
Two Bytes to $951M - ernsheong
http://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html
======
colejohnson66
Can someone explain how the money just "disappears"? Do the thieves send it to
a bank account overseas and the receiving bank doesn't cooperate and send it
back? Wouldn't there be a log detailing exactly where the money was sent if
they bounced it through multiple banks? Could someone wire it to a bank,
withdraw it as cash, then deposit it somewhere else?

~~~
funkyy
You can simply re-wire money between different jurisdictions. Let's say you
send money to Philippines -> Gibraltar -> Caymans -> Russia -> UK -> Panama ->
Switzerland

Because each country is on different continent, following different rules and
laws, accessing data is extremely hard.

Many countries from different geographical locations won't be happy to give
access to banking information.

Before they can track the money, it will be deposited to a shell company. With
amounts like that there are often bigger powers that will help make them
disappear, like politicians and bank executives.

I personally have been dealing with banks on a higher level and their
willingness to ignore the rules and regulators is enormous. That's in the EU; I
believe in countries like Gibraltar or the Cayman Islands it must be pretty easy.

~~~
ben_jones
It reminds me of Wolf of Wall Street and the Swiss banker. If I was ever
involved in such a situation I'd be expecting to call the banker (who's
complicit in the laundering) and hear "What money? You have no money with us."

~~~
slmyers
A few reasons why the "banker" may not be interested in stealing your money.

1) In the black markets reputation is meaningful... if word gets around that
you rip people off, then you might have trouble finding more customers.

2) Stealing that much money is a good way to get killed. I wouldn't put it
past a powerful white collar criminal to organize a murder or two.

------
therein
Great write up and it certainly sounds like an inside job. I mean, it seems
the authors of the malware had an incredible amount of insight into the entire
SWIFT platform anyway.

~~~
dogma1138
SWIFT documentation is available. There are tons of IT workers familiar with
SWIFT; I've tested SWIFT GW implementations at at least 10 institutions.

Registering for SWIFT training is easy enough, especially in developing
countries where verification can be harder to achieve.
https://www.swift.com/our-solutions/services/training?AKredir=true

Gaining access to swift.com through either "proper" registration or phishing
will get you access to the SWIFT SDK as well as tons of other material. So no,
sorry, but to me and to anyone else who's even remotely familiar with how
shitty SWIFT and usual banking internal security is, it doesn't sound like an
inside job, just a job well done.

~~~
breakingcups
Did I read it correctly that the malware had the name of the printer embedded
in it? The sentence 'The PCL language used specifies the printer model, which
is "HP LaserJet 400 M401"' seems to suggest it did.

This strongly points to an inside job, but does not exclusively prove it.

~~~
dogma1138
No, it only shows they've done their homework. A lot of the "security" of
banking processes is based on human verification, often via phone, fax,
printing etc., so it's not surprising that they've compromised the printing
process, because that would flag the transactions immediately as the process
mandates for the printout to be reviewed (and usually signed, and then filed
with compliance).

If you can present an all clear signal to the bank staff at all the immediate
human readable interfaces no one would notice, at best the fraudulent
transactions would be detected 30+ days down the line when the banks perform
account consolidation.

This is a good post about how money moves around between banks:
https://gendal.me/2013/11/24/a-simple-explanation-of-how-money-moves-around-the-banking-system/
It doesn't go into payment/messaging systems (i.e. SWIFT) too much, which is a
good thing, but it does explain how banks handle and settle transfers.

SWIFT is a glorified messaging service for banks; that's how it started. Today
a lot of "out of the box" applications have been developed on it, but at its
core SWIFT is just a trusted network that enables its members to securely
transfer messages between each other. These messages often end up being used
to facilitate transactions, but they aren't what actually moves money around.

------
lifeisstillgood
Wow.

tl;dr - the recent SWIFT / Bangladesh heist has been followed from outside by
BAE Systems of all people and they analyse some malware. It reminds me of little
more than what I would expect a (malicious) set of scripts developed by a good
in-house IT team to look like as they solve some MIS problem. It's that custom-
built.

The main .exe replaces the eponymous two bytes in the swift system, preventing
it from executing code if a check fails (presumably a swift authorisation
check to access the underlying Oracle DB). This is a JNZ instruction in the
target application and even I remember this one.

Then there is code dealing with SQL statements, so it can both delete
malicious SWIFT instructions from the local database and inject its own(?), and
it even tampers with the local printer to delete confirmation messages (where
presumably hard copies of each transaction are printed). The actual printer
model is, it seems, hard-coded in the attackers' toolkit.

This has several lessons, firstly if you have something valuable someone will
really work hard to attack you specifically. Second there is really no excuse
anymore not to move every OS over to randomised memory location access, and
more. But even so I am not convinced this would help here. The specificity of
the attack is incredible.

Lastly, modern software development already seems to be about duct-taping
together other people's code and stopping once it "works". The cost of
developing secure systems is way beyond the cost of developing "works on my
machine" systems, and that cost needs to be raised at a business level as an
insurance premium. Then we can make sensible trade-offs. Not sure there is a
961M dollar trade-off but still.

~~~
matheist
_Second there is really no excuse anymore not to move every OS over to
randomised memory location access, and more. But even so I am not convinced
this would help here._

It might make it harder... but in this case couldn't an attacker search the
entire address space for the location of the library? ASLR protects against
buffer overflows as an attack vector, but here the attacker already has
access.

(I'm no expert and would appreciate correction.)

~~~
lifeisstillgood
To be honest the attack space for 2 malicious bytes in a system of phones,
routers, servers and applications consisting of what, trillions of bytes of
code, is so mind-bogglingly huge that even the experts aren't experts.

At some point we need to go back to secure kernels only a few thousand lines
long that dole out permissions and access - making all attack vectors
ridiculously harder.

Can we do it? Will Facebook hand over its billions to the project? Will
anyone?

~~~
noir_lord
> Can we do it? Will Facebook hand over its billions to the project? Will
> anyone?

At some point the cost of not doing it will exceed the cost of doing it, I'm
not sure what it would actually take, shit security already costs tens of
billions a year to the global economy and people just accept it.

~~~
marcosdumay
> At some point the cost of not doing it will exceed the cost of doing it

Will something like this really cost more than $900M?

------
madaxe_again
Wait, is this write up by BAE systems, as in British aerospace engineering?

If so, I'm scratching my head, as it appears they _do_ have knowledgeable
infosec people, but their security is laughable. Anyone want schematics and
parts lists for anything they make? There's an email address you can send a
message to that will respond with them. All plain-text, no validation.

The attitude that good security costs trillions and is therefore unattainable
is all pervasive.

~~~
ceejayoz
> Anyone want schematics and parts lists for anything they make? There's an
> email address you can send a message to that will respond with them. All
> plain-text, no validation.

This seems like an odd complaint. I can do this with my car and dishwasher,
too. Unless BAE makes classified military stuff they're exposing in this
manner it seems less like a security hole and more like a useful thing for
people maintaining the stuff they manufacture.

~~~
userbinator
Indeed, that sounds like "a feature, not a bug". A lot of other companies
don't even bother answering if you ask them for such things.

------
Paul_S
The world banking system runs on windows? Of all things in that article this
was most surprising to me.

~~~
Drdrdrq
Serious question: what OS should it run on? I agree that Windows is a bad
choice but other options are not much better as far as security (for this kind
of attacks) is concerned... Are they?

~~~
Retric
BSD UNIX can be good from a security standpoint. But, there are also OS out
there written from the ground up to be secure.

~~~
Drdrdrq
Sure, but this attack modified local binaries so that they performed
operations for attackers. How do you fight that?

~~~
Retric
The short answer is to only run signed binaries and/or not allow new code at
all. How to manage that while maintaining flexibility and minimizing costs
ends up getting really complex. But, really, there is a long continuum between
say a personal blog at one end and an ICBM at the other. IMO, the banking
system is at the high end of that scale.

------
jtchang
This is some real life swordfish shit right here. This is not some run of the
mill trojan keylogger. Whoever wrote this had plenty of access and time to get
the malware correct.

~~~
yompers888
Is there a nation-state actor who would have cause to put forth these
resources to disturb the Bangladeshi central bank?

~~~
meowface
Pure speculation, but impressive as this is, it feels just amateurish enough
to not be a nation-state. They made some mistakes like typos in the sending
address of the wire recipient, and also made the attack discoverable the
night/morning after, when an employee noticed SWIFT reports weren't printing
properly.

I think they were probably just in it for the money.

~~~
yompers888
Ok, fair enough. I could have seen it being either way, but I've mostly only
read the big reports about nation-state actors, so I'm probably biased to see
it that way.

As a separate note, state actors can be very amateurish. The Chinese did
things, as disclosed by the Mandiant APT1 Report, like taunting users, using
very non-native English phishing messages, and leaving plaintext signatures as
a means of bragging.

------
jokoon
Wow, they even knew the model of the printer?

------
Bromskloss
> we’ve recently identified tools uploaded to online malware repositories

Why were they uploaded there, and where are said repositories?

------
adriancooney
I love these write ups! Does anyone know where I can find more like this and
disclosures (like the Hacking Team)?

~~~
firasd
I just finished reading this: The Hack at ShapeShift
http://moneyandstate.com/looting-of-the-fox/

------
fareesh
If this is not an inside job I'd be extremely impressed and interested to hear
how they did it.

------
mburst
Sounds like an inside job. Really cool write up!

------
webXL
"Many pieces of the puzzle are still missing though: how the attackers sent
the fraudulent transfers; _how the malware was implanted_; and crucially, who
was behind this."

Well, we have a clue for piece #2:

"... sends result to attacker domain over HTTP"

How the hell does _that_ happen in this day and age? You trust any traffic
coming out of your network??
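The egress control webXL is pointing at is deny-by-default outbound filtering from the payment hosts, with anything that slips past it showing up as a finding. The following Python is an added example, not code from the BAE write-up or from any bank; the log format, the segment address range, the allowlist and the sample lines are all constructed for illustration. It parses proxy log lines and flags connections from the payment segment that go to a destination outside the allowlist, use plain HTTP instead of a CONNECT tunnel, or target a raw IP address.

```python
import ipaddress
import re

# Constructed proxy/egress-firewall log lines (assumed format, not from the
# page or from any real bank): <ts> <src_ip> <dst_host> <dst_port> <method> <status>
SAMPLE_LOG = """\
2016-02-04T22:10:01Z 10.20.1.11 alliance-gw.bank.example 443 CONNECT 200
2016-02-04T22:10:05Z 10.20.1.11 updates.vendor.example 443 CONNECT 200
2016-02-04T22:11:42Z 10.20.1.11 203.0.113.45 80 POST 200
2016-02-04T22:12:03Z 10.20.1.12 crm.bank.example 443 CONNECT 200
2016-02-04T22:12:09Z 10.20.1.12 crm.bank.example 8080 POST 200
2016-02-04T22:13:30Z 10.20.5.7 news.example 80 GET 200
"""

# Assumptions: payment-application hosts sit in one segment and have a short,
# explicit list of (destination, port) pairs they may reach. Everything else
# from that segment is a finding, not merely a log line.
PAYMENT_SEGMENT = ipaddress.ip_network("10.20.1.0/24")
ALLOWED_EGRESS = {
    ("alliance-gw.bank.example", 443),
    ("updates.vendor.example", 443),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\d+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, method, status = m.groups()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "port": int(port), "method": method, "status": int(status)}


def is_raw_ip(host):
    """True if the destination was given as an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_unexpected_egress(log_text):
    """Flag outbound connections from the payment segment that break policy."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["src"] not in PAYMENT_SEGMENT:
            continue
        reasons = []
        if (ev["dst"], ev["port"]) not in ALLOWED_EGRESS:
            reasons.append("destination not in allowlist")
        if ev["method"] != "CONNECT":          # plain HTTP through the proxy
            reasons.append("plaintext HTTP")
        if is_raw_ip(ev["dst"]):
            reasons.append("raw IP destination")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_LOG):
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]}:{f["port"]} '
              f'({"; ".join(f["reasons"])})')
```

Run against the constructed sample, the third line (payment host posting over plain HTTP to a bare IP) is the one that matches the behaviour the comment quotes, and it trips all three rules. The detection is only as good as the log source: a host that can be patched at the binary level can also bypass a proxy it is merely configured to use, so the allowlist has to be enforced at the network boundary, with the log as the audit trail rather than the control.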

------
discardorama
"nroff_b.exe" ?!? Did these guys _really_ have to drag nroff into this??
Better look for an old-school Unix hacker.

------
jaytaylor
Interesting that this has been previously submitted five times and only caught
on now.

------
metaphor
> ...but the main focus of the report will be on
> 525a8e3ae4e3df8c9c61f2a49e38541d196e9228 as this is the component that...

Apparently, evtdiag.exe was irreparably ambiguous. =|

~~~
timrogers
I guess they were trying to say _this_ version of evtdiag.exe. But I still
agree it was a little unnecessary.

------
sonoffett
I wonder if a Blockchain system would mitigate the feasibility of this kind of
attack and make it easier to trace the destination of the stolen funds?

~~~
dangero
A basic blockchain system would not necessarily change the feasibility of this
attack, but it would probably make it easier to trace the funds. The crux of
this attack is that the transacting and reporting computer were compromised.
This means that fraud transactions were initiated and then notifications of
those transactions were removed from the reporting machine. With a blockchain
system I could see a similar outcome if the transacting and reporting machines
were compromised. Of course, with a blockchain system there are many ways you
could improve security to decrease the chances of this attack:

1. Multi-signature transactions could require a hacker to compromise multiple
machines possibly on separate network segments.
2. Multiple reporting and auditing machines could be employed on several
separate networks to again increase intrusion requirements.

I suspect SWIFT already allows for or could employ similar methods on their
network to mitigate these types of scenarios as well.

~~~
RockyMcNuts
Trace the funds to where? an Internet cafe in an ex-Soviet nation where they
were split up into smaller amounts to be put in cold storage? then what, when
those smaller amounts start being used to buy gold 5 years later? Isn't the
whole point of Bitcoin that any transfer is irreversible, and it's hard for
authorities to interfere and regulate, unlike say USD?

~~~
dangero
The question was about blockchain not bitcoin, so I'm assuming the corollary
is a private shared blockchain used to replace SWIFT between a consortium of
banks. Bitcoin would not make sense as a SWIFT replacement because it's
completely public. Banks have no interest in showing their balance sheets to
the general public.

~~~
bachback
We're doing something like this with lykke.com. Fiat money is implemented as
Colored Coins on top of Bitcoin. It has a range of advantages over pure fiat -
tracking of issuance publicly, lower settlement times, integration with smart
money capabilities of Bitcoin, and more.

------
djmips
That looks easier than cracking games!

------
tonmoy
Control flow guard
([http://research.microsoft.com/pubs/64250/ccs05.pdf](http://research.microsoft.com/pubs/64250/ccs05.pdf)
[2005]) could have prevented this attack. I think most modern programs use
stack guards, so this should not be too hard to include either.

~~~
userbinator
"CFI requires that, during program execution, whenever a machine-code
instruction transfers control, it targets a valid destination, as determined
by a CFG created ahead of time."

That wouldn't do anything for this. If you can change arbitrary bytes of the
binary and have it execute, you can rewrite the whole thing, including
patching out all these extra checks too.

------
rubyfan
nop strikes again! many a cracked shareware have fallen to this simple trick

------
jbverschoor
Not too impressed by the NOP. But loving the print job :)

------
known
Best I read in HN till date;

------
known
Is there no audit system ?

~~~
chillydawg
Printer! :D

------
willvarfar
How can the user install software on a node authorizing payments? Once they do
that, why can the Trojan read/write code?

Very shoddy terminal security :(

We can guess that the Bank of Bangladesh uses not-locked-down Windows
desktops to run their system.

~~~
ianpurton
You guessed wrong.

------
Steeeve
> This malware was written bespoke for attacking a specific victim
> infrastructure,

Nothing in the post indicates that it was specific to a single victim.

The JNZ update was something everyone used to do to get rid of nag screens in
shareware. I'd be very surprised if there wasn't a generic utility for
extracting the locations of the right bits at this point, but either way it's
a simple process for finding them.

Going after the print files just indicates familiarity with SWIFT and PCL.

It doesn't actually look like a particularly clever attack to me, at least not
from what's in this article. Very basic security mitigations would have
prevented it. (Like validating oracle files)
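Several comments above (lifeisstillgood on the two-byte JNZ patch, userbinator on why CFI does not help once the file on disk is writable, Retric on running only signed binaries, and Steeeve on validating the Oracle-related files) describe the same mechanism and the same countermeasure. The Python below is an added example, not code from the BAE write-up, from SWIFT or from the malware: it models the patch on a constructed 32-bit x86 fragment and then shows the detection a hash allowlist gives. The instruction layout, the file name `liboradb_example.dll` and the allowlist are assumptions made for the illustration; the real binary's bytes and offsets are not on this page.

```python
import hashlib
import struct

# Constructed 32-bit x86 fragment (not the real SWIFT binary). On entry EAX
# holds a check status: 0 = OK, non-zero = error. A JNZ diverts error cases
# to a deny path; the fall-through path returns 1 (allow).
#
#   00: 85 C0            test eax, eax
#   02: 75 06            jnz  fail        ; error status -> deny
#   04: B8 01 00 00 00   mov  eax, 1      ; allow
#   09: C3               ret
#   0A: 31 C0     fail:  xor  eax, eax    ; deny
#   0C: C3               ret
ORIGINAL = bytes.fromhex("85c07506b801000000c331c0c3")


def run(code: bytes, eax: int) -> int:
    """Minimal interpreter for the handful of opcodes used in the fragment."""
    ip, zf = 0, False
    while True:
        op = code[ip]
        if op == 0x90:                          # nop
            ip += 1
        elif code[ip:ip + 2] == b"\x85\xC0":    # test eax, eax -> sets ZF
            zf = eax == 0
            ip += 2
        elif op == 0x75:                        # jnz rel8
            rel = struct.unpack("b", code[ip + 1:ip + 2])[0]
            ip += 2
            if not zf:
                ip += rel
        elif op == 0xB8:                        # mov eax, imm32
            eax = struct.unpack("<I", code[ip + 1:ip + 5])[0]
            ip += 5
        elif code[ip:ip + 2] == b"\x31\xC0":    # xor eax, eax
            eax = 0
            ip += 2
        elif op == 0xC3:                        # ret
            return eax
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {ip:#x}")


def patch_jnz_after_test(code: bytes) -> bytes:
    """The attacker's edit: find `test eax,eax; jnz` and NOP out the jump."""
    buf = bytearray(code)
    i = buf.find(b"\x85\xC0\x75")
    if i < 0:
        raise ValueError("test/jnz pattern not found")
    buf[i + 2:i + 4] = b"\x90\x90"
    return bytes(buf)


def diff_bytes(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Defender side: a SHA-256 allowlist of the shipped binaries, checked at
# start-up or by a scheduled job. Here the digest is computed from the
# constructed fragment; in practice it comes from the vendor or the signing
# pipeline and is stored off the host being checked.
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


ALLOWLIST = {"liboradb_example.dll": sha256(ORIGINAL)}   # assumed file name


def integrity_ok(name: str, data: bytes) -> bool:
    return ALLOWLIST.get(name) == sha256(data)


if __name__ == "__main__":
    patched = patch_jnz_after_test(ORIGINAL)
    print("changed offsets:", diff_bytes(ORIGINAL, patched))
    print("original, error status 7 ->", run(ORIGINAL, 7))
    print("patched,  error status 7 ->", run(patched, 7))
    print("integrity check on patched file:",
          integrity_ok("liboradb_example.dll", patched))
```

Only two bytes change, and the patched fragment returns "allow" for every status, which is the whole of the attack the thread is discussing. The hash check catches it, but only detects: it has to run from something the attacker cannot also rewrite, and an attacker who can write the binary on the same host can usually write a local allowlist too. Enforced code signing at the OS level, or an off-host integrity job that alerts rather than a local one that merely logs, is what turns the check into a control.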

