In early March, it came to light that attackers had stolen $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York. Early investigation found that the attackers used the bank's own credentials for the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to issue nearly $1 billion in fraudulent transfer orders before the compromise was discovered. SWIFT is a messaging network that banks primarily use to send payment orders to one another. The SWIFT interface systems are deployed on-premises at each member institution and connected back to SWIFT's central data centers over IP network infrastructure.
This month, investigators discussed some of the security failures that made this attack possible. As it turns out, Bangladesh Bank used cheap unmanaged switches on its internal network and, worse yet, had no firewall at all. The SWIFT equipment, while in a separate room, was separated from the rest of the building's network by nothing more than a second-hand switch that cost about $10.
While we still don't know all the details behind this attack, we can begin to see why the criminals succeeded. An unmanaged switch offers no VLANs, no port security and no logging, so without proper network segmentation attackers can move laterally between hosts unhindered and undetected. Once the attackers had compromised a single host, perhaps through a phishing email or an infected USB drive, they could pivot to the SWIFT systems sitting on the same flat network.
It is not clear whether the bank's complete lack of network security was an attempt to save money, or just plain incompetence. Regardless, you can use this incident as an opportunity to refresh some important network security basics. Administrators should always deploy critical systems on a separate network from general workstations, whether by using VLANs or even separate physical cabling. Place a firewall between those segments with a default-deny policy, so that only the specific hosts, protocols and ports the critical system needs are permitted, and have it inspect the traffic it does allow, for example with a UTM appliance that scans inter-segment traffic for malware and exploits. Not only could a proper firewall implementation have protected Bangladesh Bank from losing $81 million, it could also have provided important visibility into the attack, in the form of logged and denied connection attempts, to help identify the criminals and prevent them from attacking again elsewhere. — Marc Laliberte
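As an added example, not part of the original post or of any SWIFT-supplied configuration, here is what the segmentation described above looks like as an nftables ruleset on a Linux firewall that routes between the workstation VLAN and the SWIFT segment. The interface names, address ranges, the single jump host and the destination ports are assumptions chosen for illustration; replace them with the values from your own network and SWIFT connectivity documentation. The forward chain defaults to drop, the SWIFT hosts may only reach SWIFT's endpoints, one hardened jump host may reach the SWIFT hosts over SSH, and everything else crossing the boundary (such as a phished workstation scanning the SWIFT segment) is logged and counted before being dropped. Content inspection of the permitted flows is a separate UTM function and is not shown here.

```shell
#!/bin/sh
# Added example (not from the original post): nftables segmentation policy
# for a firewall between a workstation VLAN and a SWIFT segment.
# All names and addresses below are assumptions for illustration.

WS_IF="${WS_IF:-vlan10}"                      # workstation VLAN interface (assumed)
SWIFT_IF="${SWIFT_IF:-vlan20}"                # SWIFT segment interface (assumed)
WAN_IF="${WAN_IF:-eth0}"                      # uplink towards SWIFT's IP network (assumed)
WS_NET="${WS_NET:-10.10.0.0/24}"              # constructed workstation range
SWIFT_NET="${SWIFT_NET:-10.20.0.0/28}"        # constructed SWIFT host range
JUMP_HOST="${JUMP_HOST:-10.10.0.5}"           # only workstation allowed into the segment (assumed)
SWIFT_REMOTE="${SWIFT_REMOTE:-198.51.100.0/24}"  # placeholder (TEST-NET-2) for SWIFT's endpoints
SWIFT_PORTS="${SWIFT_PORTS:-443}"             # assumption; use the ports SWIFT documents for you

# Print the ruleset. Kept as a function so it can be reviewed or diffed
# before it is loaded into the kernel.
swift_segmentation_ruleset() {
cat <<EOF
flush ruleset
table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections the firewall has already accepted
        ct state established,related accept
        ct state invalid drop

        # SWIFT hosts may talk only to SWIFT's endpoints, only on the allowed ports
        iifname "$SWIFT_IF" oifname "$WAN_IF" ip saddr $SWIFT_NET ip daddr $SWIFT_REMOTE tcp dport { $SWIFT_PORTS } accept

        # a single hardened jump host may administer SWIFT hosts over SSH;
        # the rest of the workstation VLAN ($WS_NET) gets no rule and falls through to drop
        iifname "$WS_IF" oifname "$SWIFT_IF" ip saddr $JUMP_HOST ip daddr $SWIFT_NET tcp dport 22 accept

        # everything else crossing the boundary is logged and counted, then dropped
        # by the chain policy: lateral movement from a phished workstation shows up here
        iifname "$WS_IF" oifname "$SWIFT_IF" log prefix "SEG-DENY ws->swift " counter
        iifname "$SWIFT_IF" log prefix "SEG-DENY swift-out " counter
    }
}
EOF
}

# Syntax-check the ruleset (nft -c), then load it. Requires root and nftables.
apply_ruleset() {
    swift_segmentation_ruleset | nft -c -f - && swift_segmentation_ruleset | nft -f -
}
```

Run `swift_segmentation_ruleset` to review the generated policy and `apply_ruleset` as root to load it. The two `log` rules are the visibility the post calls for: a burst of `SEG-DENY ws->swift` messages from one workstation address is exactly the signal a SIEM rule should alert on.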
I don't think the bank are the only people at fault here. SWIFT should be less concerned about ubiquity and more concerned about ensuring a minimum level of security is applied to their equipment, by themselves. If you can't ensure that the organisation where your equipment is being installed is adequately secured, you have to ensure your own systems are secured independently.