Banks around the world are being urged to revisit their security controls after a second Swift customer was hit by a malware attack designed to steal funds, following the $81 million heist from Bangladesh Bank in February.
Swift, which operates a network for banks to manage transfers and the like, revealed the news in a lengthy statement on Friday.
Once again it claimed that its own “core messaging services and software” had been unaffected but that the attack was aimed at the unnamed bank’s “secondary controls.”
“Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks,” Swift said in the statement.
“In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over Swift.”
The second attack differed from that on the Bangladesh central bank in that it also uses PDF Reader malware to manipulate PDF reports of payment confirmations – hiding evidence of the fraudulent transactions initiated by the cyber crooks.
Aside from that, the two attacks were very similar, Swift said. Attackers first compromise the targeted bank before gaining privileged credentials which they use to authorize Swift messages from the bank, transferring money out. The final step is to hide evidence of the fraudulent messages.
Swift claimed that the hackers clearly know what they’re doing.
“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both,” it said.
The news comes as Bangladesh Bank staff accused Swift technicians earlier in the week of leaving a lot of security loopholes when they were connecting the bank’s real-time gross settlement (RTGS) system to the Swift network, according to Reuters.
They failed to put in firewalls to segment networks, left a poorly protected wireless network up-and-running and failed to disable USB ports on PCs connected to the Swift network, it is alleged.
Swift has since rejected those claims, reiterating that its customers are responsible for their own security.
Matthias Maier, security evangelist at Splunk, argued that this second attack should be a wake-up call to the banking industry.
“These are not isolated incidents. Serious investigations must follow given the custom-built nature of the malware used in these attacks,” he added.
“It appears to have been created by someone with an intimate knowledge of how the Swift software works as well as its business processes, which is cause for concern. However, basic system monitoring at the bank would have stopped this at the server endpoint by tracking system changes in real time, triggering alerts to analysts.”
Other Swift customers must now compare IoCs released by investigators at BAE Systems with their own data to check if they too have been hit.
It hasn’t yet been revealed whether the hackers were successful in this second attack and, if so, how much they managed to steal.