Three banks in Bangladesh hit by cyber attack
Three local private banks in Bangladesh suffered major cyberattacks last month. Of the three, Dutch Bangla Bank Limited (DBBL) was the biggest victim, losing approximately USD 3 million (around Tk 25 crore) to global cybercriminals, according to “The Daily Star” newspaper. The two other banks, NCC Bank and Prime Bank, also faced cyberattacks, but they have claimed that they were able to avert financial losses. This is the biggest cyberattack in Bangladesh since hackers made off with USD 81 million from Bangladesh Bank’s account with the Federal Reserve Bank of New York in February 2016.
Attacks of this type always raise concerns about the robustness of information security in banking systems. Cybercriminals are becoming more collaborative in hacking, but organizations are not learning lessons from the cyber security incidents happening globally or within their own industry. According to the same newspaper, in this cyberattack the hackers planted malware in the bank’s switch around three months ago and made a perfect replica of the switch (a proxy or shadow switch), which the bank did not detect.
The hackers were able to siphon around USD 3 million from cash machines in Cyprus, Russia and Ukraine between May 1 and 3, 2019. However, the bank (DBBL) came to know about the fraudulent transactions when VISA asked it to settle the payment transactions made in Cyprus. This shows that there is a gap in building a robust reconciliation process for transactions. It also shows that these banks have not implemented Enterprise Fraud Risk Management solutions; otherwise they could have easily detected these anomalous transactions originating in different countries, been alerted in the shortest possible time, and prevented the siphoning of such enormous sums.
A similar modus operandi was seen in the COSMOS Bank (Pune, India) cyberattack of August 2018, where the hackers attacked the switch with malware and siphoned around INR 80 crore by using a proxy switch system to self-approve the transactions made by the attackers.
Incidents of this type show that organizations are not learning lessons from cyber incidents happening in their industry. In India, the regulator (RBI) has issued various advisories on securing critical infrastructure such as SWITCH, ATM, SWIFT and CBS, and regularly shares IOCs (Indicators of Compromise) with member banks so that they can take proactive action. Regulators also take confirmation from member banks of the action taken against these advisories to curb this type of cyberattack. However, organizations need to collaborate with other organizations and industries to adopt best practices and share intelligence.
Some security hygiene measures that should be in place in banks and other payment organizations are:
1. Isolating critical infrastructure from the general IT environment (at least virtually).
2. A robust reconciliation procedure for all payment transactions. RPA (Robotic Process Automation) may be used to automate the reconciliation process and weed out manual error.
3. Implementing strong security solutions such as Anti-APT on servers and endpoints, which can detect the anomalous behavior of malware.
4. Patching critical infrastructure with the latest available patches (at least the security patches).
5. Monitoring the activity of administrators on critical infrastructure.
6. Using PIM/PAM solutions to restrict privilege escalation and provide role-based access to users.
7. Restricting user logons from elsewhere on the network (logon type 3) and access through Terminal Services, Remote Desktop or Remote Assistance (logon type 10), and monitoring them for potential unauthorized access.
8. Implementing Enterprise Fraud Risk Management solutions to detect and respond to any anomaly in transactions.
9. Integrating critical infrastructure with the SIEM to monitor and alert on any anomaly in real time. This should also include the IOCs shared by regulators or threat intelligence agencies.
10. Disabling PowerShell on servers where it is not required, and on desktop systems.
11. Monitoring firewall rules so that unidentified outbound connections, reverse TCP shells and other potential backdoor connections are blocked. An alert should go to the SIEM for any such connection request.
12. Blocking execution of unknown files, executables and potentially unwanted applications as part of the hardening configuration. Develop a hardening baseline document and apply it to all infrastructure in your environment.
13. Periodically conducting VA/PT exercises to detect any vulnerabilities in this infrastructure.
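To illustrate items 2 and 8, the following added example (not code from any bank or vendor) reconciles the records a card scheme presents for settlement against the authorisations the bank's own core banking host recorded, which is the comparison that exposes transactions approved by a proxy switch. The records, the field names, the use of the retrieval reference number (`rrn`) as the matching key, the single currency and the alert limit are all assumptions made for the example.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data, not taken from the incident; field names are assumptions.
# SETTLEMENT: records a card scheme presents for settlement.
SETTLEMENT = [
    {"rrn": "100001", "card": "tok-01", "amount": Decimal("200.00"), "country": "BD"},
    {"rrn": "100002", "card": "tok-02", "amount": Decimal("900.00"), "country": "CY"},
    {"rrn": "100003", "card": "tok-02", "amount": Decimal("750.00"), "country": "RU"},
    {"rrn": "100004", "card": "tok-03", "amount": Decimal("600.00"), "country": "UA"},
    {"rrn": "100005", "card": "tok-04", "amount": Decimal("150.00"), "country": "BD"},
]
# CORE_LEDGER: authorisations the bank's own core banking host actually recorded.
CORE_LEDGER = [
    {"rrn": "100001", "card": "tok-01", "amount": Decimal("200.00")},
    {"rrn": "100005", "card": "tok-04", "amount": Decimal("100.00")},
]

def reconcile(settlement, ledger):
    """Return settlement records that the bank's own ledger cannot account for."""
    by_rrn = {row["rrn"]: row for row in ledger}
    exceptions = []
    for rec in settlement:
        own = by_rrn.get(rec["rrn"])
        if own is None:
            reason = "no_core_authorisation"  # approved somewhere other than the real host
        elif (own["card"], own["amount"]) != (rec["card"], rec["amount"]):
            reason = "field_mismatch"
        else:
            continue
        exceptions.append({**rec, "reason": reason})
    return exceptions

def exposure_by_country(exceptions):
    """Sum the unexplained amounts per acquiring country."""
    totals = defaultdict(Decimal)
    for exc in exceptions:
        totals[exc["country"]] += exc["amount"]
    return dict(totals)

def should_alert(exceptions, home_country="BD", limit=Decimal("500.00")):
    """True when unexplained exposure outside the home country exceeds the limit."""
    foreign = sum((amt for c, amt in exposure_by_country(exceptions).items()
                   if c != home_country), Decimal("0"))
    return foreign > limit

if __name__ == "__main__":
    found = reconcile(SETTLEMENT, CORE_LEDGER)
    for exc in found:
        print(exc["rrn"], exc["country"], exc["amount"], exc["reason"])
    print("alert:", should_alert(found))
```

Running the comparison on every settlement file as it arrives, rather than at settlement time, is what shortens the window between the first unexplained withdrawal and the alert.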
The author is ICT Security, Risk & Compliance Manager at CNH Industrial