Ecuadorian Bank Hacked After 3rd Attack On SWIFT System

This week, we hear about an Ecuadorian Bank Hacked after 3rd Attack on SWIFT System and a New ‘TidePool’ Malware Family Discovered.

Breach

Ecuadorian Bank Hacked after 3rd Attack on SWIFT System

The Ecuadorian bank Banco del Austro (BDA) was breached in January 2015, and almost $12 million was stolen by attackers who gained access to the SWIFT messaging system. Using advanced malware, the attackers stole the credentials of bank employees and covered their tracks, making their fraudulent transactions appear legitimate. This attack is not the first of its type; many people will remember the recent theft of $81 million from Bangladesh’s central bank via the SWIFT system.

The Ecuadorian heist remained a secret until now, even from the SWIFT team, and came to light only because BDA recently filed a public lawsuit in a New York federal court against Wells Fargo for failing to spot the fraudulent transactions. BDA is demanding that Wells Fargo return the full amount that was stolen, but Wells Fargo maintains that it “properly processed the wire instructions received via authenticated SWIFT messages.”

References: Ecuador Bank Hacker - $12 Million Stolen in 3rd Attack on SWIFT System | Third time unlucky for Swift as Ecuador bank hacked | Ecuador bank named as third potential victim of Bangladesh-style hackers

Mitigation Strategies:

  • Log management could detect suspicious user account activity.
  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies.
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Anti-virus could detect file infection on the local host.
  • Mail filtering would scan incoming files and hyperlinks for malicious links or code.

Malware

New ‘TidePool’ Malware Family Discovered

Researchers at Palo Alto Networks have uncovered a new malware family, which they have dubbed ‘TidePool’, that can read and write files on infected computers, run commands, and encode and exfiltrate data to a C&C server. So far it has targeted over 30 Indian embassies across the globe, attempting to trick employees into downloading the RAT (Remote Access Trojan) via spear-phishing emails. This activity alerted Palo Alto’s Unit 42 research team to the similarities between ‘TidePool’ and the Ke3chang hacker group.

Ke3chang was first discovered in September 2013, when the group targeted five European Ministries of Foreign Affairs just before the G20 Summit with spear-phishing campaigns themed around the Syrian conflict. ‘TidePool’ shares many similarities with the BS2005 malware tied to the activities of the Ke3chang group, which was thought to be no longer active but has clearly been working for the past two and a half years to develop new malicious code.

References: Ke3chang Is Back and It's Targeting Indian Embassies Around the Globe | China-Linked Ke3chang Resurfaces, Now Targeting Indian Embassies

Mitigation Strategies:

  • A Security Operations Center team provides around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies.
  • NetFlow traffic analysis may also reveal large data transfers and potential data leakage.
  • Anti-virus would detect file infection on the local host.
  • A file integrity monitoring (FIM) solution would detect any type of file modification or addition.

Top 20 IP Addresses


*IP addresses provided by Recorded Future.