external network to gain entry in the bank’s corporate network , then move laterally to gain access to SWIFT System
- Compromise System/security personnel via a targeted attack and utilize his system for lateral movement to connect to SWIFT terminal
Attack Cycle of an Actor:
Typically would look something like below:
Breach is hard to detect due to multiple reasons:
Credential breaches that involve social engineering are not detected by preventive technologies like firewall, anti-viruses etc. “A way to visualize this is to imagine the exposed attack surface as though it were a balloon. The more users, assets, and technologies that are introduced, the more the surface expands. The larger this surface, the more ways an attacker could potentially become a network threat. This is also true for mobile devices and cloud services. As more things move to the cloud, the bigger the attack surface will grow because you have less control over what your users log into and where your data is stored, making it harder to monitor activity outside your network. And much like how a balloon can get so big it pops, the bigger the attack surface, the higher the risk of an organization experiencing attack should they not perform proper attack surface management.”
Another reason is the lack of investment in Internal security. The teams are often strained under the onslaught of attacks and investigating false alarms as organizations receive a ton of alerts from many different parts of their security stack, and validating that they are real and the investigation that follows is time consuming. This results in them missing the real threats.
Banks need to increase their focus:
While banks tend to focus on the latest security technologies to strengthen internal system security, they often ignore the threats originating from external environments. There are Cyber Threat Intelligence services in the market that provides the complete threat lifecycle services including the view from adversary perspective.
What has Volon research team gained from Darknet research:
In our cyber threat research experience we scan Darknet (through human intelligence) and Cyber Underground Markets. We often come across actors selling breached data base or network access in return of financial consideration. We did came across a Darknet actor about 8 months ago who was looking for SWIFT access of Indian banks. He also claimed to posses a software that could bypass SWIFT authentication – it is important to note the same in the context of Cosmos Bank attack as prima facie the actor bypass SWIFT authentication.
What do we Advise our clients:
- Avoid Password Reuse: Threat actors look for soft targets for initial infections looking in to leaked credentials and identifying any case of password reuse to gain access.
- Keep an eye on external threat environment: In addition to internal network controls, Banks (& other organizations) should keep an eye of external threat environments including the industry/sector. Learnings from attacks on other same industry organization is a good foundation to build a strong threat prevention program.
- Generate Actionable Insights: Organizations should also create a strong framework to integrate threat intelligence and convert it in to actionable insights. Ability to effectively operationalize intelligence has always been a challenge for security team and CISOs across the industry. Build In-house Talent: Organizations should look for building in-house threat intelligence teams which can help in consuming third party intelligence effectively.