Slashdot Mirror


Hackers Crashed a Bank's Computers While Attempting a SWIFT Hack (bleepingcomputer.com)

An anonymous reader writes: Hackers have used a disk-wiping malware to sabotage hundreds of computers at a bank in Chile to distract staff while they were attempting to steal money via the bank's SWIFT money transferring system. The attempted hack took place at the end of May when hackers wiped the HDD MBR of over 9,000 computers and over 500 servers. Fortunately the hackers failed to steal money from the bank (an estimated $11 million). This is the same hacker group who failed last month when they tried to steal over $110 million from a Mexico bank. Further reading: Ripple and SWIFT slug it out over cross-border payments.

53 comments

  1. Re:TRUMP by Anonymous Coward · · Score: 1, Funny

and he bears to profit from it. Sad.

    I don't care how well he pole-dances, I wouldn't put a single dollar bill in Trump's g-string.

  2. Steal? by AlanObject · · Score: 2

    They may have not gotten the $11M for themselves but if they really crashed out 9,000 desktops and 500 servers I would bet the overall damage is actually much more than $11M.

    1. Re:Steal? by iggymanz · · Score: 1

      no, restoring those systems won't cost that machine unless its IT dept were total idiots.

    2. Re:Steal? by execthts · · Score: 1

      Or if the management above IT is an idiot.

    3. Re:Steal? by darkain · · Score: 2

      If it was truly only the MBR that was wiped, it wouldn't take THAT much to restore. You could easily create a bootable CD/USB drive with a small script to write out the first sector of the only attached HDD. Considering the quantity of machines, odds are they're mostly the same and had a standard drive image applied to all of them. The MBR is just a basic list of drive/partition geometry information, which is most likely the same across a vast majority of machines in the corporate world like this.

    4. Re:Steal? by CaptainDork · · Score: 5, Interesting

      I don't know why this is modded down, because it's correct.

      Like many here, I worked in IT. I'm retired.

      During my career, I made best practice recommendations that were obvious to the most casual observer.

      However, the business side did (faulty) risk assessment and declined to budget for security and clever backup systems.

      While I seldom had to rely on backup, we were hacked several times because, for example, the fucking owner fell for, "Your UPS package isn't going anywhere until you click on this link," and he's the asshole who signed our exclusive agreement with FedEx!

      5 weeks after I retired, the entire firm was hit with ransomware. It got the desktops and servers. The poor bastards who took my place were not scared shitless about backups as I was, so it was a very costly event.

      And can you believe this? They now have ransomware insurance.

      I used to sweat it but now I just get my popcorn.

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:Steal? by Anonymous Coward · · Score: 1

True, but considering the system was hit with malware I'd be inclined to restore from backups anyway, scan them and patch the machines before putting them back into service. It's a bank after all. Need to be careful.

    6. Re:Steal? by admin7087 · · Score: 1

      Since I'm working on certain aspects of risk assessment and multi-attribute decision making under risk, could you briefly elaborate what they did and in which way their assessment was faulty? Just a rough description?

    7. Re:Steal? by Khyber · · Score: 1

      Crash != making the systems 100% unusable.

      If the IT dept had half a brain, they'd have had a fully-homogenous hardware set for their desktops, and one for their servers, and thus there would only be two system images they'd need to deploy, reconfigure, and bring back online.

      But then again, this is the financial industry we're talking about. IT Department with brains? Only if they have yet to be hamstrung by management.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    8. Re:Steal? by K.+S.+Kyosuke · · Score: 1

      unless its IT dept were total idiots

      There's your problem. We already know that they are.

      --
      Ezekiel 23:20
    9. Re:Steal? by Anonymous Coward · · Score: 0

      The damage includes lost reputation, lost future business, etc. It doesn't really matter what it costs to have the IT work done. Lost business opportunity is where the costs lie. Even an IT person should know that.

    10. Re:Steal? by Anonymous Coward · · Score: 0

      I assume they are mostly Windows systems. Easier to fix than what you are thinking. Just a USB key with a current distribution of WinPE or the setup media. Run bootrec /fixmbr (you may need some of the other parameters too) and you are done.
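The two comments above (darkain's "write out the first sector from a bootable USB" and the `bootrec /fixmbr` suggestion) both come down to the same recovery step: check whether the first 512 bytes of the disk still carry a valid MBR, and if not, write a known-good copy back. The script below is an added example written for this page, not code from either commenter or from the article. It works on a disk image file so it runs offline; on a live machine the same logic would be pointed at a block device from rescue media. The golden MBR and its single NTFS partition entry are constructed sample data, and the bootstrap bytes are a placeholder stub, not a real boot loader.

```python
"""Detect a wiped MBR and restore it from a golden copy (added example, constructed data)."""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"     # mandatory trailing signature of a valid MBR
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:               # type 0 marks an unused slot
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def diagnose(mbr: bytes) -> str:
    """Classify the first sector: intact, wiped, or damaged in a specific way."""
    if len(mbr) < SECTOR_SIZE:
        return "short read"
    if not any(mbr):
        return "wiped (all zero)"
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != BOOT_SIGNATURE:
        return "boot signature missing"
    if not parse_partitions(mbr):
        return "partition table empty"
    return "intact"


def build_golden_mbr() -> bytes:
    """Constructed known-good MBR: placeholder boot stub plus one bootable NTFS partition at LBA 2048."""
    boot_code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (PART_TABLE_OFFSET - 5)  # stub, not a loader
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48    # remaining three slots unused
    return boot_code + table + BOOT_SIGNATURE


def read_mbr(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def restore_mbr(path: str, golden: bytes, force: bool = False) -> str:
    """Write the golden sector over the first sector of `path`.

    Refuses to overwrite an MBR that already parses as intact (unless force=True)
    and saves the original sector beside the image so it can be examined later.
    """
    current = read_mbr(path)
    state = diagnose(current)
    if state == "intact" and not force:
        return "skipped: MBR already intact"
    with open(path + ".mbr.bak", "wb") as bak:   # preserve evidence before repairing
        bak.write(current)
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(golden)
    return "restored: was " + state


def simulate_wipe_and_restore() -> Tuple[str, str, str]:
    """Create a disk image whose first sector is zeroed, repair it, and report each stage."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.write(fd, b"\x00" * (SECTOR_SIZE * 4))    # constructed image: MBR wiped, nothing else present
    os.close(fd)
    try:
        before = diagnose(read_mbr(path))
        action = restore_mbr(path, build_golden_mbr())
        after = diagnose(read_mbr(path))
    finally:
        for p in (path, path + ".mbr.bak"):
            if os.path.exists(p):
                os.remove(p)
    return before, action, after


if __name__ == "__main__":
    print(simulate_wipe_and_restore())
```

Note that this only puts back the boot code and partition table, which is the whole of what an MBR-only wipe destroys; as the thread also points out, a compromised machine still needs its filesystem and persistence locations examined before it is trusted again, so the saved `.mbr.bak` is kept for that investigation rather than discarded.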

    11. Re:Steal? by Bert64 · · Score: 1

      Surely the insurers will insist that they take reasonable steps to prevent malware infection, or else significantly hike their premiums? The insurers should be backing up what you were saying about keeping backups etc.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    12. Re:Steal? by Bert64 · · Score: 1

      Often the people doing the risk assessment don't fully understand the technology in place, and thus make faulty assumptions about its capabilities and the risks thereof.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    13. Re:Steal? by CaptainDork · · Score: 1

      ... in which way their assessment was faulty? Just a rough description?

      Sure. They didn't accept many of my recommendations, and I was the expert.

      --
      It little behooves the best of us to comment on the rest of us.
    14. Re:Steal? by CaptainDork · · Score: 1

      Oh, they understood.

      I gave lectures and all that stuff, just as IT has always done.

      They were cheap and entitled.

      After a particularly bad phishing attack, management pulled me in and asked me why our system wasn't hardened against such stuff.

      I told them a manager overrode the system by providing permission (email promised to deliver nude photos of Anna Kournikova) for the malware to hit (it spammed and caused us to be blacklisted everywhere).

      Appreciate that I really enjoyed my work and the people there.

      "Staff," never once caused any problems.

      Management would click on any goddam thing.

      --
      It little behooves the best of us to comment on the rest of us.
    15. Re:Steal? by CaptainDork · · Score: 1

      I don't know how it works and I didn't ask.

      I found out about the ransomware from a friend at the company that replaced me and I was curious about what steps were being taken.

      "Ransomware insurance," was the answer I got from the technician, who found it to be ludicrous.

      He had recommended what I had always done:

      Local backup to EHD, rotating them out every morning and shipping them off site.

      Instead, the backup drives stayed connected and got hit with the ransomware, as well.

      It was an expensive scandal.

      --
      It little behooves the best of us to comment on the rest of us.
    16. Re:Steal? by Anonymous Coward · · Score: 0

      Yeah, sure. *Assume* that the only thing that happened was an MBR wipe. There's no way a group of hackers could plant malware for further infection, right? With recent hardware, I'd be wary of malware remaining _after_ HD wipe (yes, there are hiding places in the PC which survive that).

    17. Re:Steal? by DarthVain · · Score: 1

      Yeah I liken it to someone who smashes your car window to get at the change left in your car where 300$ worth of damage was done to steal the 5$ that is in there. Either way you're out the money. In terms of an analogy, I know people who just leave their cars unlocked without valuables to avoid this, banks I'd imagine lack this countermeasure...

  3. Safe Hackers by Anonymous Coward · · Score: 0

    They'll be hacking open safes next.

    If you're confused about the meaning of words in libtard America, google deek jackson's youtube video on the subject.

    1. Re:Safe Hackers by Anonymous Coward · · Score: 0

      What a perfectly formatted statement containing its own rebuttal, sort of like a 5 year exclaiming how the earth is sooo much bigger than the sun, just look!

  4. Pathetic. by Gravis+Zero · · Score: 5, Insightful

    If they were real hackers then they wouldn't have wiped the drive MBRs but merely replaced the HDD/SSD firmwares with hacked ones that gave them a nearly undetectable backdoor to the bank. Seriously, if you are going to steal millions then you should at least make an effort to do it properly. -_-

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Pathetic. by sheramil · · Score: 1

      I'm not sure they qualify as "hackers" - I understand one quality of a hacker is the ability to get in and out without being detected. Perhaps we need a name for ridiculously inept cybercriminals; Boofheads, for example.

    2. Re:Pathetic. by Anonymous Coward · · Score: 1

      I'm not sure they qualify as "hackers" - I understand one quality of a hacker is the ability to get in and out without being detected. Perhaps we need a name for ridiculously inept cybercriminals; Boofheads, for example.

Prior art on that one, they're called "Script Kiddies".

    3. Re:Pathetic. by Anonymous Coward · · Score: 0

      Doing that wouldn't create the distraction they were trying for.

  5. Just one cotton picken moment... by beheaderaswp · · Score: 1

    Wouldn't crashing that many systems make the IT department turn everything off?

    If I was the head of that department I'd close down for a week or two to see what damage had been done beyond what was immediately detected. Then put together a comprehensive report for the board- just in time to be walked out.

Seems to me to only be a diversion if the whole department was asleep.

    --
    Another consultant who stuck it out.

    "We are the Priests, of the Temples of Syrinx..."
    1. Re:Just one cotton picken moment... by Anonymous Coward · · Score: 0

Or if they are undermanned, under-equipped, under-funded, under-trained, etc. This fits with every IT job I've had. In other words: undermined by management who sees IT as a cost not an asset.

    2. Re:Just one cotton picken moment... by Anonymous Coward · · Score: 1

      A bank does not really have the option of shutting down for 2 weeks. People and businesses needs access to their money. A bank that shut down for 2 weeks would be out of business.

    3. Re:Just one cotton picken moment... by Anonymous Coward · · Score: 0

      True. I worked on core payment processing software for a large bank in the 90s. They had an out of state disaster recovery site and did the entire process twice per year. It took 1-2 days to completely verify everything.

The VP in charge once told me "if we can't get everything back up in 72 hours we may as well just quit because we're out of business".

      I did consulting for a major bank in another country a few years ago. They had two identical data centers in different parts of the country and swapped the work between them every quarter. They could do the process in a weekend day. They had disk arrays in each site which continually updated each other over dedicated lines via journaling.

      Banks are toast if their core software is down for a week.

  6. What 9000? by Anonymous Coward · · Score: 0

    Nappa: Hey Vegeta, what's the scouter say about their dataloss?

    Vegeta: IT'S OVER 9000!!!!

    Nappa: What 9000? There's no way...

  7. Ripple? by JaredOfEuropa · · Score: 2

I wonder why banks would rely on a crypto currency like Ripple, of which 60% is held by the company and a further 20% is held by the founders. I know why they use it today in some cases: to experiment with the tech in a nimble manner, by not having to rely on their own bloated, creaking mess of legacy systems held together with spit and baling wire. But you don't need a "coin" to settle stuff over a block chain, you can just record everything in dollars.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:Ripple? by Anonymous Coward · · Score: 0

      Most people, especially enterprise architect types, think that block chain means crypto currency. I

    2. Re:Ripple? by TubeSteak · · Score: 1

      I wonder why banks would rely on a crypto currency like Ripple, of which 60% is held by the company and a further 20% is held by the founders.

      The value of [coin] is completely arbitrary and doesn't matter.

      If SWIFT wants to grab a million Bitcoin and declare that only those million Bitcoins will be part of their network, then who cares what "the market" thinks Bitcoin is worth? "The market" will treat those coins as if they're dead. Meanwhile SWIFT says 1 Satoshi = 1 US Dollar, making a SWIFTBitcoin worth 100 million USD and they're off to the races.

      Except for the small problem that Bitcoin's throughput sucks, which is why various alternatives like Ripple have popped up. Ripple 'only' divides into 1 million drops, but the end result is still a finely grained transaction ledger.

      Once you take away all the arbitrage pump and dump stock market hodling bullshit, it's easy enough to see why you might rely on a company like Ripple. All that matters is for the platform to be fast, stable, and have at least four nines of uptime.

      --
      [Fuck Beta]
      o0t!
  8. Well, you know what they say... by Entrope · · Score: 1

    Thank goodness for stupid criminals.

    All the stupid administrators in the world would really be up the creek without a paddle if many criminals were smart.

  9. Storage drives need a read-only switch by Solandri · · Score: 5, Interesting

    I've been saying this for over a decade: Put a physical read-only switch on storage drives (and motherboard BIOSes). Then design OSes to boot off a read-only device, with things that need to be written (like logfiles) going to a different drive. Same for programs - the OS should only allow programs on the boot device to run. Double-clicking an executable on another drive should pop up an error (unless the read-only switch of the boot device is off).

    Then, once you have the computer set up as you want it with the OS and and desired programs running, you can flip the switch and lock down the system. Anyone who uses the computer, whether remotely or locally cannot change the OS or programs without first physically opening it up to flip the switch. A hack might open up a crack to let a hacker's foot in the door, but they cannot then leverage it to root the entire system. If they got in via a memory overrun exploit, then all the modifications they try to make to the system have to be done through that memory overrun exploit. Malware might be able to take hold, but it cannot write itself to automatically start next time the computer reboots. Malware wouldn't be able to cause computers to fail to boot. In fact a reboot would clear out any such malware, though it might still be attached to a data file if a program is vulnerable to it when the data file is read. (Ransomware wouldn't change since it already leaves the OS and program files alone - it just wouldn't be able to set itself to load and run every time the computer boots - it would need to finish encrypting your data before you rebooted your computer.)

    Yes it would make updates a pain. But the need for regular updates would be substantially diminished since it'd be much harder for malware to exploit a known vulnerability. You could make updates a once a month or once every few months thing, instead of needing daily updates like we do today. And the need to shutdown the computer before you opened it up to flip the read-only switch would clear out any malware laying in wait for update day. You'd just have to make sure the update was the first (and only) thing you ran when you turned the computer back on.

    1. Re: Storage drives need a read-only switch by Anonymous Coward · · Score: 0

      Well you could build a SATA firewall.

    2. Re:Storage drives need a read-only switch by Anonymous Coward · · Score: 0

      Read-only SSDs already exist (by using GPT attributes. Windows doesn't know how to clear that). You could reimage for updates. If you must have physical protection, boot from DVD or network boot is always possible.

    3. Re:Storage drives need a read-only switch by phantomfive · · Score: 1

      I used to think you were right, but with the IoT, there are a lot of devices that do reset when they reboot, cleaning out any viruses that have infected. It turns out it doesn't matter, viruses like Mirai just re-infect the system after a reboot.

      In addition, UEFI is so big and poorly thought out that persistence becomes possible, even below the OS level.

      The ultimate point is that these companies don't care about security. Your idea would improve security, but it will never be implemented by companies who leave telnet open with admin/admin login. It will never be implemented by Intel, who doesn't even have decent code review on their UEFI code. Maybe most importantly, customers are happy to buy devices that have an open telnet port.

      Seriously, we've known not to use telnet for over two decades, and we've known to use good passwords for at least four decades. No one cares.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Storage drives need a read-only switch by phantomfive · · Score: 1

      btw, I should add that Kaspersky OS comes close to what you describe, in addition it only allows white-listed software to be run.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Storage drives need a read-only switch by Anonymous Coward · · Score: 0

      once you have the computer set up as you want it with the OS and and desired programs running, you can flip the switch and lock down the system. Anyone who uses the computer, whether remotely or locally cannot change the OS or programs without first physically opening it up to flip the switch.

      Have fun deploying a critical patch to 2000 machines by having someone physically go to each one to flip the switch, and *then* flip it back after confirming the patch was installed.

      Any machine that failed to get the patch now became vulnerable to known exploits.

      Oh, and do that every month. Plus a few urgent off-cycle patches a year due to new zero-day found.

      After going through that for a few years, any sane person would conclude that having such a switch actually creates more risk. Not to mention at an extremely high cost.

    6. Re:Storage drives need a read-only switch by llamalad · · Score: 1

      I seem to recall that floppy disks used to have write protect capabilities.

      As did USB flash drives.

      And a bunch of work has been done on the idea about OSes running read-only. Search the web for "immutable infrastructure."

    7. Re:Storage drives need a read-only switch by Anonymous Coward · · Score: 0

      Something like Faronics Deep Freeze?

  10. Why mess with the member? by filesiteguy · · Score: 1

    I am so glad my hard drive doesn't have a member.

    I prefer using 5.25" floppies anyway.

  11. You understand wrong by Anonymous Coward · · Score: 0

    "Hackers" has long lost all meaning. Just read the bleeping news, it's all shouty and no content. You look at a computer funny and you're a "hacker". It's that hard, it's that deep. It means the journo (and non-editing editor, and all the rest) is a bleepin' idjit.

  12. any story containing the words "over 9000" by weedjams · · Score: 1

    is likely BS.

    1. Re:any story containing the words "over 9000" by Anonymous Coward · · Score: 0

      Get the hell out of here. And take your common sense with you.

  13. They DID steal $10m by Bruce66423 · · Score: 2

    According to the update at the end of the article linked to in the OP, the hackers got away with the money. The article links to two Spanish language reports supporting this claim. Can someone check the Spanish and confirm please?

    https://www.publimetro.cl/cl/n...