Slashdot Mirror


Hackers Crashed a Bank's Computers While Attempting a SWIFT Hack (bleepingcomputer.com)

An anonymous reader writes: Hackers have used a disk-wiping malware to sabotage hundreds of computers at a bank in Chile to distract staff while they were attempting to steal money via the bank's SWIFT money transferring system. The attempted hack took place at the end of May when hackers wiped the HDD MBR of over 9,000 computers and over 500 servers. Fortunately the hackers failed to steal money from the bank (an estimated $11 million). This is the same hacker group who failed last month when they tried to steal over $110 million from a Mexico bank. Further reading: Ripple and SWIFT slug it out over cross-border payments.

7 of 53 comments

  1. Steal? by AlanObject · · Score: 2

    They may have not gotten the $11M for themselves but if they really crashed out 9,000 desktops and 500 servers I would bet the overall damage is actually much more than $11M.

    1. Re:Steal? by darkain · · Score: 2

      If it was truly only the MBR that was wiped, it wouldn't take THAT much to restore. You could easily create a bootable CD/USB drive with a small script to write out the first sector of the only attached HDD. Considering the quantity of machines, odds are they're mostly the same and had a standard drive image applied to all of them. The MBR is just a basic list of drive/partition geometry information, which is most likely the same across a vast majority of machines in the corporate world like this.
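
Added example, not code from the thread or from any tooling the bank used: the restore-from-golden-image approach darkain describes, with the check a practitioner would want before writing a shared first sector onto thousands of disks. The first 446 bytes of an MBR are bootstrap code and are generic across a fleet; the 64-byte partition table that follows is specific to the disk layout, so the script only writes the golden sector after confirming that each partition entry points at something on this disk that looks like a filesystem boot sector (an NTFS OEM id or a 0x55AA VBR signature). The disk image, bootstrap bytes and NTFS volume boot record below are constructed in memory so the example runs offline; on a real host you would read the sectors with the same offsets from the block device.

```python
"""Inspect a 512-byte MBR, detect a zero-filled (wiped) one, and restore a
golden MBR only if its partition table matches the disk it is written to.
Illustrative code for this discussion; the disk image is constructed."""
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446      # bootstrap code occupies bytes 0..445
PART_ENTRY_LEN = 16          # four 16-byte entries follow
MBR_SIG_OFFSET = 510         # 0x55 0xAA boot signature


def parse_mbr(sector):
    """Return (bootstrap_code, partitions) or raise ValueError if the sector
    does not carry a boot signature (what a simple MBR wiper leaves behind)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: MBR wiped or corrupt")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_s, ptype, _chs_e, lba_start, n_sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:          # empty entry
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": n_sectors})
    return bytes(sector[:PART_TABLE_OFFSET]), parts


def is_wiped(sector):
    """True for an all-zero first sector."""
    return bytes(sector) == b"\x00" * SECTOR


def golden_mbr_matches_disk(golden, disk):
    """Probe the sector each golden partition entry points at; refuse unless it
    looks like a volume boot record. Protects against restoring the wrong image
    onto a machine whose layout differs from the fleet standard."""
    _, parts = parse_mbr(golden)
    if not parts:
        return False
    for p in parts:
        start = p["lba_start"] * SECTOR
        vbr = bytes(disk[start:start + SECTOR])
        if len(vbr) != SECTOR:
            return False
        if vbr[3:11] != b"NTFS    " and vbr[510:512] != b"\x55\xaa":
            return False
    return True


def restore_mbr(disk, golden):
    """Write the golden sector over sector 0 of a bytearray disk image."""
    if not golden_mbr_matches_disk(golden, disk):
        raise RuntimeError("golden MBR does not match disk layout; refusing to write")
    disk[:SECTOR] = golden


def build_golden_mbr(lba_start=8, n_sectors=56):
    """Constructed golden MBR: stand-in bootstrap bytes, one bootable NTFS
    (type 0x07) partition, three empty entries, boot signature."""
    bootstrap = b"\xfa\x33\xc0\x8e\xd0".ljust(PART_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        lba_start, n_sectors)
    return bootstrap + entry + b"\x00" * (PART_ENTRY_LEN * 3) + b"\x55\xaa"


def build_disk_image(golden):
    """Constructed 64-sector disk with the golden MBR and an NTFS VBR at LBA 8."""
    disk = bytearray(64 * SECTOR)
    disk[:SECTOR] = golden
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"      # JMP + NOP as at the start of an NTFS VBR
    vbr[3:11] = b"NTFS    "         # OEM id
    vbr[510:512] = b"\x55\xaa"
    disk[8 * SECTOR:9 * SECTOR] = vbr
    return disk


if __name__ == "__main__":
    golden = build_golden_mbr()
    disk = build_disk_image(golden)
    disk[:SECTOR] = b"\x00" * SECTOR            # simulate the wiper
    print("wiped:", is_wiped(disk[:SECTOR]))
    restore_mbr(disk, golden)
    print("partitions after restore:", parse_mbr(disk[:SECTOR])[1])
```

The probe is deliberately conservative: a golden MBR whose partition entries point at sectors with no recognisable boot record is rejected rather than written, which is the failure mode you want when a few hundred of the 9,000 machines turn out to have been imaged differently.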

    2. Re:Steal? by CaptainDork · · Score: 5, Interesting

      I don't know why this is modded down, because it's correct.

      Like many here, I worked in IT. I'm retired.

      During my career, I made best practice recommendations that were obvious to the most casual observer.

      However, the business side did (faulty) risk assessment and declined to budget for security and clever backup systems.

      While I seldom had to rely on backup, we were hacked several times because, for example, the fucking owner fell for, "Your UPS package isn't going anywhere until you click on this link," and he's the asshole who signed our exclusive agreement with FedEx!

      5 weeks after I retired, the entire firm was hit with ransomware. It got the desktops and servers. The poor bastards who took my place were not scared shitless about backups as I was, so it was a very costly event.

      And can you believe this? They now have ransomware insurance.

      I used to sweat it but now I just get my popcorn.

      --
      It little behooves the best of us to comment on the rest of us.
  2. Pathetic. by Gravis+Zero · · Score: 5, Insightful

    If they were real hackers then they wouldn't have wiped the drive MBRs but merely replaced the HDD/SSD firmware with a hacked version that gave them a nearly undetectable backdoor to the bank. Seriously, if you are going to steal millions then you should at least make an effort to do it properly. -_-

    --
    Anons need not reply. Questions end with a question mark.
  3. Ripple? by JaredOfEuropa · · Score: 2

    I wonder why banks would rely on a cryptocurrency like Ripple, of which 60% is held by the company and a further 20% is held by the founders. I know why they use it today in some cases: to experiment with the tech in a nimble manner, by not having to rely on their own bloated, creaking mess of legacy systems held together with spit and baling wire. But you don't need a "coin" to settle stuff over a block chain, you can just record everything in dollars.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  4. Storage drives need a read-only switch by Solandri · · Score: 5, Interesting

    I've been saying this for over a decade: Put a physical read-only switch on storage drives (and motherboard BIOSes). Then design OSes to boot off a read-only device, with things that need to be written (like logfiles) going to a different drive. Same for programs - the OS should only allow programs on the boot device to run. Double-clicking an executable on another drive should pop up an error (unless the read-only switch of the boot device is off).

    Then, once you have the computer set up as you want it with the OS and desired programs running, you can flip the switch and lock down the system. Anyone who uses the computer, whether remotely or locally cannot change the OS or programs without first physically opening it up to flip the switch. A hack might open up a crack to let a hacker's foot in the door, but they cannot then leverage it to root the entire system. If they got in via a memory overrun exploit, then all the modifications they try to make to the system have to be done through that memory overrun exploit. Malware might be able to take hold, but it cannot write itself to automatically start next time the computer reboots. Malware wouldn't be able to cause computers to fail to boot. In fact a reboot would clear out any such malware, though it might still be attached to a data file if a program is vulnerable to it when the data file is read. (Ransomware wouldn't change since it already leaves the OS and program files alone - it just wouldn't be able to set itself to load and run every time the computer boots - it would need to finish encrypting your data before you rebooted your computer.)

    Yes it would make updates a pain. But the need for regular updates would be substantially diminished since it'd be much harder for malware to exploit a known vulnerability. You could make updates a once a month or once every few months thing, instead of needing daily updates like we do today. And the need to shutdown the computer before you opened it up to flip the read-only switch would clear out any malware laying in wait for update day. You'd just have to make sure the update was the first (and only) thing you ran when you turned the computer back on.
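
Added example, not code from the thread: the closest software approximation of the design Solandri sketches on a Linux host is a read-only root filesystem with every writable filesystem (logs, home, temp, removable media) mounted noexec and nosuid, so that nothing written at runtime can be executed or gain privilege. The script below parses a /proc/mounts listing (six space-separated fields, with spaces in paths encoded as \040) and reports every mount that breaks that policy; the two mount tables are constructed, one weak and one hardened. The caveat that motivates the hardware switch in the first place still applies: a root-level attacker can remount a software "ro" filesystem read-write, so this audit tells you what the configuration claims, not what a compromised kernel will enforce.

```python
"""Audit a /proc/mounts listing against a read-only-boot policy:
root mounted ro, every other writable filesystem mounted noexec and nosuid.
Illustrative code for this discussion; both mount tables are constructed."""

# Kernel pseudo-filesystems that carry no user-writable executables; skipped.
EXEMPT_FSTYPES = {
    "proc", "sysfs", "devpts", "devtmpfs", "cgroup", "cgroup2", "securityfs",
    "debugfs", "tracefs", "pstore", "bpf", "mqueue", "hugetlbfs", "configfs",
    "fusectl", "autofs", "binfmt_misc", "efivarfs", "rpc_pipefs", "nsfs",
}


def unescape_mount_field(field):
    """/proc/mounts writes space, tab, newline and backslash as \\040 \\011
    \\012 \\134 (three octal digits); decode them back to characters."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 4 <= len(field) and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_proc_mounts(text):
    """Return a list of dicts, one per mount line."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError("malformed mount line: %r" % line)
        dev, mnt, fstype, opts, _dump, _pass = fields
        mounts.append({"device": unescape_mount_field(dev),
                       "mountpoint": unescape_mount_field(mnt),
                       "fstype": fstype,
                       "options": set(opts.split(","))})
    return mounts


def audit_mounts(mounts):
    """Return a list of (mountpoint, finding) tuples; empty means compliant."""
    findings = []
    root_seen = False
    for m in mounts:
        if m["fstype"] in EXEMPT_FSTYPES:
            continue
        opts = m["options"]
        if m["mountpoint"] == "/":
            root_seen = True
            if "ro" not in opts:
                findings.append(("/", "root filesystem is writable; expected ro"))
            continue
        if "ro" in opts:
            continue                     # read-only data volume: fine as-is
        for needed in ("noexec", "nosuid"):
            if needed not in opts:
                findings.append((m["mountpoint"], "writable mount lacks " + needed))
    if not root_seen:
        findings.append(("/", "no root mount found"))
    return findings


# Constructed sample: a conventional layout that fails the policy.
WEAK_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/sda4 /home ext4 rw,relatime,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

# Constructed sample: the same layout hardened, plus a USB stick with a space
# in its mount point to exercise the \\040 decoding.
HARDENED_MOUNTS = """\
/dev/sda2 / ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,relatime,nosuid,nodev,noexec 0 0
/dev/sda4 /home ext4 rw,relatime,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /mnt/usb\\040stick vfat rw,nosuid,nodev,noexec 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    for label, table in (("weak", WEAK_MOUNTS), ("hardened", HARDENED_MOUNTS)):
        print(label, audit_mounts(parse_proc_mounts(table)))
```

On a live host, feed it the contents of /proc/mounts instead of the constructed tables. Note that a read-only root without somewhere for logs and state to go is exactly the problem Solandri addresses by sending writes to a separate device; the audit only checks that the writable devices cannot also become launch points.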

  5. They DID steal $10m by Bruce66423 · · Score: 2

    According to the update at the end of the article linked to in the OP, the hackers got away with the money. The article links to two Spanish language reports supporting this claim. Can someone check the Spanish and confirm please?

    https://www.publimetro.cl/cl/n...