By: Mary Anne Colucci, LSC Director of Fraud and Risk
LSC has received limited information on a potential attack on the SWIFT Bank-Transfer System.
SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication. SWIFT provides a secure network that allows financial institutions to send and receive payment instructions. SWIFT does not actually transfer the money; it carries the messages back and forth between the institutions.
An attack in 2018 used a malware package to disrupt systems and to distract from fraudulent wire transfers submitted through the SWIFT payment system. This type of attack is known to require substantial expertise and planning, and it is thought that the attackers were targeting various international financial institutions. To mitigate the risks associated with this type of incident, it is important to review your security controls, including:
• Examine fund transfer systems, processes and procedures in depth to ensure they are hardened against attack.
• Monitor payments systems for unusual and/or unauthorized transfer requests.
• Utilize strong system and network monitoring practices to identify suspicious and/or malicious activity.
• Ensure systems are fully patched and up-to-date, including the latest anti-virus signatures.
• Implement strong email controls to protect against phishing attacks.
– Utilize anti-spam, anti-phishing, anti-virus and sandboxing techniques to protect against malicious links and attachments.
– Maintain an active anti-phishing training and awareness program.
• Conduct periodic vulnerability scanning and penetration testing to identify weaknesses, and remediate as necessary.
• Maintain strong network access, segmentation and intrusion-detection controls.
• Restrict ingress and egress traffic to what is required for business use.
• Ensure your business continuity planning includes resiliency to cyber-attacks that may degrade or impair multiple employee and/or critical systems.
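The monitoring control above (flagging unusual or unauthorized transfer requests) can be made concrete with a small rule set. The following is an added illustration, not code from LSC or from any SWIFT product; the request fields, beneficiary history, thresholds and the malware-alert timestamp are all constructed for the example. It scores each outbound transfer request against a few signals the bulletin calls out: a beneficiary the debtor account has never paid, submission outside business hours, an unusually large amount, a single approver, and submission close in time to a malware alert (the distraction pattern described in the 2018 attack).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample history: beneficiaries each debtor account has paid in the last 90 days.
KNOWN_BENEFICIARIES = {
    "ACCT-100": {"BNF-ALPHA", "BNF-BETA"},
    "ACCT-200": {"BNF-GAMMA"},
}

# Constructed: time at which endpoint security raised a malware alert on a payments workstation.
MALWARE_ALERTS = [datetime(2018, 10, 4, 2, 10)]

BUSINESS_HOURS = (8, 18)          # local hours during which operators normally submit wires
LARGE_AMOUNT = 250_000.0          # threshold above which a request always gets a second look
DISTRACTION_WINDOW = timedelta(hours=6)  # transfers this close to a malware alert are suspect


@dataclass
class TransferRequest:
    ref: str
    submitted: datetime
    debtor: str
    beneficiary: str
    amount: float
    approvers: int  # number of distinct operators who approved the request


def review_transfer(req, known=KNOWN_BENEFICIARIES, alerts=MALWARE_ALERTS):
    """Return the list of reasons a transfer request should be held for review (empty if none)."""
    reasons = []
    if req.beneficiary not in known.get(req.debtor, set()):
        reasons.append("new beneficiary")
    weekend = req.submitted.weekday() >= 5
    if weekend or not (BUSINESS_HOURS[0] <= req.submitted.hour < BUSINESS_HOURS[1]):
        reasons.append("outside business hours")
    if req.amount >= LARGE_AMOUNT:
        reasons.append("large amount")
    if req.approvers < 2:
        reasons.append("single approver")
    if any(abs(req.submitted - alert) <= DISTRACTION_WINDOW for alert in alerts):
        reasons.append("submitted near malware alert")
    return reasons


def review_batch(requests, known=KNOWN_BENEFICIARIES, alerts=MALWARE_ALERTS):
    """Map each flagged request reference to its reasons; clean requests are omitted."""
    flagged = {}
    for req in requests:
        reasons = review_transfer(req, known, alerts)
        if reasons:
            flagged[req.ref] = reasons
    return flagged


# Constructed sample batch: one routine wire, one that matches every signal, one weekend submission.
SAMPLE_REQUESTS = [
    TransferRequest("T1", datetime(2018, 10, 4, 10, 30), "ACCT-100", "BNF-ALPHA", 12_000.0, 2),
    TransferRequest("T2", datetime(2018, 10, 4, 3, 5), "ACCT-200", "BNF-NEW", 980_000.0, 1),
    TransferRequest("T3", datetime(2018, 10, 6, 11, 0), "ACCT-100", "BNF-BETA", 5_000.0, 2),
]

if __name__ == "__main__":
    for ref, reasons in review_batch(SAMPLE_REQUESTS).items():
        print(ref, "->", ", ".join(reasons))
```

In practice the beneficiary history and alert feed would come from the payment system's audit log and the SIEM rather than from in-code constants; the point of the rules is that the hold decision is made on data the payment workstation itself cannot tamper with.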
ATM Cash-Out Attack “FASTCash”
A recent cyber-attack, dubbed “FASTCash,” is similar in nature to prior attacks; it is not known at this time whether there is an ATM cash-out component.
Hidden Cobra, the North Korean Advanced Persistent Threat (APT) hacking group, has been using this attack to cash out ATMs since at least 2016 by remotely compromising switch application servers at various financial institutions where they had accounts (and payment cards) with minimal activity or zero balances.
The malware installed on the compromised switch application servers then intercepted transaction requests associated with the attackers’ payment cards and responded with fake but legitimate-looking affirmative messages, without actually validating available balances. The fraudulent responses caused ATMs to dispense large amounts of cash without the institution being notified.
The initial infection vector used to compromise the networks is unknown; however, experts believe the APT actors sent spear-phishing emails containing malicious Windows executables to employees at different financial institutions. Once opened, the executable infected the workstation with Windows-based malware, allowing the attackers to move laterally through the institution’s network using legitimate credentials and deploy malware onto the payment switch application server.
To help mitigate the risks of these attacks, please refer to the following security recommendations:
• Require multi-factor authentication for all user access to the switch application server and for all accounts with administrative access.
• Require chip-and-PIN validation for all debit card ATM transactions.
• Encrypt data in transit.
• Monitor transactions for anomalous behavior.
• Ensure all system patches are up to date.
• Be mindful of phishing and/or other attack vectors where malicious software can be installed onto your systems.
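Because the FASTCash malware answers withdrawal requests on the switch itself, the recommendation to monitor transactions for anomalous behavior works best when the check runs somewhere the switch cannot influence. The following is an added example, not code from LSC or from any switch vendor: it reconciles the switch's approved ATM withdrawals against the core-banking ledger and against each account's normal activity. The log line format, account balances, baseline activity figures and card numbers are all constructed for the illustration. An approval that exceeds the ledger balance, or a string of approvals on an account that normally has no activity, is exactly the pattern described above.

```python
import re
from collections import defaultdict

# Constructed core-ledger snapshot (available balance per account) taken before the log window.
LEDGER = {"ACCT-300": 0.00, "ACCT-400": 2500.00}

# Constructed baseline: approved ATM withdrawals per month on each account over the prior year.
BASELINE_MONTHLY_WITHDRAWALS = {"ACCT-300": 0, "ACCT-400": 12}

# Constructed switch log lines in a hypothetical key=value format (not a real vendor format).
SWITCH_LOG = """\
2018-10-05T01:12:00 card=4111****0001 acct=ACCT-400 type=ATM_WITHDRAWAL amount=200.00 response=APPROVED
2018-10-05T01:14:30 card=4111****0002 acct=ACCT-300 type=ATM_WITHDRAWAL amount=5000.00 response=APPROVED
2018-10-05T01:16:05 card=4111****0002 acct=ACCT-300 type=ATM_WITHDRAWAL amount=5000.00 response=APPROVED
2018-10-05T01:20:40 card=4111****0001 acct=ACCT-400 type=ATM_WITHDRAWAL amount=3000.00 response=APPROVED
2018-10-05T01:22:10 card=4111****0001 acct=ACCT-400 type=ATM_WITHDRAWAL amount=100.00 response=DECLINED
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_switch_line(line):
    """Parse one log line into a dict of its key=value fields plus the leading timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(_FIELD.findall(rest))
    fields["ts"] = ts
    fields["amount"] = float(fields["amount"])
    return fields


def reconcile_approvals(log_text, ledger=LEDGER, baseline=BASELINE_MONTHLY_WITHDRAWALS):
    """Compare approved ATM withdrawals against the ledger; return per-account findings."""
    running = dict(ledger)  # balance as it should look after each approved dispense
    findings = defaultdict(lambda: {"approved_total": 0.0, "over_balance": 0, "dormant": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        tx = parse_switch_line(line)
        if tx["type"] != "ATM_WITHDRAWAL" or tx["response"] != "APPROVED":
            continue
        acct = tx["acct"]
        f = findings[acct]
        f["approved_total"] += tx["amount"]
        # The switch approved more than the ledger says is available: the balance was not checked.
        if tx["amount"] > running.get(acct, 0.0):
            f["over_balance"] += 1
        running[acct] = running.get(acct, 0.0) - tx["amount"]
        # Cash leaving an account with no history of ATM use is the low-activity pattern in the bulletin.
        if baseline.get(acct, 0) == 0:
            f["dormant"] = True
    return dict(findings)


if __name__ == "__main__":
    for acct, f in reconcile_approvals(SWITCH_LOG).items():
        print(acct, f)
```

The reconciliation deliberately reads the ledger and baseline from a system other than the switch; a finding of even one approval above the available balance is a strong signal that the switch's authorization path has been altered and should trigger an incident response review rather than a customer-service ticket.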