Hackers faked Cosmos backend to hoodwink bank out of $13.5m

Security researchers have taken a deep dive into the cyber attack on the SWIFT/ATM infrastructure of Cosmos Bank, the recent victim of a $13.5m cyber-heist. Experts at Securonix have outlined the most likely progression of the attack against the bank, the latest financial institution to face hacks blamed on state-backed North …

  1. fm+theregister

    It is all about penetration testing

    While companies and government entities still insist on not conducting real-world pen-testing, security will never improve.

    If you choose to take a pentest with restrictions, for world+dog only to "see" how good your security is, this will keep happening.

    Real-world attackers (and government agencies) use bribing, women, booze. It is up to the banks (and government entities) to conduct real-world pentests and stop this from happening again and again.

    It's a never-ending game. A dangerous game.

    1. c1ue

      Re: It is all about penetration testing

      Yes and no.

      I've never heard of any institution that permits pen-testing of its actual deployed core infrastructure.

      I very much doubt pen-testers were ever allowed to touch the ATM backbone. A penetration which compromises functionality - even for a short period of time - would immediately result in people getting fired.

      1. Anonymous Coward

        Re: It is all about penetration testing

        I've never heard of any institution that permits pen-testing of its actual deployed core infrastructure.

        Really? Maybe they're just not telling you about it. Current employer does it, the one before that I wasn't in a position to know, the one before that did it, the one before that did it... and that takes me back to 2005. (I know they did, because I commissioned them. One's a highly regulated FS firm, ditto the previous one, and before that a provider of hosted services with many large corporate and public sector customers.)

        What you do is to tell them about specific systems / IPs / hostnames considered production, and make sure they know to be extremely careful with them, and to make sure you monitor / supervise any progress they make.

    2. Tom Paine Silver badge

      Re: It is all about penetration testing

      real world attackers (and gov agencies) use - bribing, woman, booze.

      Such attacks are extremely expensive to carry out, and risky (as there's a human being who can, if detected, be tracked, surveilled, captured, interrogated etc.). There's a lot of highly specialised tradecraft involved. And so on. Very, very few organisations have that class of attacker in their threat models, for the obvious reason that either they're not a threat, or because realistic defences against such attacks would be too much trouble and money to be worth it. For instance, you start with DV-level vetting of all your staff, firing everyone who fails it. Your firm wouldn't have any problem losing 50% of its headcount, right?

      If they want you that much, they'll send ninja scuba divers up through the sewers at 4am to plant pinhead audio bugs that can relay the sound of typing to someone who can reconstruct the keystrokes, or whatever.

  2. Anonymous Coward

    I don't quite understand

    Any half-competent criminal hacker will try to use Windows admin shares for lateral movement, so why is this considered a hallmark of the Lazarus Group? To me it looks more like a basic technique.

    What's next, a ping as indubitable proof of Fancy Bear at work?

  3. Walter Bishop Silver badge

    Hack against third-party interface

    Ahem ...

    “Hackers were then in a position to establish a malicious ATM/POS switch in parallel with the existing (legit) system before breaking the connection to the backend/Core Banking System (CBS) and substituting their own counterfeit system in its place.”

    What was this ATM/POS switch even doing on the Internet?

    1. Crazy Operations Guy

      Re: Hack against third-party interface

      Might not have been, the bank could've left the admin port exposed to the links the ATMs use to connect to the network. In that way all the group needed to do was to compromise a single ATM, something that would be fairly easy to do with enough resources (Easiest way would be to practice on stolen ATMs, then bribe or extort the clerk at a store to look the other way while they compromise a live ATM).

      Or maybe the switch had a security bug that allowed connected clients to perform admin functions. This is simply a risk when you have clients in untrusted locations accessing sensitive networks. It's an unavoidable risk, since those remote machines have to have access to do their thing. This was likely their downfall: they thought that just because the interface was only on a trusted network, they were safe.

      Not absolving the bank, they really needed to be much more vigilant about things going on on their network, and their remote devices should always do some kind of mutual authentication to ensure that they aren't talking to an exploited or counterfeit machine.

      1. Tom Paine Silver badge

        Re: Hack against third-party interface

        Or poor network segregation, weak controls of admin accounts and working practices, unhardened systems on the same desktop network as Reception being used for administration of production systems, poor staff awareness... tons and tons of stuff that could have led to the attackers getting access to the switch.

        As you say, I doubt it was itself directly "on the internet".
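The mutual authentication Crazy Operations Guy calls for, as an added illustration that is not code from the article, Cosmos Bank, BPC or Securonix. It assumes (not from the article) a per-terminal pre-shared key held by both the ATM and the genuine switch, HMAC-SHA256 as the MAC, and nonces contributed by both sides. A real deployment would use TLS with client certificates or an HSM-backed key; the point shown is that a substituted backend that lacks the per-terminal key cannot produce a valid response, so the ATM refuses to talk to it, and a counterfeit ATM is rejected by the real switch for the same reason.

```python
"""Mutual challenge-response between an ATM and its ATM/POS switch.

Illustrative example only (not Cosmos Bank, BPC or Securonix code).
Assumed design: per-terminal pre-shared key, HMAC-SHA256, nonces from
both sides. Each party proves key possession over BOTH nonces before
any transaction is sent.
"""
import hashlib
import hmac
import os


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Terminal:
    """An ATM holding its own per-terminal key (assumed provisioning)."""

    def __init__(self, terminal_id: bytes, key: bytes):
        self.terminal_id = terminal_id
        self.key = key
        self.nonce = os.urandom(16)          # fresh per session: defeats replay

    def hello(self):
        return self.terminal_id, self.nonce

    def verify_switch(self, switch_nonce: bytes, switch_proof: bytes) -> bool:
        expected = _mac(self.key, b"switch", self.terminal_id, self.nonce, switch_nonce)
        return hmac.compare_digest(expected, switch_proof)

    def prove(self, switch_nonce: bytes) -> bytes:
        return _mac(self.key, b"terminal", self.terminal_id, self.nonce, switch_nonce)


class Switch:
    """The genuine switch: knows every enrolled terminal's key."""

    def __init__(self, terminal_keys: dict):
        self.terminal_keys = terminal_keys
        self.nonce = os.urandom(16)

    def respond(self, terminal_id: bytes, terminal_nonce: bytes):
        key = self.terminal_keys.get(terminal_id)
        if key is None:                      # unknown terminal: return a dummy proof
            return self.nonce, b"\x00" * 32
        return self.nonce, _mac(key, b"switch", terminal_id, terminal_nonce, self.nonce)

    def verify_terminal(self, terminal_id: bytes, terminal_nonce: bytes, proof: bytes) -> bool:
        key = self.terminal_keys.get(terminal_id)
        if key is None:
            return False
        expected = _mac(key, b"terminal", terminal_id, terminal_nonce, self.nonce)
        return hmac.compare_digest(expected, proof)


class CounterfeitSwitch(Switch):
    """A rogue backend inserted in place of the real one: it has no
    per-terminal keys and must guess one."""

    def __init__(self):
        super().__init__({})

    def respond(self, terminal_id: bytes, terminal_nonce: bytes):
        guessed_key = b"attacker-guess"
        return self.nonce, _mac(guessed_key, b"switch", terminal_id, terminal_nonce, self.nonce)


class CounterfeitTerminal(Terminal):
    """An attacker's box impersonating an ATM: it accepts any switch proof
    and signs with a key it does not actually have."""

    def verify_switch(self, switch_nonce: bytes, switch_proof: bytes) -> bool:
        return True


def handshake(term: Terminal, switch: Switch) -> dict:
    """Run the exchange; a session opens only if BOTH sides verify."""
    tid, tnonce = term.hello()
    snonce, sproof = switch.respond(tid, tnonce)
    if not term.verify_switch(snonce, sproof):
        return {"switch_authentic": False, "terminal_authentic": False, "session": False}
    term_ok = switch.verify_terminal(tid, tnonce, term.prove(snonce))
    return {"switch_authentic": True, "terminal_authentic": term_ok, "session": term_ok}


# Constructed enrolment data for the demo (not real terminal IDs or keys).
TERMINAL_KEYS = {b"ATM-0001": os.urandom(32), b"ATM-0002": os.urandom(32)}


def demo():
    genuine = handshake(Terminal(b"ATM-0001", TERMINAL_KEYS[b"ATM-0001"]), Switch(TERMINAL_KEYS))
    rogue_switch = handshake(Terminal(b"ATM-0001", TERMINAL_KEYS[b"ATM-0001"]), CounterfeitSwitch())
    rogue_atm = handshake(CounterfeitTerminal(b"ATM-0002", b"stolen?" * 4), Switch(TERMINAL_KEYS))
    return genuine, rogue_switch, rogue_atm


if __name__ == "__main__":
    for label, result in zip(("genuine", "rogue switch", "rogue ATM"), demo()):
        print(f"{label:13s} -> {result}")
```

Both proofs cover both nonces and a direction tag (`b"switch"` / `b"terminal"`), so a proof captured in one session cannot be replayed in another or reflected back to the party that produced it. Swapping the switch for a counterfeit, as the article describes, fails at the first verification step rather than after transactions have already been routed.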

  4. Version 1.0 Silver badge

    Meanwhile, back at the voting booth ...

    Nobody's worried, an attack of this scale could never happen during an election could it?

    1. scrubber

      Re: Meanwhile, back at the voting booth ...

      You'd never be able to find out if there was a hack as the terminals are all closed source, proprietary software so even the election officials are not allowed to check the authenticity of votes cast anyway. As long as the voting machine owners don't get too greedy and start giving their chosen candidates 101% of the vote then they can pick and choose the winners to their hearts' content.

      1. imanidiot Silver badge

        Re: Meanwhile, back at the voting booth ...

        And yet the politicians still insist on using electronic voting machines. "For voter convenience". I wonder why...

  5. Prst. V.Jeltz Silver badge

    "Either targeted spear phishing and/or a hack against a remote administration/third-party interface"

    or inside job?

  6. Prst. V.Jeltz Silver badge

    does this mean that a lot of other innocent transactions that happened to hit that "switch" were never accounted for?

    1. M man

      Who's to say... I wouldn't :P

  7. Tikiman

    I guess all those old tech company experts laid off by Cisco and Juniper found better paying jobs after all...

  8. Anonymous Coward

    New systems?

    Cosmos signed up to introduce a new switch system back at the end of 2015 / start of 2016: SmartVista from Russian company BPC. Their core banking systems were also provided by Infosys.

    Sounds like a position where cosmos staff were looking after a new system they weren’t familiar with. I don’t know if they would have hired new staff, contractors or trained up internal staff to look after the new system.

    However, over the last couple of years they would have completely changed their switch which would have involved recreating every single account, card, authorisation rule and CBS authorisation and response.

    This would have been done by BPC initially, and then internally after that. If there is a completely new system in place with less experienced staff monitoring it then it is going to be easier to subvert / modify parts of that system for fraud like this one.

    SmartVista’s front end is just a GUI that anyone within the organisation could access. They just need access to an admin account / password on SmartVista to make some changes.

    I hope this isn’t the case for Cosmos, but it sounds like a combination of inadequate controls on a system they were not familiar with causing weaknesses that were exploited.

Biting the hand that feeds IT © 1998–2019