Security researchers have taken a deep dive into the cyber attack on the SWIFT/ATM infrastructure of Cosmos Bank, the recent victim of a $13.5m cyber-heist.

Experts at Securonix have outlined the most likely progression of the attack against the bank, the latest financial institution to face hacks blamed on state-backed North Korean hackers.

Cybercrims/spies most likely from the infamous Lazarus Group stole $13.5m from Cosmos Bank between August 10-13, as previously reported.

The breach involved an ATM switch and related SWIFT environment compromise that created two routes through which hackers cashed out, according to Securonix.

Either targeted spear phishing and/or a hack against a remote administration/third-party interface allowed hackers to gain an initial foothold in the Indian bank's network. Following subsequent lateral movement, the bank's internal and ATM infrastructure was compromised.

After the initial break-in, attackers most likely either leveraged the vendor ATM test software or made changes to the deployed ATM payment switch software to create a malicious proxy switch.

Hackers were then in a position to establish a malicious ATM/POS switch in parallel with the existing (legit) system before breaking the connection to the backend/Core Banking System (CBS) and substituting their own counterfeit system in its place.

Common banking ATM switch architecture

Details sent from a payment switch to authorise transactions were never forwarded to backend systems so the checks on card number, card status, PIN, and more were never performed. Requests were handled by the shadow systems deployed by the attackers sending fake responses authorising transactions.

This bogus system was used to authorise ATM withdrawals for over $11.5m through more than 2,800 domestic (Rupay) and 12,000 international (Visa) transactions using 450 cloned (non-Europay, MasterCard or Visa) debit cards in 28 countries, Securonix said.

Using MC [a malicious ATM/POS switch], attackers were likely able to send fake Transaction Reply (TRE) messages in response to Transaction Request (TRQ) messages from cardholders and terminals. As a result, the required ISO 8583 messages (an international standard for systems that exchange electronic transactions initiated by cardholders using payment cards) were never forwarded to the backend/CBS from the ATM/POS switching solution that was compromised, which enabled the malicious withdrawals and impacted the fraud detection capabilities on the banking backend.

Securonix rates the attack as far more sophisticated than bank ATM heists mounted by criminal gangs in Mexico, Russia and elsewhere that have focused on planting malware on targeted cash machines.

"The attack was a more advanced, well-planned, and highly coordinated operation that focused on the bank's infrastructure, effectively bypassing the three main layers of defence (PDF)," the firm said.

The crooks didn't stop there and further hacked Cosmos Bank's compromised network in order to authorise a $2m fraudulent transfer through the SWIFT inter-banking messaging network.

"On August 13, 2018, the malicious threat actor continued the attack against Cosmos Bank likely by moving laterally and using the Cosmos bank's SWIFT SAA environment LSO/RSO compromise/authentication to send three malicious MT103 to ALM Trading Limited at Hang Seng Bank in Hong Kong amounting to around US$2 million."

The attack bears hallmarks of the Lazarus Group including the use of Windows Admin Shares for lateral movement, using custom Command and Control (C2) that mimics TLS, adding new services on targets for persistence, Windows Firewall changes and a number of other techniques. A fuller run-down of Lazarus Group's techniques in general can be found in a wiki entry by Mitre here.

Securonix's research is designed to help banks increase their chances of detecting similar future attacks. ®