To secure corporate data, network security administrators establish and apply inner encryption policies. Nevertheless, fraudsters often obfuscate their malicious activities while exfiltrating confidential data, rerouting data to C2-servers, or dropping malware.
The Story With An Unusual Twist
January 7, 2016.
The Cayman National Bank and Trust (CNBT) discovered unauthorized series of SWIFT transactions, which weren’t processed according to the bank. As a result of the inner investigation, "CNBT believed they had been the target of a network breach."
A malicious actor (or a group) who is responsible for the attack goes by the name Phineas Phisher.
Some findings PwC concluded are as follows:
- Evidence from the PwC investigation suggests that the attacker(s) was able to gain privileged remote access to individual employee systems and the server estate.
- The attacker(s) used their privileged remote access and malware to navigate the CNBT network, identify and view documentation that helped them understand payment processes, and subsequently processed a series of fraudulent transactions.
- The attacker(s) used legitimate account credentials and malicious software to gain unrestricted administrative access to the CNBT network and systems, allowing them to navigate the CNBT network in much the same manner as internal system and network administrators would be able to.
Reportedly, the bank fell victim to the phishing attack.
Nothing unusual here yet, right? Wrong.
Phishing That Was Not There
As every email starts with a greeting, every phishing email campaign starts with a preparation.
The alleged scheme used to intrude looks as follows:
- Executed a successful EAC (Email Account Compromise) attack.
- Sent a phishing email from the spoofed email account csdeployment@swift.com from the typo-squatting (a fake URL, relies on typos made by users when inputting a URL address) domain cncim [.] com. to a bank employee.
- Attached the file, that contained malware.
What was next, is not hard to guess.
The employee of CNBT clicked on the attachment, thus infecting the employee’s workstation. This fatal action, in turn, gave attackers access to the bank's network.
The Attacker’s Lock-Pick Set
According to the PwC report: "Presumably, Adwind RAT is malware that was used […]."
Contrary to that claim, Phineas Phisher noticed another point of view: "I was just using Empire [RAT]. I didn't use Adwind, and maintained persistence with PowerShell Empire."
At the same time, PwC noted that they could not say for sure whether Adwind was or was not used to deliver the shellcode: "Due to the timeframe involved we are unable to determine if this malware is directly related to the recent incident. However, it would appear that this malicious email may be specifically designed and targeted to compromise CNBT."
Phineas Phisher had the answer to this too: "I got in through the same Sonicwall SSL VPN exploit I used against Hacking Team, not by phishing."
As it turned out, Phisher was not the only one who had plans for the bank, "someone else was randomly targeting the same bank around the same time."
Now, we’ve come to the point where the case takes a full U-turn.
Shedding Light On The SSL VPN Vulnerabilities
Mentioned earlier SSL VPNs exploit leads us to the recent events connected with the Critical Remote Code Execution Vulnerability in some corporate VPNs. The flaw allows attackers to execute malicious code on targeted systems remotely.
Generally, corporate VPNs are used by remote employees to access resources safely on a company’s network. To sign in, employees must enter their corporate username and password.
Then, connecting over an HTTPS (SSL-encrypted) connection, providers create a secure tunnel between the employees' computers and the corporate network.
Needless to say, it is the easiest way to connect to the corporate network.
And the quickest one to compromise it.
Split Tunneling
Split Tunneling enables remote users to access both a local LAN or WLAN, and a public Internet network connection (VPN, namely in this case) concurrently. This provides an opportunity for an attacker to compromise the remote computer and gain network access to the corporate network.
Man-In-The-Middle Attack
In a Man-In-The-Middle (MITM) attack, an attacker intrudes in conversation between two parties (sender and recipient) to snoop and then steal their personal information.
During the attack, the attacker acts as a proxy/gateway with a forgery SSL VPN. Thus, the proxy/gateway collects credentials users enter.
Minor Bug Major Harm
Recently the security researchers discovered a pre-authentication remote code execution (RCE) vulnerability in SSL VPNs. And described the bug as a "format string vulnerability in the PAN SSL Gateway, which handles client/server SSL handshakes."
"The researchers found that the vulnerability exists because the gateway passes the value of a particular parameter to snprintf in an unsanitized, therefore exploitable, fashion. An unauthenticated attacker could exploit this vulnerability by sending a "specially crafted" request to a vulnerable SSL VPN target to remotely execute code on the system."
In other words, when inputted text isn’t properly understood by the system — it allows attackers to covertly break into a company’s network, even if they lack user credentials.
Lessons Must Be Learned
This bank fraud case described briefly above shows clearly that the network security model, that solely relies on TLS is not an option.
The answer to the question "How Many More Break-ins Have To Happen Before We Really Do Anything About It?" depends pretty much on how good we learned our lessons from cases like this.
For those organizations that aspire to preserve their corporate confidential data and business secrets untouched, StealthMail could be a good fit.
StealthMail is a solution developed to secure business email communication. It was designed with the idea of data always being encrypted, no matter if it is in transit or at rest.
The solution:
- explicitly identifies both senders and recipients;
- encrypts the sensitive data all the way in: from the moment senders put any piece of information into an email till the moment recipients query to decrypt it;
- excludes the actual transferring of the content and its attachments. Instead of sending data directly, the solution sends a crypto link only, which refers to it. By its design, link is useless and does not comprise any payload;
The Secure Dynamic Network and Protocol technology, which underlies a protocol of transmitting data, secures data from the notorious cyber-attacks such as SSL/TLS vulnerabilities, MITM, BEC/EAC scams, domain spoofing, network-based threats, etc.To learn more about StealthMail, please download the datasheet at https://StealthMail.com/en/info.
Link in die Zwischenablage kopiert!