My Kingdom for a VLAN | TechSNAP 267

Posted on: May 19, 2016

A typo stops a billion dollar bank hack, a vulnerability in 7zip that might surprise you & the best solutions for secure remote network access.

Your great questions, our answers, a packed round up & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Attackers compromise banks and steal millions

Attackers compromised the credentials of Bangladesh Bank (the Country’s central bank), and used those credentials to make SWIFT wire transfers
“Cyber criminals broke into Bangladesh Bank’s system and in early February tried to make fraudulent transfers totaling $951 million from its account at the Federal Reserve Bank of New York.”
Using the credentials, they started a wave of transfers. The first four went through, transferring a total of more than $81 million, the largest bank heist in history
The fifth, was stopped only because of a typo
“a transfer for $20 million, to a Sri Lankan non-profit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation. Hackers misspelled “foundation” in the NGO’s name as “fandation”, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction”
“The details of how the hacking came to light and was stopped before it did more damage have not been previously reported. Bangladesh Bank has billions of dollars in a current account with the Fed, which it uses for international settlements.”
“The transactions that were stopped totaled $850-$870 million, one of the officials said”
So if it wasn’t for the typo, the hackers may have made off with almost $1 billion
“Bangladesh Bank has said it has recovered some of the money that was stolen, and is working with anti-money laundering authorities in the Philippines to try to recover the rest.”
“More than a month after the attack, Bangladeshi officials are scrambling to trace the money, shore up security and identify weaknesses in their systems. They said there is little hope of ever catching the hackers, and it could take months before the money is recovered, if at all.”
Additional Coverage
“Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network”
“The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department.”
Experts in bank security said that the findings described by Alam were disturbing. “You are talking about an organization that has access to billions of dollars and they are not taking even the most basic security precautions”
“Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system”
“Bangladesh police said earlier this week they had identified 20 foreigners involved in the heist but they appear to be people who received some of the payments, rather than those who initially stole the money.”
“The SWIFT room is roughly 12 feet by 8 feet, a window-less office located on the eight floor of the bank’s annex building in Dhaka. There are four servers and four monitors in the room”
“The SWIFT facility should have been walled off from the rest of the network. That could have been done if the bank had used the more expensive, “managed” switches, which allow engineers to create separate networks, said Alam, whose institute includes a cyber-crime division.”
My kingdom for a vlan…
Last week, a second bank was hit
Additional Coverage
“The second case targeted a commercial bank, Swift spokeswoman Natasha de Teran said, without naming it. It was not immediately clear how much money, if any, was stolen in the second attack.”
Swift said in a statement that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.
“News of a second case comes as law enforcement authorities in Bangladesh and elsewhere investigate the February cyber theft from the Bangladesh central bank account at the New York Federal Reserve Bank. Swift has acknowledged that that scheme involved altering Swift software to hide evidence of fraudulent transfers, but that its core messaging system was not harmed.”
“In the second case SWIFT said attackers had also used a kind of malware called a “Trojan PDF reader” to manipulate PDF reports confirming the messages in order to hide their tracks.”
That sounds a lot more sophisticated than the first attack. Of course, it could just be that sophisticated attackers hit an unsophisticated bank, and so did not need to use such techniques, or that they just went undetected, because of the lax security at the first bank
SWIFT network issues security advisory about malware targetting banks
“In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.”

Cisco TALOS finds vulnerability in 7zip

“Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”
For example, a number of virus and malware scanners using the 7-Zip library to scan inside various archive formats
This means an attacker could send you a file, which would automatically be scanned by your virus scanner, which would trigger the exploit
The Talos article includes a link to a Google search for the 7-Zip license, which you can find embedded in a huge number of open and closed source applications
“An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.”
“Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the “PartitionRef” field from the Long Allocation Descriptor. Lack of checking whether the “PartitionRef” field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.”
“An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks.”
“Block size information and their offsets are kept in a table just after the resource fork header. Prior to decompression, the ExtractZlibFile method reads the block size and its offset from the file. After that, it reads block data into static size buffer “buf”. There is no check whether the size of the block is bigger than size of the buffer “buf”, which can result in a malformed block size which exceeds the mentioned “buf” size. This will cause a buffer overflow and subsequent heap corruption.”
“Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security. Talos has worked with 7-Zip to responsibly disclose, and then patch these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible.”
2016-03-03 – Vendor Notification
2016-05-10 – Public Disclosure

Two large middle eastern banks hit by hackers

“A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GBs, apparently includes internal corporate files and sensitive financial data for QNB’s customers.”
“Cryptome reports that the leak comprises 15,460 files, containing details, including passwords, PINs and payment card data, for hundreds of thousands of the bank customers’ accounts. Multiple experts have also examined the data, and likewise report that it appears to be legitimate. But Cryptome offered no insights into how the data was obtained, for example, if it was via an external hack attack, or an inside job.”
“Multiple sources who have reviewed the data dump have also confirmed to ISMG that the data appears to be genuine. One researcher, speaking on condition of anonymity, also confirmed that he had successfully used leaked customer internet banking credentials from the data dump to begin logging in to the customer’s account, purely for research purposes. But he said the bank’s systems then sent a one-time password to the customer’s registered mobile number, which would serve as a defense against any criminals who might now attempt to use the leaked data to commit fraud.”
Additional Coverage: IBTimes
“Although analysis of the leaked data remains ongoing, there are reports that it contains additional, unusual information. U.K.-based digital media news site IBTimes, for example, reports that in addition to consumer data, the leaked information also includes documents with information on Qatar’s Al-Thani royal family as well as the broadcaster Al Jazeera, which is partly funded by the same family.”
“In addition, some leaked folders are marked “Spy” and contain what appear to be intelligence dossiers on individuals, according to IBTimes. Some files contained in the dump are labeled as “MI6” – in apparent reference to the British intelligence agency – with others naming Qatar’s state security bureau, known as the Mukhabarat, as well as French and Polish intelligence agencies, IBTimes reports.”
“Interestingly, there is also additional data about mainly foreign bank account holders, which includes information such as their Facebook and LinkedIn profiles, along with ‘friends’ associated through those social networks. This data doesn’t appear to have come directly from the bank itself, rather the perpetrator used the data held by the bank to then build up profiles of further targets.”
A second breach occurred at InvestBank, in the UAE
Additional Coverage
“A massive tranche of nearly 10GB of files alleged to be from Sharjah, UAE-based InvestBank appears to have been dumped online by the hacking group “Bozkurtlar” – Turkish for “Gray Wolves” – on May 7. The zip archive released by the attackers appears to contain internal files and sensitive financial documents, including InvestBank customers’ data.”
“The Bozkurtlar hacker or hacking group appears to have Turkish ties, and also claimed credit for a similar data dump on April 26, involving Doha-based Qatar National Bank. In that case, leaked customer data for QNB was quickly posted online by the Cryptome.org whistleblower site”
“The dumped data appears to include a massive amount of information tied to InvestBank’s systems, including SQL databases and some backup folders. Speaking on condition of anonymity, one expert who’s reviewed the data says it appears to date from 2011 to September 2015.”
“Customer data included in the leak includes copies of ID documents, photographs of individuals, documents relating to land purchases – such as stamp papers and financials, as well as bank statements and nearly 100,000 credit card numbers, including expiry dates in clear text. Security researchers, however, note that customer credentials such as account passwords and PINs appear to be encrypted.”
“The dump also contains comprehensive details on InvestBank’s IT setup, including clear-text credentials for its production systems, switches, routers, virtual machines and Windows servers – many of which appear to have been using easily guessable vendor default passwords. Screenshots of server settings and diagrams of server and data center layouts have also been found in the dump, in addition to details of VPN setups with the bank’s branch offices.”
“The dump also appears to contain complete details of InvestBank’s Oracle FLEXCUBE core banking solution implementation, including costs, deliverables, scope of work, licensing information and the entire database pertaining to InvestBank’s FLEXCUBE implementation.”
“In December 2015, a hacker broke into InvestBank’s systems and released records for thousands of customers, after the bank refused to pay the $3 million bitcoin ransom demanded by the attacker”
InvestBank claims this is not a new hack, but just the old data being fully released
It is possible the original attacker gave up on trying to ransom or sell the data, and just released it publicly