
Bangladesh Bank hackers compromised SWIFT software, warning issued - mattingly23
http://www.reuters.com/article/us-usa-nyfed-bangladesh-malware-exclusiv-idUSKCN0XM0DR
======
zhte415
Regarding title and careless use in article:

SWIFT is not a system.

SWIFT is an instruction protocol tied to a network, SWIFTNet, which SWIFT
Alliance Access (mentioned in the article) gives access to.

Without going into details of failings of SWIFT authentication, which are few,
this appears to be simple phishing:

The use of malware, suggested here, seems simple:

* There are a lot of manual steps in fund transfers that are either initiated manually (submitting a paper-based payment request, or even a change to a company's authorised signature list) or require various manifests such as letter of credit clearing.

* Malware means the typical system of checking that inputs are indeed true and correct (an inputter of the paper form, and a checker to verify it is true and correct) can be disrupted by replacing the scanned file between scanning and input (based on the scan), or by direct system access changing key numbers or codes.

* This comment is not a slight on Bangladesh. It is a general comment on developing economies I've interacted with in banking operations across Asia: staff are often under-trained at a branch level and expected to perform a multitude of tasks under under-trained management. Local actors, for example local banks, often have completely insecure systems compared to international banks despite acting as correspondent bank in many transactions (added to the security-failure tool-chain). This is in contrast with outsourced operations in similar countries that run large service centers and most often do an excellent job.

This appears to be not an error of SWIFT at all, but of using (the power of)
SWIFT in combination with discrete and serious errors: injecting false
records into non-audited/un-auditable systems that interact with SWIFT
instructions and SWIFTNet.

~~~
jcoffland
I'm assuming the Bangladesh bank did not write their own software so these
vulnerabilities must also exist at other banks on the SWIFT network. SWIFT is
just a protocol but any bank who signs on to SWIFT must also have software
which implements SWIFT and therefore is potentially vulnerable to similar
attacks. I'm sure this prospect terrifies the banking industry but it cannot
be explained away. These risks exist even for Western banks.

~~~
zhte415
Indeed.

However, that malware is indicated suggests this could be due to lax local
lock-down of PCs. Pretty common. International banks should be pretty
locked-down, but there is no reason to be complacent. I imagine various
regional and country heads of compliance are aware of this right now, or have
been already.

What is likely worrying local bank security managers is just how many VBA-type
programs they're running as quick-fixes to operational problems that are
vulnerable, the weak links. The number of
hacked-together-at-the-weekend-bought-in services in banking is astounding,
especially in emerging markets.

Yes, these hacks/programs exist in established international corporate banks.

~~~
DanielDent
Once upon a time I did some work at a software firm which serviced financial
institutions, including many very recognizable names.

I came into work one day and a colleague had a piece of paper on his desk
requesting that we not touch his machine.

A macro was running which was switching between two open programs,
highlighting fields, and copy and pasting data.

I'm still not sure if I should be alarmed or in awe. It was probably the most
sensible option of the available options...

------
pieter1976
_The malware looks for processes with a specific DLL loaded in it and
then will replace two specific bytes with other instructions, which
essentially trick the process into thinking an important check has been done._

It replaced a JNZ with NOP NOP. The BAE Systems blog post has lots of
technical detail:
[http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m...](http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html)

~~~
masklinn
> It replaced a JNZ with NOP NOP.

That's some good old-fashioned straightforward DRM cracking right there, I'm
getting flashbacks from the 90s.

~~~
kchoudhu
Would ASLR have helped here? I feel like once they knew where the library was
loaded in memory, all hope was lost.

~~~
MichaelGG
No, they were already running code on the box with high enough permissions,
so they're allowed to inspect processes and do whatever is necessary. No
C-like memory protection stuff matters at that point.

What would have prevented it was not letting them have root in the first
place. Perhaps by running with Software Restriction Policies so only a
whitelist of binaries can run in the first place.

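The two-byte patch described by pieter1976 above, and the reason MichaelGG gives for ASLR being irrelevant to it, as an added example that is not part of the original thread or of the BAE analysis. The machine-code bytes are a constructed stand-in for a validation routine (`test eax, eax; jnz fail`), not the real Alliance Access bytes; the patcher locates the check by byte pattern rather than by address, which is why a randomised load address does not stop it. The block also shows the two checks a defender can run over a loaded code region: a known-good hash comparison and a heuristic for a `test` whose flags are consumed by nothing.

```python
"""Added example: how a JNZ -> NOP NOP patch defeats a check, and how to detect it."""
import hashlib

NOP = 0x90

# Constructed stand-in for a validation routine (NOT the real Alliance Access
# bytes): test the check's result, jump to the failure path if it is non-zero.
ORIGINAL_CHECK = bytes([
    0x85, 0xC0,                    # test eax, eax             (offset 0)
    0x75, 0x06,                    # jnz  +6 -> failure path   (offset 2)
    0xB8, 0x00, 0x00, 0x00, 0x00,  # mov  eax, 0  ; success    (offset 4)
    0xC3,                          # ret                       (offset 9)
    0xB8, 0x01, 0x00, 0x00, 0x00,  # mov  eax, 1  ; fail       (offset 10)
    0xC3,                          # ret                       (offset 15)
])

# The malware searched for a byte pattern, so the base address does not matter.
TEST_EAX_EAX_JNZ = bytes([0x85, 0xC0, 0x75])


def run_check(code, eax):
    """Minimal interpreter for the handful of x86 opcodes used above.
    Returns the value of eax at the first `ret`."""
    ip, zf = 0, False
    while ip < len(code):
        op = code[ip]
        if code[ip:ip + 2] == b"\x85\xc0":         # test eax, eax -> sets ZF
            zf = (eax == 0)
            ip += 2
        elif op == 0x75:                            # jnz rel8 (signed)
            rel = code[ip + 1]
            rel = rel - 256 if rel > 127 else rel
            ip += 2
            if not zf:
                ip += rel
        elif op == 0xB8:                            # mov eax, imm32
            eax = int.from_bytes(code[ip + 1:ip + 5], "little")
            ip += 5
        elif op == NOP:
            ip += 1
        elif op == 0xC3:                            # ret
            return eax
        else:
            raise ValueError(f"unsupported opcode {op:#x} at offset {ip}")
    raise ValueError("ran off the end of the code")


def patch_jnz(code):
    """What the attacker did: find the conditional jump after the test and
    overwrite its two bytes with NOP NOP, so the failure path is never taken."""
    idx = code.find(TEST_EAX_EAX_JNZ)
    if idx < 0:
        raise ValueError("check pattern not found")
    jnz = idx + 2
    return code[:jnz] + bytes([NOP, NOP]) + code[jnz + 2:]


def code_hash(code):
    """Known-good fingerprint of a code region, taken from a trusted copy."""
    return hashlib.sha256(code).hexdigest()


def integrity_ok(code, known_good_hash):
    """Strong check: the loaded bytes match the trusted fingerprint."""
    return code_hash(code) == known_good_hash


def find_suspicious_nops(code):
    """Heuristic check: a `test eax, eax` immediately followed by NOP NOP means
    the flags it set are consumed by nothing, a classic sign of a patched jump.
    Returns the offsets of the suspicious NOP pairs."""
    pattern = bytes([0x85, 0xC0, NOP, NOP])
    hits, start = [], 0
    while (idx := code.find(pattern, start)) >= 0:
        hits.append(idx + 2)
        start = idx + 1
    return hits


if __name__ == "__main__":
    good = code_hash(ORIGINAL_CHECK)
    patched = patch_jnz(ORIGINAL_CHECK)
    for label, region in (("original", ORIGINAL_CHECK), ("patched", patched)):
        print(f"{label:8s} bad input -> eax={run_check(region, 1)} "
              f"integrity_ok={integrity_ok(region, good)} "
              f"suspicious_nops_at={find_suspicious_nops(region)}")
```

With a failing input (`eax = 1`) the original bytes return 1 and the patched bytes return 0, which is the whole attack. The hash check is the reliable one but needs a trusted copy of the region; the NOP heuristic needs nothing but produces false positives on code that legitimately pads with NOPs, so it is a triage signal rather than proof.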
------
wrong_variable
$951M may not seem like a lot of money from a westerner's perspective, but
that is 0.5% of the GDP of Bangladesh.

Imagine if close to 1 Trillion $ was stolen from the Federal Reserve !

Edit: apparently it's 85 billion, not 1 trillion. Pretty embarrassing since
I have a degree in maths -> shame .. ding ding .. shame.

~~~
musesum
All but $81M was recovered.

~~~
MichaelGG
How is it not all recoverable? Are there still banks that are non cooperative?

~~~
aianus
Maybe they withdrew some of it in cash. I don't see why some foreign bank
should be on the hook once the funds have cleared and been withdrawn by the
thieves.

~~~
MichaelGG
Just seems like it'd be hard to make off with significant amounts of cash.
They must be really running.

------
dafrankenstein2
It's funny that the government here says they are making 'Digital
Bangladesh' while they can't even protect the central bank's IT
infrastructure..

------
gjolund
$81 million. I wonder how many people were involved.

I need to clean up my resume.

------
known
Why has the USA not flagged suspicious transactions?
[https://en.wikipedia.org/wiki/Society_for_Worldwide_Interban...](https://en.wikipedia.org/wiki/Society_for_Worldwide_Interbank_Financial_Telecommunication#United_States_of_America_government_involvement_in_SWIFT_matters)

------
andrewvijay
It looks to me like it was done by an insider.

~~~
fweespee_ch
[https://www.schneier.com/blog/archives/2011/06/yet_another_p...](https://www.schneier.com/blog/archives/2011/06/yet_another_peo.html)

> Computer disks and USB sticks were dropped in parking lots of government
> buildings and private contractors, and 60% of the people who picked them up
> plugged the devices into office computers. And if the drive or CD had an
> official logo on it, 90% were installed.

It sounds more like someone left USB sticks with logos on them in the parking
lot.

------
jagermo
Was that the same bank that used a $10 router instead of a real firewall?
[http://www.bbc.com/news/technology-36110421](http://www.bbc.com/news/technology-36110421)

------
zamalek

        B8 01 00 00 00    mov  eax, 1   ; never reached: set result to 1 (fail)
    

This is why you should always _initialize_ variables to "fail" in secure code,
although in this case it probably wouldn't have helped.

~~~
MichaelGG
Would not the compiler be free to change around things during optimization?
Fail secure is more a protection against logic bugs in your code.

------
lossolo
And they used network equipment for $10 (switches etc.)..

------
dang
We changed the URL from [https://www.onthewire.io/massive-bank-of-bangladesh-
attack-h...](https://www.onthewire.io/massive-bank-of-bangladesh-attack-hit-
swift-payment-system/) to this one, which other users posted and which seems a
bit more substantive.

There's also
[https://news.ycombinator.com/item?id=11563690](https://news.ycombinator.com/item?id=11563690)
which seems to be the technical analysis referred to by the story.

------
zepatos
As far as I'm concerned, they had it coming. Completely their fault for having
such terrible security, and frankly, they deserve it.

~~~
manigandham
Nobody "deserves" this.

~~~
fapjacks
I can think of a few people/organizations that "deserve" to have their coffers
emptied. Not Bangladesh, but there _do_ exist people that deserve it. I'm sure
you can think of some, too, if you put some thought into it.

