Cyber Attacks on Financial
About me
I’m not: CISSP, CEH, CHFI, CISA […]
I manage the information security department to ensure security for the Bank
@vikjava
What will be covered?
ATM Attacks
SWIFT Attacks
Why Are Hackers Winning The Security Game?
What Does A CISO Do?
THE FAST AND THE FURIOUS
ATM Attacks
Hacker’s How To Guide
In analyzing the connections, the technicians discovered malware and content that should not have been there, and they concluded that the server was the likely network endpoint exploited by the hackers. They found there had been irregularities in the connection between the voice recording server in London and the bank's internal network and the ATM machines in Taiwan.
The bureau said that because First Bank's computer system is a closed network, it suspected that an international ring had hacked into the computer system of the bank's London branch and then obtained the account number of the ATM computer system's administrator, giving the ring access to the internal network.
After the arrival of the 10 foreign suspects, they used Google Maps to pinpoint the coordinates of the bank branches with the targeted ATMs, police said. They then used WhatsApp to report the serial number of the ATM machine they were about to rob to the plan's mastermind in Moscow. That individual then locked on to the machine and used the malware to get the ATMs to "spit" out bills, police have said.
In July last year, three Eastern European men were jailed in Taiwan over the theft of $2.6m (£2.1m) from cash machines around the island.
Case Note: First Bank's computer system is a closed network, so the bureau suspected that an international ring had hacked into the computer system of the bank's London branch and then obtained the account number of the ATM computer system's administrator, giving the ring access to the internal network. The "closed" network was in practice reachable from a compromised voice recording server in the London branch, and one administrator's credentials were enough to move from that server to the ATM network in Taiwan.
1 and 8 August 2016: the Government Savings Bank (GSB) in Thailand had money stolen from 21 ATMs across several provinces. The attackers made off with over 12.29 million Thai baht (about US$346,000) by inserting specially prepared cards into infected ATMs to make them spew out cash, up to 40,000 baht per transaction.
Case Note: The card does not carry the malware itself; the malware is already resident on the ATM, and the EMV chip on the specially made card is what it checks before dispensing (the chip acts as the attacker's authentication token). The ATM is taken offline, so the bank sees only a malfunction. This type of attack is called "jackpotting": it empties the cash in the machine by bypassing the normal card and host authorization, so no bank account is associated with the withdrawals or debited for them.
Hackers Stole $800,000 From Russian ATMs With Disappearing Malware
Hacker’s How To Guide
The researchers aren't entirely clear who's behind the attacks but, like they did in February, acknowledged that some of the group's tactics, techniques, and procedures, or TTPs, bear a resemblance to methods used by the groups GCMAN and Carbanak.
Case Note: In February, researchers reported that the attackers had hit 140 enterprises, including banks, telecoms, and government organizations, with fileless malware. The attackers already had remote access to the bank's network through that malware (stage 1); once inside, they dropped another piece of malware, ATMitch (stage 2), onto some of the bank's ATMs, which gave them the ability to dispense money "at any time, at the touch of a button".
Once remotely installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for a "command.txt" file, created by the attacker, in the same directory as the malware. If found, the malware reads the one-character content of the file and executes the corresponding command:
'O' – Open dispenser
'D' – Dispense
'I' – Init XFS
'U' – Unlock XFS
'S' – Setup
'E' – Exit
'G' – Get Dispenser id
'L' – Set Dispenser id
'C' – Cancel
After execution, ATMitch writes the result of the command to its log file and removes "command.txt" from the ATM's hard drive.
Two things make this chain work: the ATMs were reachable over RDP from the bank's corporate network, and the ATM operating system let an unapproved binary drive the cash dispenser through the XFS layer.
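The three observable behaviours in that chain (an RDP logon to an ATM, an unknown binary loading the XFS DLLs, and a command file that appears and then vanishes) can be hunted in host telemetry. The following is an added example, not code from the slides or from the ATMitch analysis; it assumes the ATM hosts forward Sysmon-style events as JSON lines, and the field names, allow-list path and sample records are constructed for the example.

```python
"""Hunting for ATMitch-style activity in ATM host telemetry.

Added example, not code from the original slides or from the ATMitch analysis.
It assumes the ATM hosts forward Sysmon-style events as JSON lines; the field
names, the allow-list path and the sample records below are all constructed
for this example. Three behaviours from the case note are checked: an RDP
logon to an ATM, a binary outside the allow-list loading the XFS layer, and a
command file that is created and then deleted (the read-and-remove pattern).
"""
import json
import ntpath
from collections import defaultdict

RDP_LOGON_TYPE = 10                       # Windows logon type 10 = RemoteInteractive
XFS_DLLS = {"msxfs.dll", "xfs_conf.dll", "xfs_supp.dll"}   # CEN/XFS manager DLLs
COMMAND_FILE = "command.txt"
# Constructed allow-list: the only image permitted to drive the dispenser.
XFS_ALLOWLIST = {r"c:\atm\vendor\atmapp.exe"}

# Constructed telemetry, one JSON object per line.
SAMPLE_EVENTS = r"""
{"host":"ATM-0042","event":"logon","logon_type":10,"user":"BANK\\svc-atm-admin","src":"10.20.1.15"}
{"host":"ATM-0042","event":"file_create","image":"C:\\Windows\\System32\\notepad.exe","path":"C:\\ATM\\tmp\\command.txt"}
{"host":"ATM-0042","event":"image_load","image":"C:\\ATM\\tmp\\srv.exe","loaded":"C:\\Windows\\System32\\msxfs.dll"}
{"host":"ATM-0042","event":"file_delete","image":"C:\\ATM\\tmp\\srv.exe","path":"C:\\ATM\\tmp\\command.txt"}
{"host":"ATM-0043","event":"image_load","image":"C:\\ATM\\vendor\\atmapp.exe","loaded":"C:\\Windows\\System32\\msxfs.dll"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return {host: [alert, ...]}; hosts with nothing suspicious are absent."""
    alerts = defaultdict(list)
    command_files = defaultdict(set)      # host -> command files seen created
    for ev in events:
        host, kind = ev["host"], ev["event"]
        image = ev.get("image", "").lower()
        if kind == "logon" and ev.get("logon_type") == RDP_LOGON_TYPE:
            # Interactive remote logon to a cash machine is itself the finding.
            alerts[host].append(f"rdp_logon:{ev['user']}@{ev['src']}")
        elif kind == "image_load":
            dll = ntpath.basename(ev["loaded"]).lower()
            if dll in XFS_DLLS and image not in XFS_ALLOWLIST:
                alerts[host].append(f"unapproved_xfs_loader:{image}")
        elif kind == "file_create":
            if ntpath.basename(ev["path"]).lower() == COMMAND_FILE:
                command_files[host].add(ev["path"].lower())
        elif kind == "file_delete":
            path = ev["path"].lower()
            if path in command_files[host]:
                # Created by one process, removed by another: the read-and-delete cycle.
                alerts[host].append(f"command_file_cycle:{path}:deleted_by={image}")
    return dict(alerts)


if __name__ == "__main__":
    for host, found in hunt(parse_events(SAMPLE_EVENTS)).items():
        print(host)
        for alert in found:
            print("  ", alert)
```

The allow-list check is the detection-side twin of the application whitelisting recommended later in the deck: if only the vendor's signed ATM application may load the XFS DLLs, an unknown loader is an alert, whatever it is called.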
The method was a complete mystery, and the only clues left behind were files containing a single line of English text: "Take the money, bitch."
It was fast and furious, and if not for the surveillance cameras that captured the heist in action, two banks in Russia would never have known what occurred last year when eight of their ATMs were drained of cash—nearly a million dollars worth of rubles in a single night.
SWIFT Attacks
Equation Group aka NSA
https://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
QUANTUMINSERT is described as an "HTML redirection" attack: malicious content is injected into a specific TCP session. The injected segment carries an HTTP redirect and has to reach the client before the real server's response does; since the client keeps the first segment it accepts for a given sequence number, the genuine reply arriving afterwards is discarded as a duplicate.
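That race leaves a trace: two segments in the same flow claiming the same sequence number with different bytes. The following added example (not code from the slides or from the Fox-IT post) applies that check to pre-parsed server-to-client segments; the segment list is constructed for the example and stands in for a pcap decoder.

```python
"""Detecting QUANTUMINSERT-style TCP injection from captured segments.

Added example; this is not code from the original slides or from the Fox-IT
write-up. It consumes pre-parsed server-to-client TCP segments (the list below
is constructed for the example and stands in for a pcap decoder) and flags a
flow in which two segments claim the same sequence number but carry different
bytes: the injected redirect that won the race and the genuine reply that the
client will discard as a duplicate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str          # sender "ip:port" (the server side of the flow)
    dst: str          # receiver "ip:port" (the client)
    seq: int          # sequence number of the first payload byte
    payload: bytes


def find_inconsistent_segments(segments):
    """Return [(flow, seq, first_payload, conflicting_payload), ...].

    A retransmission repeats the same bytes at the same sequence number, so it
    never fires; only a segment whose bytes disagree with what was already seen
    at that position does. Re-segmented retransmits are handled by comparing
    the overlapping prefix rather than requiring equal length.
    """
    seen = {}
    hits = []
    for seg in segments:
        if not seg.payload:
            continue                       # pure ACKs carry nothing to compare
        key = ((seg.src, seg.dst), seg.seq)
        prev = seen.get(key)
        if prev is None:
            seen[key] = seg.payload
            continue
        n = min(len(prev), len(seg.payload))
        if prev[:n] != seg.payload[:n]:
            hits.append((key[0], seg.seq, prev, seg.payload))
    return hits


def is_http_redirect(payload):
    """True if the payload starts an HTTP 3xx response (the QI 'HTML redirect')."""
    status_line = payload.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    return (len(parts) >= 2 and parts[0].startswith(b"HTTP/1.")
            and parts[1].startswith(b"3"))


# Constructed capture: one injected response racing the genuine one, a benign
# retransmission in another flow, and an empty ACK. Addresses are taken from
# the documentation ranges and are not real hosts.
SAMPLE_SEGMENTS = [
    Segment("203.0.113.10:80", "10.0.0.5:51000", 1001,
            b"HTTP/1.1 302 Found\r\nLocation: http://198.51.100.7/land\r\n"
            b"Content-Length: 0\r\n\r\n"),
    Segment("203.0.113.10:80", "10.0.0.5:51000", 1001,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"),
    Segment("203.0.113.20:80", "10.0.0.5:51001", 5000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    Segment("203.0.113.20:80", "10.0.0.5:51001", 5000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),    # retransmit
    Segment("203.0.113.20:80", "10.0.0.5:51001", 5045, b""),       # bare ACK
]


def report(segments):
    """One human-readable line per suspected injection."""
    lines = []
    for flow, seq, first, second in find_inconsistent_segments(segments):
        if is_http_redirect(first) and not is_http_redirect(second):
            tag = "redirect-vs-real"
        else:
            tag = "inconsistent"
        lines.append(f"{flow[0]} -> {flow[1]} seq={seq}: {tag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SEGMENTS):
        print(line)
```

The heuristic only fires when the genuine response still arrives; an injector that also blocks the real server's reply leaves no duplicate to compare, so this check complements, rather than replaces, egress monitoring for unexpected redirect destinations.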
Al Quds Bank for Development and Investment: vulnerable to the exploits in the NSA exploit framework FUZZBUNCH (MS17-010)
JEEPFLEA_MARKET (leaked slide, marked TOP SECRET//SI//NOFORN)
Target: EastNets
Country: Dubai, Belgium, Egypt
Quad: 2
Collection: 9 SAAs, Admins
Frontend: Regained access to employee network (currently have 8 CODEs and one UR). Plans to install ZESTYLEAK on VPN Firewalls in the production network as well as find means of triggerable access.
Middleware: 2 Management Servers
Backend: Collection on 9 SAA Servers
Diagram summary: 4 FWs, 2 Mgmt Devices, 9 SAA Servers

EastNets network diagram (leaked slide, same marking)
Legend: Front End, Middleware, Back End
Front End: 4 VPN Firewalls; an ASA Firewall central to all production subnets; two nodes labelled UR; BARGLEE
Middleware: Management Servers ENSBDMGMT1 and ENSBDMGMT2
Back End: Ongoing collection on 9 SAA Servers, among them 4 shared, multi-bank SAA servers serving Noor Islamic Bank, Tadhamon International Islamic Bank, Arcapita Bank, Kuwait Fund for Arab Economic Development, and Al Quds Bank for Development & Investment

JEEPFLEA_POWDER (leaked slide, same marking)
Target: BCG
Country: Venezuela and Panama
Quad: 1
Collection: None at this time
Frontend: Working on targeting Admin boxes using SECONDDATE and IRONVIPER
Middleware: None at this time
Backend: Future backend will be SAA servers
Diagram: all three tiers marked "No access at this time"
Plans for Initial Access:
Case Note: A SWIFT Service Bureau is roughly the equivalent of a cloud provider for banks when it comes to their SWIFT transactions and messages: the banks' transactions are hosted and managed by the Service Bureau, in an Oracle database and the SWIFT software. This is why many Service Bureaus also offer KYC, compliance and anti-money-laundering services: they have access to all those transactions, because they are the hosting entity for their clients' SWIFT Alliance Access (SAA). It also means a compromised bureau exposes every bank it hosts at once; the diagram shows single SAA servers shared by four banks.
EastNets, as a certified SWIFT Service Bureau, provides many SWIFT-related services such as compliance, KYC and anti-money laundering. BCG (Business Computer Group) is the LatAm strategic partner of EastNets, serving Panama and Venezuela.
JEEPFLEA is part of the Snowden code-name list.
It is very valuable for an attacker to know the relationship between the front-end, middleware and back-end tiers. Remember that Cisco had to release emergency patches for ASA firewalls last year after the initial ShadowBrokers release of the EPICBANANA and EXTRABACON exploits.
Al Quds Bank for Development and Investment, a bank based in Ramallah, Palestine, appears as a target: its host was running Windows 2008 R2, which is vulnerable to the exploit catalogue of the FUZZBUNCH framework (the leaked document dates from 2013).
Lazarus Group
It's worth mentioning here that Lazarus used other false flags in conjunction with this Russian exploit code. They also used some Russian words in one of the backdoors and packed the malware with a commercial protector (Enigma) developed by a Russian author. However, the Russian words in the backdoor looked like a very cheap imitation, because every native Russian-speaking software developer quickly noticed how odd these commands were.
Case Note: I don’t trust this
Vendors such as SWIFT and Oracle should use protected-process features.
The Bangladesh Bank heist also relied on a two-byte patch of liboradb.dll in the running process: a conditional jump (JNZ, bytes 75 04) was replaced with two NOPs (90 90) so that a failing validity check was skipped.
Prevent arbitrary memory injection into a process from another user-land process.
Anything else?
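A patch that small is invisible on disk, since the DLL file is untouched; it shows up only by comparing the live code section with the image it was loaded from. The following is an added example, not code from the slides or from the published analysis of the Bangladesh malware: the two byte strings are constructed stand-ins for the same section read from disk and from the process, and the relocation offset is likewise constructed.

```python
"""Spotting a two-byte in-memory patch of a loaded library.

Added example; not code from the original slides or from the published
analysis of the Bangladesh Bank malware. The two byte strings are constructed
stand-ins for the same code section read (a) from the DLL on disk and (b) from
the running process. On Windows the live copy would come from
ReadProcessMemory, the very access that protected-process (PPL) settings deny
to an ordinary user-land process; the patch pattern (a JNZ turned into two
NOPs) is the one the case note describes.
"""


def diff_code(disk, mem, ignore=frozenset()):
    """Return [(offset, disk_bytes, mem_bytes)] for each run of differing bytes.

    `ignore` lists offsets the loader legitimately rewrites (relocation
    targets), so an image loaded at a non-preferred base does not show up as
    tampered.
    """
    if len(disk) != len(mem):
        raise ValueError("sections differ in length; compare matching images")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(disk, mem)):
        if a != b and i not in ignore:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, disk[start:i], mem[start:i]))
            start = None
    if start is not None:
        runs.append((start, disk[start:], mem[start:]))
    return runs


JCC_SHORT = {0x74: "jz", 0x75: "jnz"}    # x86 short conditional jump opcodes
NOP = 0x90


def classify(run):
    """Name the common control-flow patches an attacker applies by hand."""
    _, before, after = run
    if len(before) == 2 and before[0] in JCC_SHORT and after == bytes([NOP, NOP]):
        return f"{JCC_SHORT[before[0]]} replaced with NOPs (check bypassed)"
    if (len(before) == 2 and len(after) == 2 and before[0] in JCC_SHORT
            and after[0] in JCC_SHORT and before[0] != after[0]
            and before[1] == after[1]):
        return f"{JCC_SHORT[before[0]]} inverted to {JCC_SHORT[after[0]]}"
    return "unclassified code modification"


# Constructed section: push ebp / mov ebp,esp / test eax,eax / jnz +4 /
# xor eax,eax / jmp +5 / mov eax,1 / pop ebp / ret, then a 4-byte pointer.
DISK_SECTION = bytes.fromhex("558bec85c0" "7504" "33c0" "eb05" "b801000000" "5dc3" "00104000")
# Live copy: the jnz is NOPed and the pointer has been relocated by the loader.
MEM_SECTION = bytes.fromhex("558bec85c0" "9090" "33c0" "eb05" "b801000000" "5dc3" "00107a00")
RELOCATED_OFFSETS = frozenset({20})       # byte the relocation fix-up rewrote


def audit(disk=DISK_SECTION, mem=MEM_SECTION, ignore=RELOCATED_OFFSETS):
    """Return one (offset, description) per suspicious run."""
    return [(off, classify((off, b, a))) for off, b, a in diff_code(disk, mem, ignore)]


if __name__ == "__main__":
    for off, what in audit():
        print(f"+0x{off:x}: {what}")
```

Without the relocation mask the relocated pointer would be reported too, which is why a real implementation walks the image's .reloc section before diffing; with PPL in place the comparison becomes moot for ordinary processes, because they cannot obtain the write handle needed to apply the patch in the first place.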
Why Are Hackers Winning The Security Game?
On the Internet, attack is easier than defense. There are a bunch of reasons for this, but primarily it's the complexity of modern networked computer systems and the attacker's ability to choose the time and method of the attack versus the defender's necessity to secure against every type of attack.
Bruce Schneier
What Does A CISO Do?
At least 85 per cent of the targeted cyber-intrusions it responds to could be mitigated by four basic strategies:
Use application whitelisting to help prevent malicious software and unapproved programs from running
Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
Patch operating system vulnerabilities
Restrict administrative privileges to operating systems and applications, based on user duties
Australian Government Department of Defence
References
Martijn van der Heide, ThaiCERT
VISA Payment Fraud Disruption Technical Analysis
@x0rz, @msuiche, @ShadowBrokers, @EquationGroup, Kaspersky Lab
Questions or Comments
