Attackers have successfully compromised another bank using the SWIFT messaging system for money transfers, and deployed malware that used an exploit for a vulnerability in PDF software.
The attack was a multi-stage effort, and officials at SWIFT (Society for Worldwide Interbank Financial Telecommunication) say that the attackers have a deep understanding of bank networks and of the way the SWIFT system works. SWIFT is a messaging system used by banks and other financial institutions to exchange information about funds transfers and other transactions, and it’s one of the keystones of the international financial system. Last month, details emerged showing that attackers had targeted SWIFT in the $81 million theft at the Bank of Bangladesh.
Now, SWIFT officials are warning banks about another attack that also involved criminals gaining access to a bank’s infrastructure and using valid credentials to submit fraudulent messages to the SWIFT system. That compromise allowed them to transfer funds and also hide their tracks inside the bank’s network.
“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both,” the warning from SWIFT, issued Friday, says.
“In the earlier case we reported to you, and this particular case we can confirm that: malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the SWIFT network. The modus operandi of the attackers is similar in both cases.”
That methodology starts with an initial compromise of the target bank’s network, whether from an external attack or an insider. The attackers then steal valid credentials for the SWIFT system and begin submitting fraudulent messages and initiating transfers to accounts that they control. They then hide the traces of the fraudulent messages and move on. The new attack, which hit a commercial bank, used malware that was able to compromise the PDF reader software used by the victim bank.
“In this new case we have now learnt that a piece of malware was used to target the PDF reader application used by the customer to read user generated PDF reports of payment confirmations,” the warning letter says.
“Once installed on an infected local machine, the Trojan PDF reader gains an icon and file description that matches legitimate software. When opening PDF files containing local reports of customer specific SWIFT confirmation messages, the Trojan will manipulate the PDF reports to remove traces of the fraudulent instructions.”
SWIFT officials are warning banks to review their security controls and to take special care with PDFs. Outside of these recent attacks, PDF software is a frequent target for attackers, especially Adobe’s Reader application. The SWIFT letter doesn’t identify the PDF client targeted in the attack, but warns banks that “this is clearly a highly adaptive campaign targeting banks’ payment endpoints.”
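The tampering SWIFT describes works because the operator's only view of what was sent is the report rendered by a reader the attacker controls. Two checks a bank could run against that, as an added example that is not from the article or from SWIFT: verify the PDF reader binary on the payment workstation against an allowlist of approved build hashes (a Trojan copy can mimic the icon and file description but not the hash), and reconcile the rendered confirmation report against the messaging interface's own outbound log so that any instruction missing from, added to, or altered in the report is flagged. The log and report formats, the transaction references and the amounts below are all constructed for the example.

```python
"""Two defender-side checks against a trojanised PDF reader that edits
SWIFT confirmation reports. Added example; log and report formats are
constructed, not SWIFT's real formats."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ref: str
    amount: str
    beneficiary: str


# Constructed sample: what the bank's own SWIFT interface recorded as sent.
INTERFACE_LOG = """\
2016-05-12 09:14:03 SENT MT103 ref=TRN0001 amount=USD1250000.00 bene=ACME Imports
2016-05-12 09:20:41 SENT MT103 ref=TRN0002 amount=USD980000.00 bene=Northwind Trading
2016-05-12 09:27:15 SENT MT103 ref=TRN0003 amount=USD2000000.00 bene=Unknown Holdings
"""

# Constructed sample: the confirmation report as shown to the operator by the
# (possibly trojanised) reader. TRN0003 has been stripped out of the view.
RENDERED_REPORT = """\
Payment confirmations 2016-05-12
TRN0001  USD1250000.00  ACME Imports        ACK
TRN0002  USD980000.00   Northwind Trading   ACK
"""

LOG_RE = re.compile(r"ref=(?P<ref>\S+) amount=(?P<amount>\S+) bene=(?P<bene>.+)$")
REPORT_RE = re.compile(r"^(?P<ref>TRN\d+)\s+(?P<amount>\S+)\s+(?P<bene>.+?)\s+ACK$")


def parse_interface_log(text: str) -> dict:
    """Map transaction reference -> Transfer, from the interface's outbound log."""
    sent = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            sent[m["ref"]] = Transfer(m["ref"], m["amount"], m["bene"].strip())
    return sent


def parse_report(text: str) -> dict:
    """Map transaction reference -> Transfer, from the rendered report text."""
    shown = {}
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            shown[m["ref"]] = Transfer(m["ref"], m["amount"], m["bene"].strip())
    return shown


def reconcile(sent: dict, shown: dict) -> dict:
    """Compare the two views; any non-empty list is an integrity alert."""
    suppressed = sorted(ref for ref in sent if ref not in shown)
    unexpected = sorted(ref for ref in shown if ref not in sent)
    altered = sorted(ref for ref in sent if ref in shown and sent[ref] != shown[ref])
    return {"suppressed": suppressed, "unexpected": unexpected, "altered": altered}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reader_is_approved(binary: bytes, approved_hashes: set) -> bool:
    """True only if the reader binary matches an approved build hash; the
    icon and file description a Trojan copies are deliberately ignored."""
    return sha256_hex(binary) in approved_hashes


if __name__ == "__main__":
    result = reconcile(parse_interface_log(INTERFACE_LOG), parse_report(RENDERED_REPORT))
    for kind, refs in result.items():
        if refs:
            print(f"ALERT {kind}: {', '.join(refs)}")
    # Constructed stand-in for reading the reader executable from disk.
    approved = {sha256_hex(b"approved reader build")}
    print("reader approved:", reader_is_approved(b"approved reader build", approved))
    print("reader approved:", reader_is_approved(b"trojan reader build", approved))
```

The reconciliation deliberately reads the interface log directly rather than any PDF, so a reader that rewrites the report cannot also rewrite the source of truth it is compared against; in production the log would be pulled from the messaging interface host, not from the workstation running the reader.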