CyberWire Daily - Taiwan Bank Heist and Lazarus Group with BAE's Adrian Nish. [Research Saturday]
Episode Date: November 11, 2017
Dr. Adrian Nish is head of cyber threat intelligence at BAE Systems. His team has been tracking a new cyber-enabled bank heist in Asia. Some of the tools used are reminiscent of the Bangladesh Bank attack from February 2016. The full report can be found here.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So Bangladesh Bank was a watershed moment for the financial industry.
That's Dr. Adrian Nish, head of cyber threat intelligence at BAE Systems.
His team has been tracking a new cyber-enabled bank heist in Asia.
Some of the tools used are reminiscent of the Bangladesh Bank attack from February 2016.
intrusion both into the bank and then into their payment system. And rather than a classical APT case of stealing information, this was all about stealing money.
So the attackers, when they were on the payment system, attempted to transfer about $950 million from Bangladesh Bank's account in the Federal Reserve in New York to accounts in Sri Lanka and the Philippines.
Not all of that was successful. They got about 81 million US dollars.
But the other interesting thing was they deployed quite sophisticated malware to cover their tracks, so basically tampering with the local SWIFT server that the bank were using in order to delete the evidence efficiently and basically cover up their tracks.
And this was the first time we or others in the community had seen anything like this deployed. And it was, I guess, a forewarning for what was to come in the months going forward from that.
And this was attributed to the Lazarus Group. What can you tell us about them?
The name Lazarus is one that came from a white paper that was released last year, which detailed
this threat actor that's been in operation probably about a decade. And they've got a
long history of attacks against South Korea, but also some high-profile cases, such as the Sony
Pictures attack in 2014.
Sony Pictures were, of course, producing a movie in 2014 that depicted the assassination of a North Korean leader, and this group got into Sony Pictures' network, destroyed a large number of machines across their network and released sensitive emails in order to embarrass their executives.
The group has since been linked to attacks on, for example, media companies in the UK,
plus, of course, the string of bank intrusions and cyber heist activity.
We don't have any smoking gun evidence about who's behind it,
but the links back to North Korea are certainly significant.
And so when did this new attack first come on your radar?
We heard about this, I believe it was the 6th of October.
So just a few days after the attack happened,
initial reports came out in local media in Taiwan
about a bank having suffered a heist
and also then ransomware being deployed on the bank's network.
And I guess over the days after that, it became a bit more clear that, again, this had involved an attack on the local SWIFT system within FEIB, the bank in Taiwan, and the ransomware component had actually been just a cover-up or a distraction for that attack against the SWIFT system.
So take us through step by step. What did you all discover here?
Well, like in the case of Bangladesh, we weren't actually hired to do the investigation.
How we got the evidence was through samples of malware that had been uploaded to malware repositories, so virustotal.com.
So somebody in Taiwan doing the investigation uploaded these to check if they get detected by antivirus.
And once they're uploaded, they're available for researchers.
So we had some filters and did some searches.
We were able to identify this malware that had been uploaded,
linked it back to Taiwan,
and pulled it apart to understand exactly what had gone on.
So describe for us what are some of the bits of malware that you found.
So there's kind of two main components.
There's this ransomware component that I mentioned earlier.
And it isn't very interesting.
It's very typical sort of ransomware.
And we're still not sure if it's something the attackers have coded or perhaps they've purchased it online.
And basically, they hard-coded the credentials, administrative credentials for the bank's network into the malware
and used it to spread across the network.
And we think it's just a smokescreen.
So after they've done the bank heist, they send this malware across the network,
creates a lot of noise, distracts the local security team,
and gives the attackers more time to get away with the money laundering aspect of the heist.
And then the second component is what links it back to this Lazarus threat group. So these were remote access tools, which we'd seen in other activity in cases we'd investigated last year, and indeed a case this year in Poland, which we were also able to link back to the Lazarus Group.
Probably just used for remote access, but almost certainly part of this bank heist.
So can you describe to us what these files contained?
So the ransomware component basically has a dropper,
so this is what's used to load the ransomware and also helps it to spread
across the network, so it's got the hard-coded credentials.
The ransomware itself will pop up a message demanding payment in Bitcoin, very similar
to other ransomwares that we've investigated.
The interesting thing with the remote access tool that we investigated is that it actually contains commands that are written in Russian language.
And we think that's a false flag by the attackers, so there's no good reason to use these particular words.
They put them in probably to try and mislead researchers.
We're pretty confident, though, that the code links back to the Lazarus threat group.
And so in terms of being able to get in and infiltrate the SWIFT system,
what was going on there?
There's not a lot in the public domain about exactly what happened,
and it may be that more information comes to light as the investigation unfolds.
But what we'd assume is something similar to what happened in Bangladesh,
which is that the attackers would have had administrator-level credentials,
and we know that they did.
We can see that in the ransomware.
And with these admin credentials, they can move on to the SWIFT server,
assuming there's no segregation in the network,
so they can use those credentials to access the environment.
And then in Bangladesh, what they did was they actually subverted
some of the payment systems.
So rather than just using the legitimate functionality that's there,
they used those administrative credentials to actually modify parts
of the software that's running, use this to subvert it, send the
payments, cover up the evidence of what happened.
This group is also pretty efficient at deleting evidence after themselves.
So they'll often use cleanup tools to hamper the forensic investigation.
So wiping out some of their previous malware, some of their log files,
deleting event logs, all this sort of stuff.
And have they been successful in getting away with the cash?
It doesn't seem so. The bank, to their credit, they must have realized that the ransomware was a smokescreen and that the cyber heist was, in fact, the real attack. We don't know exactly what happened,
but we would imagine they got in touch with the beneficiary banks
where the money had been sent to
and had the money frozen before anybody was able to move it.
Interestingly, there are reports in the public domain
of an individual in Sri Lanka who was arrested
attempting to cash out some of the money.
Now, we don't believe that this is necessarily one of the kingpins behind the attack.
It's possible that this individual was being manipulated by the real attackers,
a so-called money mule or intermediary to move the money.
So what are your recommendations to help people protect against this sort of thing?
So lots of usual security hardening recommendations, such as controlling admin access, segregating networks, plus some kind of longer-term recommendations around pen testing, using the techniques that these attackers are known to deploy, and also looking at SWIFT's customer security program.
So that's a 27-control program, which all banks who are using SWIFT systems will have to attest to by the end of the year.
The recommendations are based off of real attacks that have been investigated, and the findings are very useful advice for organizations that need to harden their environments now.
I was interested, one of the bits of malware that you analyzed contained a polyglot file.
Can you describe to us what that is and how that worked?
Yeah, so the attackers in the ransomware component, they have this
two-stage, so a dropper or spreader, which is used to spread the malware around the network,
and that uses the hard-coded admin credentials. And then it loads the payload, and the payload
they've obfuscated within a bitmap image. So again, it's probably unnecessary to do it.
The malware author may believe this makes analysis more difficult,
and that's probably true in the case of automated analysis systems,
but a skilled malware analyst would easily be able to spot
that this wasn't a legitimate bitmap,
and they can pull the payload out of the file from there.
In terms of the sophistication of this group, what's your estimation?
How sophisticated are they?
Yeah, this is always a difficult point to rate attackers on sophistication.
I would say they've got strengths and weaknesses.
Certainly some of their strengths are how they clean up the evidence after themselves. They seem to put a lot of effort into deleting both their own malware from the system, any logs, any output, plus any, like I said, event logs or other artifacts from disk.
However, they don't use zero-day exploits. They don't use rootkit malware.
There are elements of their attack that are quite clever and make it difficult to investigate. There are other aspects that are more basic by comparison to maybe high-end nation-state actors.
Our thanks to Dr. Adrian Nish for joining us. You can find the complete report about the Taiwan heist and the Lazarus tools and ransomware on the BAE Systems Threat Research blog.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.