Editor’s Note: This post was originally published on 28th October 2018 and is being continuously updated with the latest information.
Hackers have waged a sophisticated cyber-attack against BankIslami, an Islamic bank in Pakistan, resulting in the theft of around $6 million through fraudulent ATM and POS payments made from different countries. Reports claim that 5,000 accounts have been compromised in this attack and that it may be the biggest cyber-attack in the history of Pakistan.
The alleged security breach first came to light on October 27, when the bank detected abnormal transactions on one of its international payment card schemes. Customers of the bank also received automated messages reporting that their payment cards had been used in other countries. The bank reportedly did not disclose the breach until the attackers apparently put payment card data and PINs up for sale on the dark web for about $75. The bank has temporarily shut down all transactions routed through the international payment scheme.
“As a result of security breach of payment cards of one of the banks in Pakistan yesterday and their unauthorized use on different delivery channels i.e. at ATMs and POS in different countries, the bank has temporarily restricted usage of its cards for overseas transactions,” the State Bank of Pakistan (SBP) said in a statement yesterday.
SBP instructed the affected bank to take all necessary measures to trace the vulnerability and fix it immediately.
The affected bank has also been directed to issue an advisory on the precautionary measures its customers should take.
SBP said that it would continue to assess these developments in coordination with banks and take further measures if required. Banks across Pakistan have been directed to ensure that the security measures on all IT systems, including those related to card operations, are continuously updated to meet any challenges in future.
FASTCash-style tooling is a plausible attack vector for this incident: in that scheme the attackers remotely compromise the payment switch application servers within a bank to facilitate fraudulent transactions.
When a payment card is used at an ATM or POS terminal, the terminal sends an authorization request to the bank’s switch application server, which validates the transaction against the core banking system and approves or declines it based on the account balance. Malware installed on a compromised switch server intercepts the authorization requests that carry the attackers’ own card numbers and replies with a fabricated but well-formed approval, without ever checking the available balance with the core banking system. The terminal is thereby tricked into processing the transaction or dispensing large amounts of cash, while the core banking system never sees the request and the bank receives no notification.
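To make the interception concrete, here is an added example, constructed for this post and not code from Rewterz, US-CERT or any switch vendor. It models a payment switch in Python with a legitimate authorization path that consults the core ledger, a FASTCash-style hook that forges approvals for attacker-held card numbers without consulting it, and a reconciliation check that flags every approval with no matching core debit, which is the trace a forged response leaves behind. The message fields, card numbers, balances and handler names are simplified stand-ins for an ISO 8583 exchange (0200 request, 0210 response, response codes 00, 51 and 14) and are assumptions, as is the sample ledger.

```python
"""Toy model of a bank payment switch and a FASTCash-style interception.

Constructed example: the ledger, PANs, amounts and message layout are
assumptions made for illustration, not real bank or malware data."""
from dataclasses import dataclass

# Constructed core-banking ledger: PAN -> available balance in minor units.
CORE_LEDGER = {
    "4111111111111111": 50_000,   # legitimate customer, 500.00
    "5500000000000004": 1_000,    # legitimate customer, 10.00
}

# Constructed list of attacker-held PANs the malware approves blindly.
ATTACKER_PANS = {"6011000000000012"}


@dataclass
class AuthRequest:
    mti: str          # "0200": authorization request (assumed ISO 8583 MTI)
    pan: str          # primary account number
    amount: int       # minor units
    stan: str         # systems trace audit number, identifies the transaction


@dataclass
class AuthResponse:
    mti: str            # "0210": authorization response
    stan: str
    response_code: str  # "00" approved, "51" insufficient funds, "14" invalid card


def core_authorize(req, ledger):
    """Legitimate path: ask the core banking system and debit the account on approval."""
    balance = ledger.get(req.pan)
    if balance is None:
        return AuthResponse("0210", req.stan, "14")
    if balance < req.amount:
        return AuthResponse("0210", req.stan, "51")
    ledger[req.pan] = balance - req.amount
    return AuthResponse("0210", req.stan, "00")


def fastcash_hook(req, ledger, attacker_pans=ATTACKER_PANS):
    """Models the malware injected into the switch: requests for attacker PANs
    never reach the core system and receive a forged approval; all other
    traffic passes through untouched so the bank sees nothing unusual."""
    if req.pan in attacker_pans:
        return AuthResponse("0210", req.stan, "00")   # forged "00" approval
    return core_authorize(req, ledger)


def run_switch(requests, ledger, handler):
    """Returns the switch's authorization log as (stan, pan, amount, response_code)."""
    return [(r.stan, r.pan, r.amount, handler(r, ledger).response_code) for r in requests]


def reconcile(switch_log, ledger_before, ledger_after):
    """Detection: every "00" approval in the switch log must be backed by an equal
    debit in the core ledger. Returns the approvals that have no such debit."""
    debits = {pan: ledger_before[pan] - ledger_after.get(pan, 0) for pan in ledger_before}
    suspicious = []
    for stan, pan, amount, rc in switch_log:
        if rc != "00":
            continue
        if pan not in debits or debits[pan] < amount:
            suspicious.append((stan, pan, amount))   # approved, but the core never debited it
        else:
            debits[pan] -= amount                     # consume the matching debit
    return suspicious


def demo():
    """Replays a constructed batch through the compromised switch and reconciles it."""
    requests = [
        AuthRequest("0200", "4111111111111111", 20_000, "000001"),   # legitimate, approved
        AuthRequest("0200", "5500000000000004", 5_000, "000002"),    # legitimate, declined 51
        AuthRequest("0200", "6011000000000012", 900_000, "000003"),  # attacker card, forged 00
        AuthRequest("0200", "6011000000000012", 900_000, "000004"),  # attacker card, forged 00
    ]
    ledger = dict(CORE_LEDGER)
    log = run_switch(requests, ledger, fastcash_hook)
    return log, reconcile(log, CORE_LEDGER, ledger)


if __name__ == "__main__":
    log, flagged = demo()
    for entry in log:
        print("switch:", entry)
    for entry in flagged:
        print("approval with no core debit:", entry)
```

The reconciliation is the part worth keeping: a switch that is honest produces an empty list, while the hooked one surfaces exactly the two forged approvals, because the core ledger never recorded a debit for them. In practice the same comparison is run between the switch’s transaction log and the core banking system’s posting records, and a mismatch of this kind is a strong indicator that responses are being generated on the switch itself.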
Rewterz had published important advisories on similar attacks earlier this month, Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash and North Korean State-Funded APT38 Launches Financially Motivated Attacks Worldwide that include mitigation recommendations for institutions that have payment processing systems.
“Since at least 2014, the hacker group involved in the FASTCash campaign has conducted operations in more than 16 organizations in at least 11 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources,” FireEye researchers said in a blog post.
Based on known attacks, an APT attacker spends an average of 155 days inside a compromised organization’s network; in one case the group had two years of access to a victim’s network, FireEye says.
“The APT attacker executes sophisticated bank heists typically featuring long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom-developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards,” FireEye says.
“The group is careful, calculated and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions and system technologies to achieve its goals.”
The U.S. Computer Emergency Readiness Team issued an alert about “malicious cyber activity by the North Korean government” – which it refers to as Hidden Cobra – perpetrating an ATM cash-out scheme, which the U.S. government refers to as “FASTCash.”
US-CERT’s “Hidden Cobra – FASTCash Campaign” alert says that the attack campaign has been operating since 2016 and has so far targeted institutions in Asia and Africa with malware designed to “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.”
“The initial infection vector used to compromise victim networks is unknown; however, analysts surmise Hidden Cobra actors used spear-phishing emails in targeted attacks against bank employees,” US-CERT says. “Hidden Cobra actors likely used Windows-based malware to explore a bank’s network to identify the payment switch application server.”
Attackers will likely move beyond targeting banks, US-CERT warns. “The U.S. government assesses that Hidden Cobra actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation,” it says.
As you are probably aware, some analyses connect this attack with Pakistani banks’ card data being offered for sale on the dark web. According to various sources, a report is circulating about the sale of Pakistani banks’ card data which shows that more than 8,000 cards from different banks are available for sale on the dark web and on carding websites.
Rewterz’s Threat Intelligence Team has carried out an in-depth analysis and assesses that this report was compiled from a third-tier dark web card shop. Third-tier shops are easily accessible but do not offer reliable data. The card dump was posted on such a shop yesterday and taken down by the seller the same day. Further analysis shows that the dump consisted of old skimmed card data from different banks, so roughly 99.9% of it is likely either bogus or already-blocked cards. Reliable, authentic data is found on first-tier card shops, which sell verified cards and offer a refund if a card does not work. Our threat intelligence team is continuing to investigate and is working to acquire all the card data available so that further analysis can be carried out.
It can therefore be assumed that, in order to create chaos and further exploit the turmoil in Pakistan, the seller consolidated previously skimmed card data from various sources and posted it all together.
According to our intelligence, the attackers carried out a targeted and sophisticated attack on a local bank, similar to what has been seen in the FASTCash campaign. Skimmed card data alone cannot support an attack on this scale.
Rewterz’s SOC team has released specific recommendations for internal security monitoring and incident response teams to help them detect such advanced APT attacks.
The following should be enabled and integrated into your centralized security monitoring platform, such as a SIEM or log management system, to detect such advanced APT attacks: