Lessons learnt from cosmos bank attack

In August this year, Cosmos Bank became the latest victim of a major cyber-attack. Hackers breached the bank’s ATM switch server in Pune, stealing details of multiple Visa and Rupay debit card owners. The details were then used to carry out around 12,000 fraudulent transactions across 28 countries on August 11 – with a further 2,841 transactions taking place in India.

The attack didn’t stop here. Two days later, on August 13th, in another malware attack on the bank’s server, a SWIFT transaction was initiated – transferring funds to the account of ALM Trading Limited in Hanseng Bank, Hong Kong.

The total losses from the attack stand at INR 94 crore, or 13.5 million USD. Cosmos Bank was forced to close its ATM operations and suspend online and mobile banking facilities.

How did the attack happen?

• Malware attack: The core banking system (CBS) of the bank receives debit card payment requests via a ‘switching system’. During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system.
• ATMs compromised: When depositors withdraw money at ATMs, a request is transferred to the respective bank’s CBS. If the account has sufficient balance, the CBS will allow the transaction. In the case of Cosmos Bank, the malware created a proxy system that bypassed the CBS. While cloning the cards and using a ‘parallel’ or proxy switch system, the hackers were able to approve the requests – withdrawing over INR 80.5 crore in approximately 15,000 transactions.
• Reserve Bank of India (RBI) guidelines: RBI has clear guidelines to protect against incidents such as the Cosmos Bank attack which must be followed. The security measures across Indian banks are moderate and given the high level of coordinated international attacks, all banks need to upgrade their security mechanisms.

Why is this attack more serious?

Just a few days prior to this attack, the American FBI had warned banks of a major hacking threat to ATMs worldwide. According to Krebs On Security, the influential cyber-security blog run by journalist Brian Krebs, a confidential alert to international banks informed them that criminals were plotting an imminent, concerted global malware attack on ATMs.

Smaller banks with less sophisticated security systems were believed to be most vulnerable to attack – with a scheme known as ‘ATM cash-out’ as the likely approach that the criminals might take. This is where crooks hack a bank or payment card processor and use cloned cards at ATMs around the world to fraudulently withdraw millions of dollars in just a few hours.

Banking experts and industry players fear this could be a ‘pilot run’ unless the authorities take the attack seriously. Essentially, this malware attack was not against any bank but rather, the banking system. It was carried out at international scale in a meticulously coordinated manner.

Alert type – Severe

How can I protect my enterprise?

To defend your company from the spread of malware, it’s essential that you are equipped to detect and defeat such threat in real-time.

These are our recommended immediate best practices:

1. Back up data regularly – verifying data integrity and testing the restoration process
2. Secure your offline backups – ensuring backups are not connected permanently to the computers and networks they’re backing up on
3. Audit firewalls, servers and Intrusion Prevention System (IPS) configurations – block access to known malicious IP addresses & Server Message Block (SMB) ports 139 and 445, and disable SMBV1 and Windows Management Instrumentation Command Line (WMIC) in servers and Active Directory (AD)
4. Patch operating systems, software and firmware on devices – use a centralised patch-management system
5. Scan all incoming and outgoing emails – detect threats and filter executable files from reaching end users using sandboxing
6. Enable strong spam filters to prevent phishing emails – authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and Domain Keys Identified Mail (DKIM) to prevent spoofing

Be prepared

Enterprises need to ensure that security is inbuilt end-to-end – starting at the very beginning. Protecting your network should be the #1 priority to safely extend your reach virtually anywhere. Solutions such as our Managed Security Services offer 24/7/365 security.

Talk to us now or learn more about our Managed Security Service for ransomware protection.