Hackers Crashed a Bank's Computers While Attempting a SWIFT Hack

An anonymous reader writes: Hackers have used a disk-wiping malware to sabotage hundreds of computers at a bank in Chile to distract staff while they were attempting to steal money via the bank's SWIFT money transferring system. The attempted hack took place at the end of May when hackers wiped the HDD MBR of over 9,000 computers and over 500 servers. Fortunately the hackers failed to steal money from the bank (an estimated $11 million). This is the same hacker group who failed last month when they tried to steal over $110 million from a Mexico bank. Further reading: Ripple and SWIFT slug it out over cross-border payments.

Re:

[Anonymous Coward]

and he bares to profit from it. Sad.

I don't care how well he pole-dances, I wouldn't put a single dollar bill in Trump's g-string.

Steal?

[AlanObject]

They may have not gotten the $11M for themselves but if they really crashed out 9,000 desktops and 500 servers I would bet the overall damage is actually much more than $11M.

Re:

[iggymanz]

no, restoring those systems won't cost that machine unless its IT dept were total idiots.

Re:

[execthts]

Or if the management above IT is an idiot.

Re:Steal?

[CaptainDork]

I don't know why this is modded down, because it's correct.

Like many here, I worked in IT. I'm retired.

During my career, I made best practice recommendations that were obvious to the most casual observer.

However, the business side did (faulty) risk assessment and declined to budget for security and clever backup systems.

While I seldom had to rely on backup, we were hacked several times because, for example, the fucking owner fell for, "Your UPS package isn't going anywhere until you click on this link," and he's the asshole who signed our exclusive agreement with FedEx!

5 weeks after I retired, the entire firm was hit with ransomware. It got the desktops and servers. The poor bastards who took my place were not scared shitless about backups as I was, so it was a very costly event.

And can you believe this? They now have ransomware insurance.

I used to sweat it but now I just get my popcorn.

Re:

[Unknown User]

Since I'm working on certain aspects of risk assessment and multi-attribute decision making under risk, could you briefly elaborate what they did and in which way their assessment was faulty? Just a rough description?

Re:

[Bert64]

Often the people doing the risk assessment don't fully understand the technology in place, and thus make faulty assumptions about its capabilities and the risks thereof.

Re:

[CaptainDork]

Oh, they understood.

I gave lectures and all that stuff, just as IT has always done.

They were cheap and entitled.

After a particularly bad phishing attack, management pulled me in and asked me why our system wasn't hardened against such stuff.

I told them a manager overrode the system by providing permission (email promised to deliver nude photos of Anna Kournikova) for the malware to hit (it spammed and caused us to be blacklisted everywhere).

Appreciate that I really enjoyed my work and the people there.

"Staf

Re:

[CaptainDork]

... in which way their assessment was faulty? Just a rough description?

Sure. They didn't accept many of my recommendations, and I was the expert.

Re:

[Bert64]

Surely the insurers will insist that they take reasonable steps to prevent malware infection, or else significantly hike their premiums? The insurers should be backing up what you were saying about keeping backups etc.

Re:

[CaptainDork]

I don't know how it works and I didn't ask.

I found out about the ransomware from a friend at the company that replaced me and I was curious about what steps were being taken.

"Ransomware insurance," was the answer I got from the technician, who found it to be ludicrous.

He had recommended what I had always done:

Local backup to EHD, rotating them out every morning and shipping them off site.

Instead, the backup drives stayed connected and got hit with the ransomware, as well.

It was an expensive scandal.

Re:

[K. S. Kyosuke]

unless its IT dept were total idiots

There's your problem. We already know that they are.

Re:

[darkain]

If it was truly only the MBR that was wiped, it wouldn't take THAT much to restore. You could easily create a bootable CD/USB drive with a small script to write out the first sector of the only attached HDD. Considering the quantity of machines, odds are they're mostly the same and had a standard drive image applied to all of them. The MBR is just a basic list of drive/partition geometry information, which is most likely the same across a vast majority of machines in the corporate world like this.

Re:

[Anonymous Coward]

True, but considering the system was hit with malware I'd be included to restore from backups anyway, scan them and patch the machines before putting them back into service. It's a bank after all. Need to be careful.

Re:

[Khyber]

Crash != making the systems 100% unusable.

If the IT dept had half a brain, they'd have had a fully-homogenous hardware set for their desktops, and one for their servers, and thus there would only be two system images they'd need to deploy, reconfigure, and bring back online.

But then again, this is the financial industry we're talking about. IT Department with brains? Only if they have yet to be hamstrung by management.

Re:

[DarthVain]

Yeah I liken it to someone who smashes your car window to get at the change left in your car where 300$ worth of damage was done to steal the 5$ that is in there. Either way you're out the money. In terms of an analogy, I know people who just leave their cars unlocked without valuables to avoid this, banks I'd imagine lack this countermeasure...

Pathetic.

[Gravis Zero]

If they were real hackers then they wouldn't have wiped the drive MBRs but merely replaced the HDD/SSD firmwares with hacked ones that gave them a nearly undetectable backdoor to the bank. Seriously, if you are going to steal millions then you should at least make an effort to do it properly. -_-

Re:

[sheramil]

I'm not sure they qualify as "hackers" - I understand one quality of a hacker is the ability to get in and out without being detected. Perhaps we need a name for ridiculously inept cybercriminals; Boofheads, for example.

Re:

[Anonymous Coward]

I'm not sure they qualify as "hackers" - I understand one quality of a hacker is the ability to get in and out without being detected. Perhaps we need a name for ridiculously inept cybercriminals; Boofheads, for example.

Prior art on that one , they're called "Script Kiddies"

Just one cotton picken moment...

[beheaderaswp]

Wouldn't crashing that many systems make the IT department turn everything off?

If I was the head of that department I'd close down for a week or two to see what damage had been done beyond what was immediately detected. Then put together a comprehensive report for the board- just in time to be walked out.

Seems to be to only be a diversion if the whole department was asleep.

Re:

[Anonymous Coward]

A bank does not really have the option of shutting down for 2 weeks. People and businesses needs access to their money. A bank that shut down for 2 weeks would be out of business.

Ripple?

[JaredOfEuropa]

I wonder why banks would rely on a crypto currency like Ripple, of which 60% is held by the company and a further 20% is held by the founders. I know why they use it today in some cases: to experiment with the tech in a nimble manner, by not having to rely on their own bloated, creaking mess of legacy systems held together with spit and bailing wire. But you don't need a "coin" to settle stuff over a block chain, you can just record everything in dollars.

Re:

[TubeSteak]

I wonder why banks would rely on a crypto currency like Ripple, of which 60% is held by the company and a further 20% is held by the founders.

The value of [coin] is completely arbitrary and doesn't matter.

If SWIFT wants to grab a million Bitcoin and declare that only those million Bitcoins will be part of their network, then who cares what "the market" thinks Bitcoin is worth? "The market" will treat those coins as if they're dead. Meanwhile SWIFT says 1 Satoshi = 1 US Dollar, making a SWIFTBitcoin worth 100 million USD and they're off to the races.

Except for the small problem that Bitcoin's throughput sucks, which is why various alternatives lik

Well, you know what they say...

[Entrope]

Thank goodness for stupid criminals.

All the stupid administrators in the world would really be up the creek without a paddle if many criminals were smart.

Storage drives need a read-only switch

[Solandri]

I've been saying this for over a decade: Put a physical read-only switch on storage drives (and motherboard BIOSes). Then design OSes to boot off a read-only device, with things that need to be written (like logfiles) going to a different drive. Same for programs - the OS should only allow programs on the boot device to run. Double-clicking an executable on another drive should pop up an error (unless the read-only switch of the boot device is off).

Then, once you have the computer set up as you want it with the OS and and desired programs running, you can flip the switch and lock down the system. Anyone who uses the computer, whether remotely or locally cannot change the OS or programs without first physically opening it up to flip the switch. A hack might open up a crack to let a hacker's foot in the door, but they cannot then leverage it to root the entire system. If they got in via a memory overrun exploit, then all the modifications they try to make to the system have to be done through that memory overrun exploit. Malware might be able to take hold, but it cannot write itself to automatically start next time the computer reboots. Malware wouldn't be able to cause computers to fail to boot. In fact a reboot would clear out any such malware, though it might still be attached to a data file if a program is vulnerable to it when the data file is read. (Ransomware wouldn't change since it already leaves the OS and program files alone - it just wouldn't be able to set itself to load and run every time the computer boots - it would need to finish encrypting your data before you rebooted your computer.)

Yes it would make updates a pain. But the need for regular updates would be substantially diminished since it'd be much harder for malware to exploit a known vulnerability. You could make updates a once a month or once every few months thing, instead of needing daily updates like we do today. And the need to shutdown the computer before you opened it up to flip the read-only switch would clear out any malware laying in wait for update day. You'd just have to make sure the update was the first (and only) thing you ran when you turned the computer back on.

Re:

[phantomfive]

I used to think you were right, but with the IoT, there are a lot of devices that do reset when they reboot, cleaning out any viruses that have infected. It turns out it doesn't matter, viruses like Mirai just re-infect the system after a reboot.

In addition, UEFI is so big and poorly thought out [blackhat.com] that persistence becomes possible, even below the OS level.

The ultimate point is that these companies don't care about security. Your idea would improve security, but it will never be implemented by companies w

Re:

[phantomfive]

btw, I should add that Kaspersky OS comes close to what you describe, in addition it only allows white-listed software to be run.

Re:

[llamalad]

I seem to recall that floppy disks used to have write protect capabilities.

As did USB flash drives.

And a bunch of work has been done on the idea about OSes running read-only. Search the web for "immutable infrastructure."

Why mess with the member?

[filesiteguy]

I am so glad my hard drive doesn't have a member.

I prefer using 5.25" floppies anyway.

any story containing the words "over 9000"

[weedjams]

is likely BS.

They DID steal $10m

[Bruce66423]

According to the update at the end of the article linked to in the OP, the hackers got away with the money. The article links to two Spanish language reports supporting this claim. Can someone check the Spanish and confirm please?

https://www.publimetro.cl/cl/n... [publimetro.cl]