March 12, 2020
To secure corporate data, network security administrators establish and enforce internal encryption policies. Nevertheless, fraudsters often obfuscate their malicious activity while exfiltrating confidential data, rerouting data to C2 servers, or dropping malware.
January 7, 2016.
The Cayman National Bank and Trust (CNBT) discovered a series of unauthorized SWIFT transactions which, according to the bank, had not been processed by it. As a result of the internal investigation, "CNBT believed they had been the target of a network breach."
The malicious actor (or group) responsible for the attack goes by the name Phineas Phisher.
Some of the findings PwC reached are as follows:
Reportedly, the bank fell victim to the phishing attack.
Nothing unusual here yet, right? Wrong.
As every email starts with a greeting, every phishing email campaign starts with a preparation.
The alleged intrusion scheme looks as follows:
What happened next is not hard to guess.
An employee of CNBT opened the attachment, infecting the employee's workstation. This fatal action, in turn, gave the attackers access to the bank's network.
According to the PwC report: "Presumably, Adwind RAT is malware that was used […]."
Contrary to that claim, Phineas Phisher offered another point of view: "I was just using Empire [RAT]. I didn't use Adwind, and maintained persistence with PowerShell Empire."
At the same time, PwC noted that they could not say for sure whether Adwind was or was not used to deliver the shellcode: "Due to the timeframe involved we are unable to determine if this malware is directly related to the recent incident. However, it would appear that this malicious email may be specifically designed and targeted to compromise CNBT."
Phineas Phisher had the answer to this too: "I got in through the same Sonicwall SSL VPN exploit I used against Hacking Team, not by phishing."
As it turned out, Phisher was not the only one with plans for the bank: "someone else was randomly targeting the same bank around the same time."
Now, we’ve come to the point where the case takes a full U-turn.
The SSL VPN exploit mentioned earlier leads us to recent events connected with a critical remote code execution vulnerability in some corporate VPNs. The flaw allows attackers to execute malicious code remotely on targeted systems.
Generally, corporate VPNs are used by remote employees to access resources safely on a company’s network. To sign in, employees must enter their corporate username and password.
Then, connecting over an HTTPS (SSL-encrypted) connection, providers create a secure tunnel between the employees' computers and the corporate network.
Needless to say, it is the easiest way to connect to the corporate network.
And the quickest one to compromise it.
Split tunneling lets a remote user reach the local LAN or WLAN and the public Internet directly while the VPN tunnel to the corporate network is up at the same time. That unprotected direct path gives an attacker the opportunity to compromise the remote computer and, through it, gain network access to the corporate network.
In a Man-In-The-Middle (MITM) attack, an attacker inserts themselves into the conversation between two parties (sender and recipient) to eavesdrop on it and then steal their personal information.
During the attack, the attacker acts as a proxy/gateway presenting a forged SSL VPN portal. The proxy/gateway thus collects the credentials users enter.
Recently, security researchers discovered a pre-authentication remote code execution (RCE) vulnerability in SSL VPNs and described the bug as a "format string vulnerability in the PAN SSL Gateway, which handles client/server SSL handshakes."
"The researchers found that the vulnerability exists because the gateway passes the value of a particular parameter to snprintf in an unsanitized, therefore exploitable, fashion. An unauthenticated attacker could exploit this vulnerability by sending a "specially crafted" request to a vulnerable SSL VPN target to remotely execute code on the system."
In other words, because the gateway interprets the text it receives instead of treating it as plain data, attackers can covertly break into a company's network even without user credentials.
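The following C example, added here and not taken from the PAN gateway or from any report quoted above, illustrates the class of defect described: a request parameter handed to snprintf as the format string, next to the hardened form in which the format is a literal and the parameter is only data. The function names, the buffer sizes and the sample input are constructed for the illustration; the vulnerable variant is shown with a harmless input so that the difference in behaviour is visible without any memory disclosure.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (deliberate, for illustration only): the untrusted
 * request parameter becomes the format string itself, so any '%' directive
 * inside it is interpreted by snprintf instead of being copied verbatim.
 */
size_t render_vulnerable(char *out, size_t outlen, const char *param)
{
    int n = snprintf(out, outlen, param);   /* BUG: non-literal format */
    return n < 0 ? 0 : (size_t)n;
}

/*
 * Hardened pattern: the format string is a compile-time literal and the
 * parameter is passed as an argument, so it is always treated as plain data.
 */
size_t render_hardened(char *out, size_t outlen, const char *param)
{
    int n = snprintf(out, outlen, "%s", param);
    return n < 0 ? 0 : (size_t)n;
}

/*
 * Defence-in-depth check a request validator can apply before a parameter
 * reaches any formatting routine: untrusted text that must be logged or
 * echoed has no business containing format directives at all.
 */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed sample: a harmless parameter containing "%%". */
    const char *param = "100%% legit";
    char buf[64];

    size_t n1 = render_vulnerable(buf, sizeof buf, param);
    printf("vulnerable: \"%s\" (%zu bytes)\n", buf, n1);  /* "100% legit" */

    size_t n2 = render_hardened(buf, sizeof buf, param);
    printf("hardened:   \"%s\" (%zu bytes)\n", buf, n2);  /* "100%% legit" */

    printf("directive present: %d\n", contains_format_directive(param));
    return 0;
}
```

The vulnerable function shrinks "100%% legit" to "100% legit" because snprintf consumed the "%%" directive; the hardened function reproduces the input byte for byte. Compiling with -Wformat-security flags the first pattern, which is the cheapest way to find it in a code base.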
The bank fraud case described briefly above shows clearly that a network security model relying solely on TLS is not an option.
The answer to the question "How Many More Break-ins Have To Happen Before We Really Do Anything About It?" depends largely on how well we learn our lessons from cases like this.
For those organizations that aspire to preserve their corporate confidential data and business secrets untouched, StealthMail could be a good fit.
StealthMail is a solution developed to secure business email communication. It was designed with the idea of data always being encrypted, no matter if it is in transit or at rest.
The Secure Dynamic Network and Protocol technology, which underlies its data transmission protocol, secures data against notorious cyber-attacks such as SSL/TLS vulnerabilities, MITM, BEC/EAC scams, domain spoofing, network-based threats, etc. To learn more about StealthMail, please download the datasheet at https://StealthMail.com/en/info.