Security Issue

Regarding the SWIFT issue, the hottest topic during my time working at a bank, a domestic institution (OO) asked me to present on SWIFT threats and countermeasures. I have attached some of the slides from that presentation covering the Bangladesh central bank incident.

As SWIFT incidents occurred at major overseas banks, Bangladesh included, I carried out security reviews across the SWIFT system and the overall foreign-exchange transaction process and came to understand the systems and the business, but by now it has all faded from memory…

From early February 2017 it was confirmed that major Polish banks had been infected with malware through a watering-hole attack. Ironically, tracing the infection path showed that the malware had been injected as an iframe on the website of the Polish financial supervisory authority.

The major Polish banks could be infected, it appears, because a trusted regulator's website was abused as a malware relay point.


http://money.cnn.com/2016/12/02/technology/russia-central-bank-hack

2016-12-02: The Bank of Russia announced that there had been an attempt to steal 5 billion rubles using forged customer credentials, and that 2 billion of the 5 billion rubles were taken by the hackers.

– The compromised customer accounts are reported to be correspondent bank accounts.

– The exact attack path has not been disclosed, but before the theft, Russian banks are reported to have been the target of cyber attacks such as DDoS.

Hackers in 2016 stole 2 billion rubles — equivalent to $31 million — from accounts that banks keep at Russia’s central bank.
The Bank of Russia confirmed the cyberattacks and the extent of the losses to CNNMoney on Friday.
Hackers had tried to steal 5 billion rubles, but the central banking authority managed to stop them and redirect the funds, according to central bank security executive Artiom Sychev.
“We were lucky to return some of money,” said a central bank spokesperson.
The hackers targeted commercial banks, but they also stole cash from their clients, the central bank reported.
The central bank did not say when the cyberheists occurred, but said they took place over 2016. They also did not say how hackers moved the funds. But so far, the attack bears some similarity to a recent string of heists that has targeted the worldwide financial system.
In January 2015, hackers got a hold of an Ecuadorian bank’s codes for using SWIFT, the worldwide interbank communication network that settles transactions. They used Banco del Austro’s credentials to steal money the bank kept at Wells Fargo.
In October, hackers used the same technique to slip into a bank in the Philippines.
Two months later, hackers tried to make fraudulent requests at a commercial bank in Vietnam. They were stopped.
This past February, computer hackers stole $101 million from Bangladesh’s central bank — also by gaining access to SWIFT. That time, the bank robbers made five transfers out of Bangladesh Bank’s account at the Federal Reserve Bank of New York. The hackers tried to steal $951 million, but the Fed cut them off before the completion of the theft.
Researchers at the cybersecurity firm Symantec have concluded that the global banking system has been under sustained attack from a sophisticated group — dubbed “Lazarus” — that has been linked to North Korea.
But it’s unclear who has attacked Russian banks this time around.
Earlier Friday, the Russian government claimed it had foiled an attempt to erode public confidence in its financial system.
Russia’s top law enforcement agency, the FSB, said hackers were planning to use a collection of computer servers in the Netherlands to attack Russian banks. Typically, hackers use this kind of infrastructure to launch a “denial of service” attack, which disrupts websites and business operations by flooding a target with data.
The FSB said hackers also planned to spread fake news about Russian banks, sending mass text messages and publishing stories on social media questioning their financial stability and licenses to operate.
Editors note: This story has been updated to clarify that the losses cited from cyberattacks at Russia’s central bank were for 2016, not a single attack.

In July, a cash withdrawal incident occurred at Taiwan's First Commercial Bank, caused by new malware targeting the Wincor PC1500 ATMs the bank uses.

To install malware on the ATMs, which sit on a closed network, the attackers reportedly first compromised a voice recording server at the bank's London branch and then used the ATM software patch deployment solution to infect a large number of ATMs.

The infected ATMs ran Windows XP; antivirus was installed, but no whitelist-based application control solution was reported to be in place.

The malware files used the same names as the programs actually running on the ATMs.

Previous ATM cash-theft incidents were mostly card cloning, so ordinary customers suffered the losses; this time there was no customer loss, only a loss to the bank.
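To make the control gap in the summary above concrete, the following is an added example (my own illustration, not code from the incident or from any ATM vendor). It models three ways an ATM could decide whether a process image may run: an antivirus-style blocklist of known-bad hashes, an allowlist keyed on file name only, and an allowlist keyed on path plus SHA-256 of the loaded image. All paths, file contents and hashes are constructed stand-ins, not artifacts from the First Commercial Bank case.

```python
"""Blocklist versus allowlist for an ATM's process image set.

Added example for this post (not code from the incident or from any ATM
vendor): antivirus (a list of known-bad hashes) and a name-only check both
pass new malware that reuses a legitimate program name, while a hash-based
allowlist of the golden image does not. Everything below is constructed.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed golden image: executables approved to run on the ATM, keyed by
# path, with short byte strings standing in for the real PE files.
GOLDEN_IMAGE: Dict[str, bytes] = {
    r"C:\atm\dispenser.exe": b"MZ-legit-dispenser-module-1.0",
    r"C:\atm\updater.exe": b"MZ-legit-patch-agent-2.3",
}
ALLOWLIST: Dict[str, str] = {p: sha256(d) for p, d in GOLDEN_IMAGE.items()}

# Constructed antivirus-style blocklist: hashes of samples already known.
KNOWN_BAD = {sha256(b"MZ-old-skimmer-sample")}

# Constructed process-start events as (path, bytes of the image being loaded).
EVENTS: List[Tuple[str, bytes]] = [
    (r"C:\atm\dispenser.exe", GOLDEN_IMAGE[r"C:\atm\dispenser.exe"]),   # genuine
    (r"C:\atm\dispenser.exe", b"MZ-new-malware-dispense-on-command"),   # same name, new malware
    (r"C:\atm\updater.exe", b"MZ-legit-patch-agent-2.4"),               # genuine update, not yet allowlisted
    (r"C:\temp\dispenser.exe", GOLDEN_IMAGE[r"C:\atm\dispenser.exe"]),  # right bytes, unexpected path
    (r"C:\temp\skim.exe", b"MZ-old-skimmer-sample"),                    # old sample AV already knows
]


def blocklist_allows(path: str, data: bytes) -> bool:
    """Antivirus model: deny only what is already known to be bad."""
    return sha256(data) not in KNOWN_BAD


def name_allows(path: str, data: bytes) -> bool:
    """Allowlist keyed on path alone: satisfied by any file using an expected name."""
    return path in ALLOWLIST


def hash_allows(path: str, data: bytes) -> bool:
    """Allowlist keyed on path and SHA-256 of the loaded image (default deny)."""
    return ALLOWLIST.get(path) == sha256(data)


def evaluate(events: List[Tuple[str, bytes]] = EVENTS) -> List[Tuple[str, bool, bool, bool]]:
    """Return (path, blocklist_allows, name_allows, hash_allows) for each event."""
    return [(p, blocklist_allows(p, d), name_allows(p, d), hash_allows(p, d)) for p, d in events]


if __name__ == "__main__":
    print(f"{'path':24s} av    name  hash")
    for path, av, name, h in evaluate():
        print(f"{path:24s} {av!s:6}{name!s:6}{h!s:6}")
```

Only the hash-based policy rejects the second event, the impostor that borrows the dispenser's file name. The third event shows the operational cost of that policy: a genuine update is also rejected until the allowlist is refreshed, which is why patch channels tend to be granted exemptions, and the summary above says the patch deployment solution was exactly the channel the attackers used. The allowlist therefore has to be updated through the same signed patch pipeline rather than by exempting the patch agent from the control.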

See the article below.

Taiwan arrests three foreigners in multi-million-dollar ATM cyberheist
MON JUL 18 18:06:13 EST 2016
[Photo: Banknotes from the $3.4 million cyberheist were found in the hotel room of one of the three suspects arrested. Reuters: Tyrone Siu]
Taiwan has arrested three foreign suspects over a $3.4 million cyberheist which used malware to hack into a major local bank’s ATM network and steal bags of cash.

Key points:
Criminals used malware to steal millions from 41 Taiwanese ATMs.
Three foreign suspects arrested over heist, but police say 13 others have fled country.
Police say half the stolen money has been recovered.
Major banks have frozen withdrawals from nearly 1,000 ATMS of the kind targeted.
The attack, the first of its kind in Taiwan, targeted the First Commercial Bank’s ATM network last week, using malware to withdraw more than $3.4 million from dozens of machines in three cities.

A Latvian suspect, identified as Andrejs Peregudovs, was arrested by police in the north-eastern county of Yilan after being spotted by an off duty police officer from Taipei who was on holiday in the area.

Two other suspects from Romania and Moldova were arrested at a hotel in Taipei, police said, adding they believed the heist was carried out by a 16-member international crime ring.

“This is the first time that an international team of ATM thieves has committed a crime in Taiwan,” Lee Wen-chang, chief commander of the Criminal Investigation Division, told reporters.

Police have recovered more than half of the stolen money, but warned that 13 of the suspects — including five Russians — had already fled Taiwan after the heist.

“We will continue to search for the rest of the stolen money to let international hackers know that Taiwan is not a crime haven,” the statement said.

Police have sought assistance from both Interpol and Russia’s de facto embassy in Taiwan.

Surveillance images released by the bank showed masked robbers working in two-man teams targeting 41 ATMs belonging to the First Commercial Bank in three cities.

It is not clear how the thieves installed malware on the ATMs, but within five to 10 minutes, the thieves are seen walking away with bags full of stolen cash, the bank said.

Police say they may have used a mobile phone to target the ATMs, and investigators have identified three different malware programmes that were used to trigger withdrawals.

Since discovering the theft, Taiwan’s major state-run banks have frozen withdrawals from nearly 1,000 ATMs of the kind targeted in the heist, which are supplied by Germany’s Wincor Nixdorf.

In May, a gang stole $13 million from Japanese ATMs in a three-hour spree.

ABC/Wires

Regarding the Bangladesh central bank foreign-currency theft, this year's hot issue in the financial industry, the attack appears to have combined social engineering with technology: not only malware that incorporated SWIFT business logic, but also the timing of the overall attack during the Lunar New Year holiday and the choice of Philippine casinos for laundering the money.

In particular, laundering through Philippine casinos appears to have exploited the fact that the casino industry in the Philippines is excluded from anti-money-laundering coverage.

The Philippine Amusement and Gaming Corp., or Pagcor, which is both the industry regulator and a casino operator, succeeded in exempting casinos from new anti-money-laundering regulations when they were introduced in 2013. That means large amounts of untraceable cash can wash through without casino operators having to identify its source or report it to financial regulators—something which simplifies business at the casinos, but also opens the door to money launderers.

source: http://www.wsj.com/articles/philippine-casino-rules-offer-clean-getaway-for-dirty-money-1464524558?mod=Evernote_wsj

The law, which was first introduced in 2001, left casinos out of the list of entities required to report suspicious transactions to the AMLC. There were efforts in the Senate to include this provision in the amended AMLA in 2013, but this was blocked by some lawmakers, and PAGCOR. (READ: Casinos exempt from tougher anti-money laundering law)

source: http://www.rappler.com/business/features/125741-bangladesh-bank-philippine-banking-system

From time to time a code-signing certificate has leaked, and malware signed with the leaked certificate has become an issue. Each time I only paid attention to the C2 IPs the malware used, antivirus updates, and patterns; recently I wondered about programs that run normally even though their certificate's validity period has passed, asked several people for advice, searched the internet, and learned the reason. The certificate timestamp I had passed over without a second thought was playing the key role…

Among the various articles on the internet, the one below from the Comodo site is simple and clear, so I am posting it here as a summary.

Is timestamped code valid after a Code Signing Certificate expires?

Timestamping ensures that code will not expire when certificate expires. If your code is timestamped the digital signature is valid even though the certificate has expired. A new certificate is only necessary if you want to sign additional code. If you did not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.

 

How long can I use my code signing certificate?

Code signing certificates are valid for between one and three years depending on your purchase choice. Providing you take advantage of the time-stamping option, all code that you signed before certificate expiry will continue to be trusted even after the certificate has expired. However, if you want to sign new software after expiry, then you will need to renew your certificate.


Time-stamp Authority – CAs which issue EV Code Signing certificates must also provide a time-stamp authority (TSA) which meets RFC 3161. The TSA will allow the publisher to time-stamp the signatures of their code. The time-stamp can be used to support the longevity of the code in the event that the EV Code Signing certificate is revoked after signature.
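The Comodo text above states the rule; the following added example (my own illustration, not Comodo's code and not a real Authenticode verifier) models only the time logic behind it: the signing certificate's validity window, the time asserted by an RFC 3161 timestamp token, and a revocation date. It assumes the cryptographic checks (the signature over the binary, the TSA token's own signature, and both chains to trusted roots) have already passed. The dates, certificate and "leaked certificate" scenario are constructed.

```python
"""Timestamp-aware validity check for a code signature.

Added example for this post: not Comodo's code and not a real Authenticode
verifier. It models only the time logic the FAQ above describes. The
cryptographic checks are assumed to have already passed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


def utc(year: int, month: int, day: int) -> datetime:
    """Constructed UTC date helper for the scenarios below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SigningCert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None   # revocation date, None if not revoked


@dataclass(frozen=True)
class CodeSignature:
    cert: SigningCert
    timestamp: Optional[datetime] = None    # time asserted by the TSA token, if countersigned


def reference_time(sig: CodeSignature, now: datetime) -> datetime:
    """A trusted timestamp pins the evaluation time to when the code was
    signed; without one, the verifier can only use the current time."""
    return sig.timestamp if sig.timestamp is not None else now


def is_trusted(sig: CodeSignature, now: datetime) -> bool:
    t = reference_time(sig, now)
    cert = sig.cert
    if not (cert.not_before <= t <= cert.not_after):
        return False    # certificate was not valid at the reference time
    if cert.revoked_at is not None and t >= cert.revoked_at:
        return False    # signed at or after the revocation date
    return True


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios: a one-year certificate evaluated in 2017."""
    now = utc(2017, 3, 1)
    cert = SigningCert(not_before=utc(2015, 1, 1), not_after=utc(2016, 1, 1))
    # Same certificate after a leak, revoked with the revocation date set to
    # the (constructed) compromise date rather than the day the CA heard of it.
    leaked = SigningCert(cert.not_before, cert.not_after, revoked_at=utc(2015, 9, 1))
    return {
        # The FAQ's case: timestamped before expiry, still trusted after expiry.
        "timestamped_before_expiry": is_trusted(CodeSignature(cert, utc(2015, 6, 1)), now),
        # No timestamp: the only reference time is now, and the cert has expired.
        "no_timestamp_after_expiry": is_trusted(CodeSignature(cert), now),
        # A timestamp does not help if the cert was already expired when signing.
        "timestamped_after_expiry": is_trusted(CodeSignature(cert, utc(2016, 6, 1)), now),
        # Leaked-certificate case from this post: code signed before the
        # compromise date stays trusted, code signed after it does not.
        "leaked_signed_before_compromise": is_trusted(CodeSignature(leaked, utc(2015, 6, 1)), now),
        "leaked_signed_after_compromise": is_trusted(CodeSignature(leaked, utc(2015, 10, 1)), now),
        # Leaked certificate, no timestamp: evaluated at now, after revocation.
        "leaked_no_timestamp": is_trusted(CodeSignature(leaked), now),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:34s} {'trusted' if verdict else 'rejected'}")
```

Two caveats for the leaked-certificate case the post opened with. First, the model only protects against malware signed after the compromise if the CA sets the revocation date back to the compromise date; if it is set to the date the CA was notified, everything the attacker signed and timestamped in between stays trusted. Second, Windows has a lifetime-signing EKU that makes a signature expire with the certificate regardless of timestamp, so the FAQ's rule is the default, not a guarantee. To see whether a given binary was timestamped at all, `Get-AuthenticodeSignature` in PowerShell exposes the TSA certificate in its `TimeStamperCertificate` property (empty when no countersignature is present).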