As soon as attackers gain access to a bank's internal network, they find friendly terrain that is secured no better than the networks of companies in other industries, according to a report on cyber attacks on banks by Positive Technologies.
The weakest link in bank security is the human factor, the report said, with attackers able to bypass the best-protected network perimeter easily with the help of phishing.
Phishing messages can be sent to bank employees both at their work and personal email addresses, and this method for bypassing the network perimeter has been used by almost every criminal group, including Cobalt, Lazarus, Carbanak, Metel, and GCMAN, the report said.
In tests by Positive Technologies, employees at 75% of banks reviewed had clicked on links in phishing messages, and those at 25% of banks entered their credentials in a fake authentication form. At 25% of banks, at least one employee ran a malicious attachment on their work computer.
With access to the internal network of client banks, Positive Technologies penetration testers succeeded in obtaining access to financial applications in 58% of cases.
At 25% of banks, they were able to compromise the workstations used for the management of automatic teller machines (ATMs), which means the banks tested were vulnerable to techniques similar to ones used by Cobalt and other cyber criminal gangs in actual attacks.
Moving money to criminal-controlled accounts through interbank transfers, a favourite method of the Lazarus and MoneyTaker groups, was possible at 17% of tested banks, while at the same proportion of banks, card processing systems were poorly defended, which would enable attackers to manipulate the balance of card accounts. Such attacks were recorded in early 2017 against banks in Eastern Europe.
The Carbanak group, notorious for its ability to attack nearly any bank application, would have been able to steal funds from more than half of the tested banks, the report said. It added that on average, an attacker able to reach a bank’s internal network would need only four steps to obtain access to key banking systems.
Although the report notes that banks protect their network perimeter better than other companies (penetration testers could reach the internal network from outside at 22% of banks, compared with 58% of all companies tested), a breach rate of more than one bank in five is still a concern.
Social engineering was not used in any of these perimeter tests; access was gained through vulnerabilities in web applications, a method used in the wild by groups such as ATMitch and Lazarus, the report said.
Penetration testers concluded that banks are put at risk by remote access services exposed on the perimeter, describing remote access as “a dangerous feature” that often leaves the door open to external users.
The most common are SSH (Secure Shell) and Telnet, present on the network perimeter of more than half of the banks, followed by protocols for file server access, found at 42% of banks. Telnet sends credentials in cleartext, and even an encrypted service such as SSH is only as strong as the passwords and access controls behind it.
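The perimeter inventory behind this finding can be checked mechanically. The script below is an added example, not code from the report or the article: it parses nmap's grepable output (the `-oG` format, in which each `Host:` line carries tab-separated fields and the `Ports:` field lists entries of the form `port/state/protocol/owner/service/rpcinfo/version/`) and flags the remote-shell, remote-desktop and file-server services the report singles out. The scan lines are constructed sample data with TEST-NET addresses and invented host names, and the flagged-service table and its remediation notes are this example's own assumptions.

```python
"""Perimeter remote-access inventory from nmap grepable (-oG) output.

Added example, not taken from the Positive Technologies report or the
article. The scan below is constructed sample data (TEST-NET addresses,
invented host names); the flagged-service table and notes are this
example's own assumptions, not findings from the report.
"""

# Constructed nmap -oG output for three internet-facing hosts.
SAMPLE_GNMAP = """# Nmap 7.70 scan initiated (constructed sample)
Host: 203.0.113.10 (vpn.bank.example)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 203.0.113.11 (legacy.bank.example)\tPorts: 23/open/tcp//telnet///, 21/open/tcp//ftp//vsftpd 3.0.3/, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (997)
Host: 203.0.113.12 (www.bank.example)\tPorts: 80/open/tcp//http//Apache httpd/, 3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# nmap service name -> (category, note). Telnet and FTP carry credentials in
# cleartext; the rest are exposed administrative or file-sharing surfaces.
FLAGGED_SERVICES = {
    "ssh": ("remote shell", "encrypted, but admin access from the internet: restrict to VPN or bastion, keys only"),
    "telnet": ("remote shell", "cleartext credentials: disable"),
    "ms-wbt-server": ("remote desktop", "RDP exposed: move behind VPN, require NLA and MFA"),
    "vnc": ("remote desktop", "VNC exposed: move behind VPN"),
    "ftp": ("file server", "cleartext credentials: replace with SFTP"),
    "microsoft-ds": ("file server", "SMB exposed: block at the perimeter"),
    "netbios-ssn": ("file server", "SMB/NetBIOS exposed: block at the perimeter"),
    "nfs": ("file server", "NFS exposed: block at the perimeter"),
}

# Fallback when nmap leaves the service field empty (no banner match).
PORT_TO_SERVICE = {22: "ssh", 23: "telnet", 21: "ftp", 139: "netbios-ssn",
                   445: "microsoft-ds", 2049: "nfs", 3389: "ms-wbt-server", 5900: "vnc"}


def parse_gnmap(text):
    """Yield one dict per port entry in nmap grepable output."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and ping-scan status lines carry no ports
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, _, name = fields["Host"].partition(" ")
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            parts = entry.split("/")  # port/state/proto/owner/service/rpcinfo/version/
            yield {"ip": ip, "hostname": name.strip("()"), "port": int(parts[0]),
                   "state": parts[1], "proto": parts[2], "service": parts[4], "version": parts[6]}


def find_exposed_services(text):
    """Return open ports from the scan that match the flagged remote-access services."""
    findings = []
    for p in parse_gnmap(text):
        if p["state"] != "open":
            continue
        service = p["service"] or PORT_TO_SERVICE.get(p["port"], "")
        if service in FLAGGED_SERVICES:
            category, note = FLAGGED_SERVICES[service]
            findings.append({"host": p["hostname"] or p["ip"], "port": p["port"], "service": service,
                             "version": p["version"], "category": category, "note": note})
    return findings


if __name__ == "__main__":
    for f in find_exposed_services(SAMPLE_GNMAP):
        print("%-22s %5d %-14s %-14s %s" % (f["host"], f["port"], f["service"], f["category"], f["note"]))
```

Run against a real `nmap -sV -oG perimeter.gnmap <external ranges>` file, the same function gives the count of perimeter hosts with SSH, Telnet and file-server protocols that the report reports as percentages; the closed RDP port on the third host is deliberately ignored, since only open services count.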
Another key finding of the report is that attackers often gain access to banks’ internal networks either by compromising business partners and contractors, whose networks may be poorly secured, or by placing malware on websites known to be visited by bank employees (watering-hole attacks), as seen with Lazarus and Lurk.
After criminals obtain access to the bank’s internal network, they need local administrator privileges on servers and employee computers. To continue their attack they rely on two key “helpers”, the report said: weak password policies, and poor protection against recovery of passwords from operating system (OS) memory (typically the credentials cached by the Windows LSASS process, which tools such as Mimikatz extract).
Penetration testers found that almost half of the banks tested used dictionary passwords on the network perimeter, and every bank had a weak password policy on its internal network, where users had set weak passwords on roughly half of systems.
Testers also found default accounts with predictable passwords left behind after use for administrative tasks, including installation of databases, web servers, and operating systems.
A quarter of banks used the password “P@ssw0rd”. Other common passwords included “admin”, keyboard walks such as “Qwerty123”, blank passwords, and vendor default passwords.
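The password classes listed in the report can be caught before an attacker does it, by auditing recovered or proposed credentials. The following audit is an added example and not code from the report or the article: it normalises leet-speak substitutions so that “P@ssw0rd” is recognised as the dictionary word it is, detects keyboard walks such as “Qwerty123” in either direction, and flags blank passwords, installer default accounts and passwords containing the username. The word list, the default-credential list and the 12-character minimum are small constructed samples chosen for this demo, not figures from the report.

```python
"""Password audit for the weak-password classes the report found.

Added example, not from the Positive Technologies report or the article.
The word list, default-credential list and MIN_LENGTH are constructed
assumptions for the demo; a real audit loads a full word list and the
vendor default lists for the products actually deployed.
"""
import re

# Constructed sample of a dictionary; a real audit loads a full word list.
DICTIONARY = {"password", "admin", "welcome", "letmein", "banking", "summer", "monday"}

# Constructed sample of (account, password) pairs installers leave behind.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("root", "root"), ("root", "toor"),
    ("sa", ""), ("postgres", "postgres"), ("tomcat", "tomcat"),
}

# Leet-speak substitutions so "p@ssw0rd" normalises to "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s", "7": "t"})

# Keyboard rows, checked in both directions, for walks such as "qwer" or "4321".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 12  # assumption for this demo, not a figure from the report


def _strip_affixes(word):
    """Drop the leading/trailing digits and symbols users bolt on: 'Summer2018!' -> 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word.lower())


def _is_dictionary_word(password):
    """True if the password is a dictionary word once affixes are stripped and/or leet is decoded."""
    lowered = password.lower()
    candidates = {
        _strip_affixes(lowered),                   # Password1  -> password
        _strip_affixes(lowered.translate(LEET)),   # P@ssw0rd   -> password
        _strip_affixes(lowered).translate(LEET),   # P@ssw0rd!  -> p@ssw0rd -> password
    }
    return bool(candidates & DICTIONARY)


def _is_keyboard_walk(password, min_run=4):
    """True if the password contains min_run or more adjacent keys from one keyboard row."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in lowered:
                    return True
    return False


def classify_password(username, password):
    """Return the list of reasons the password fails this audit; an empty list means it passed."""
    if password == "":
        return ["blank"]
    reasons = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        reasons.append("default credential")
    if _is_dictionary_word(password):
        reasons.append("dictionary word")
    if _is_keyboard_walk(password):
        reasons.append("keyboard walk")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if username and username.lower() in password.lower():
        reasons.append("contains username")
    return reasons


def audit(accounts):
    """Run classify_password over (username, password) pairs and return only the failures."""
    results = {user: classify_password(user, pw) for user, pw in accounts}
    return {user: reasons for user, reasons in results.items() if reasons}


if __name__ == "__main__":
    # Constructed sample of recovered credentials, echoing the report's examples.
    sample = [("j.smith", "P@ssw0rd"), ("m.jones", "Qwerty123"), ("admin", "admin"),
              ("svc_report", ""), ("a.lee", "correct-horse-battery-staple-7")]
    for user, reasons in audit(sample).items():
        print("%-12s %s" % (user, ", ".join(reasons)))
```

The leet decoding is the part worth noting: a complexity rule that demands a symbol and a digit is satisfied by “P@ssw0rd”, which is why the report could find it at a quarter of banks, whereas normalising before the dictionary lookup rejects it on the same grounds as “password”.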
Once inside a network, the report said, attackers could often move about freely using known vulnerabilities and legitimate administration software that does not raise red flags among administrators. By exploiting weaknesses in the protection of the corporate network, attackers quickly obtain full control of the bank's entire digital infrastructure.
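Legitimate tools leave a footprint even when antivirus stays quiet, which is the signal a monitoring team can work from. The detection below is an added example, not code from the report or the article, and applies two heuristics to constructed Windows-style log events: one account making network logons (logon type 3) to many distinct hosts in a short window, the pattern produced by PsExec- or WMI-style tooling, and process-creation events for dual-use admin tools whose command line names a remote host. The events are simplified dicts rather than raw Windows event XML, and the five-host, ten-minute threshold and the tool list are this example's own assumptions.

```python
"""Lateral-movement detection over constructed Windows-style log events.

Added example, not from the Positive Technologies report or the article.
Event records are simplified constructed dicts (field names mirror the
Security log's 4624 logon and 4688 process-creation events but are not
raw event XML); thresholds and the tool list are this example's assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Security log 4624 (successful logon) and 4688 (process creation).
SAMPLE_EVENTS = [
    # Routine: a helpdesk user reaching two servers over twenty minutes.
    {"ts": "2018-03-01T08:50:00", "event_id": 4624, "host": "FS01", "user": "a.ivanov", "logon_type": 3, "src_ip": "10.1.20.7"},
    {"ts": "2018-03-01T09:10:00", "event_id": 4624, "host": "PRINT01", "user": "a.ivanov", "logon_type": 3, "src_ip": "10.1.20.7"},
    # Suspicious: one service account fans out to six hosts in four minutes, ending at ATM management and a DC.
    {"ts": "2018-03-01T09:03:00", "event_id": 4624, "host": "WS11", "user": "svc_backup", "logon_type": 3, "src_ip": "10.1.20.15"},
    {"ts": "2018-03-01T09:03:40", "event_id": 4624, "host": "WS12", "user": "svc_backup", "logon_type": 3, "src_ip": "10.1.20.15"},
    {"ts": "2018-03-01T09:04:10", "event_id": 4624, "host": "WS13", "user": "svc_backup", "logon_type": 3, "src_ip": "10.1.20.15"},
    {"ts": "2018-03-01T09:05:00", "event_id": 4624, "host": "FS02", "user": "svc_backup", "logon_type": 3, "src_ip": "10.1.20.15"},
    {"ts": "2018-03-01T09:06:00", "event_id": 4624, "host": "ATMMGMT01", "user": "svc_backup", "logon_type": 3, "src_ip": "10.1.20.15"},
    {"ts": "2018-03-01T09:07:00", "event_id": 4624, "host": "DC01", "user": "svc_backup", "logon_type": 3, "src_ip": "10.1.20.15"},
    # A legitimate tool pointed at a remote node, and the same tool used locally.
    {"ts": "2018-03-01T09:06:30", "event_id": 4688, "host": "WS11", "user": "svc_backup",
     "process": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:ATMMGMT01 process call create \"cmd.exe /c whoami\""},
    {"ts": "2018-03-01T09:30:00", "event_id": 4688, "host": "WS20", "user": "b.petrov",
     "process": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic os get caption"},
]

# Dual-use administration tools and the command-line markers that point them at another host
# (UNC path, wmic /node:, schtasks /s, winrs -r:).
DUAL_USE_TOOLS = {"psexec.exe", "psexesvc.exe", "wmic.exe", "schtasks.exe", "sc.exe", "winrs.exe"}
REMOTE_MARKERS = ("\\\\", "/node:", "/s ", "-r:")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_fanout(events, threshold=5, window_minutes=10):
    """Alert when one (user, source IP) makes network logons to >= threshold distinct hosts inside the window."""
    window = timedelta(minutes=window_minutes)
    logons = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            logons[(e["user"], e["src_ip"])].append((_ts(e["ts"]), e["host"]))
    alerts = []
    for (user, src_ip), seen in logons.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):  # slide the window, using each logon as a start point
            hosts = {host for t, host in seen[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts.append({"rule": "network-logon-fanout", "user": user, "src_ip": src_ip,
                               "hosts": sorted(hosts), "first_seen": start.isoformat()})
                break  # one alert per (user, src_ip)
    return alerts


def detect_remote_admin_tools(events):
    """Alert on process creation of a dual-use admin tool whose command line targets a remote host."""
    alerts = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        exe = e["process"].rsplit("\\", 1)[-1].lower()
        cmd = e.get("cmdline", "")
        if exe in DUAL_USE_TOOLS and any(marker in cmd for marker in REMOTE_MARKERS):
            alerts.append({"rule": "remote-admin-tool", "host": e["host"], "user": e["user"],
                           "tool": exe, "cmdline": cmd})
    return alerts


def run_detections(events):
    """Run both rules and return the combined alert list."""
    return detect_fanout(events) + detect_remote_admin_tools(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The local `wmic os get caption` on WS20 produces no alert, which is the point of keying on the remote-target marker rather than on the tool name alone: the same binary is run by administrators all day, and alerting on every execution would bury the one aimed at the ATM management host.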
Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said it is possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken.
“Attachments should be scanned in a sandbox, without depending on endpoint antivirus solutions. It’s critical to receive and immediately react to alerts with the help of an in-house or contracted 24/7 security operations centre,” she said.
The report notes the importance of detecting that an attack is in progress, saying: “It is critical to configure notifications from protection systems and react to notifications immediately.” It added that security events should be monitored constantly.
“Cyber crime is continuing to evolve and advance quickly, making it crucial that instead of hiding incidents, banks pool their knowledge by sharing information on industry attacks, learning more about relevant indicators of compromise, and helping to spread awareness throughout the industry,” the report said.