In May 2019, the cybersecurity team at Barac identified an Advanced Persistent Threat (APT) targeting a global financial institution using very advanced encryption to evade detection. The structure, complexity and certain characteristics of the compromise led the team to believe the threat was likely to have originated in North Korea.
The bank at the centre of this attack is headquartered in Africa and operates in several countries across Southern Africa. It provides both wholesale and retail banking services, together with insurance, asset management and wealth management solutions.
This sophisticated attack focused on extracting money from a number of high-net-worth corporate accounts via the SWIFT payments infrastructure. The threat was uncovered while the hackers were still testing the integrity of the extraction process, when Barac identified a regular pattern of encrypted traffic leaving the bank’s head office network. On investigation, it became apparent that this was command and control (C+C) traffic sending information to suspicious servers based in Bulgaria, using certificates signed in North Korea to encrypt the channel. The bank was able to link this activity to a number of small monetary transfers that had been made from the targeted accounts to banks, again, based in Bulgaria.
- This was a very advanced, multi-faceted and highly targeted attack that had been carefully crafted and required considerable research and effort to set up
- The entire attack had been architected to work under the radar of the highly sophisticated security controls used by the financial institution’s head office
- In particular, the compromise used multiple websites and encryption to obfuscate the C+C traffic and therefore evade these security controls
- The attack was designed to steal money from high-net-worth corporate account holders
- The attack had just started when it was detected. A small number of low value monetary transfers to external accounts in Eastern Europe had already taken place to test the exfiltration method
- The tools and methods used were extremely advanced and therefore characteristic of a nation-state attack. Furthermore, the certificates used to encrypt the C+C traffic were signed in North Korea
- The attack was detected using the Barac behavioural analytics model, which scans the metadata of encrypted traffic in order to spot patterns, anomalies and suspicious behaviour, all without the need for decryption
- Once the threat was identified, the Barac team worked in conjunction with the bank to conduct detailed investigations of the entire attack and to test for additional breaches
- In particular, the Barac Encrypted Traffic Visibility (ETV) platform was deployed to monitor encrypted traffic leaving all of the financial institution’s subsidiaries, and a similar compromise was found in the operations of one subsidiary other than the head office
- A profile of the attack has since been added to the Barac ETV platform in order to protect other customers from similar attacks.
The challenge of identifying encrypted threats
The use of encryption is increasing but, with it, so is the challenge facing businesses, which must scan this traffic in order to identify and block threats.
There are two ways to analyse encrypted traffic for malware: either decrypt the traffic before scanning it, or analyse the metadata of the traffic. The first method – decryption – raises concerns around privacy, certificate management, latency and scalability, as the packet needs to be fully ingested before it can be decrypted. In contrast, scanning the traffic metadata does not require decryption of the payload; instead it uses information derived from the session setup together with historical information, such as traffic patterns, to risk score the session.
Banks have long been a primary target for hackers. Research from Accenture and the Ponemon Institute estimates that cybercrime cost financial institutions an average of $18.28 million in 2017.
Malicious actors are aware of the volume of encrypted traffic that businesses need to deal with and use this to their advantage, using encryption to evade detection of their activities. This malicious behaviour comes in many forms, ranging from hiding the delivery of malware for the initial infection to hiding the exfiltration of data once the attack is successful.
Most malware has some form of call home to the C+C servers, which enable the malicious actors to control what is happening. Again, this call home can be encrypted to avoid detection.
As Gartner commented in its 2017 Hype Cycle for Threat-Facing Technology Report: ‘Evolutions of ransomware that leverage encryption for malware delivery and command-and-control communications will have higher financial costs because of longer time before detection. The value of network security controls will decrease because of encrypted web traffic blindness.’
The Barac ETV platform helps organisations detect attacks and malware in encrypted traffic without decryption. Barac has seen a constant increase in the number of attacks that use encrypted traffic.
The attack in detail
This was a very sophisticated attack. The attack used encryption and adopted common traffic patterns and profiles to mask its action. The victim was a leading financial institution, with several subsidiaries that cover Southern Africa.
All traffic exiting the financial institution is encrypted. The attackers took the same approach, hiding the C+C traffic within encrypted traffic flows so everything appeared normal. The attackers also used a number of fake (spoofed / mangled) websites in Bulgaria for the C+C structure. This meant that the traffic flows appeared to be directed to legitimate sites.
Nevertheless, the Barac ETV platform flagged these sessions as risky. The ETV is able to look at multiple metrics – taking into account how these metrics interact over time – in order to create an accurate risk score for the encrypted traffic flows. Using this approach, it can flag how small, often easy-to-miss, anomalies in encrypted traffic metadata could actually signal a sophisticated threat.
Here are some of the metrics that caused the encrypted traffic leaving the bank’s infrastructure to be scored as high-risk:
- The Domain Name System (DNS) risk score was high because the domain name appeared to have been spoofed
- There was also a mismatch in the domain registration: the domain was registered in Bulgaria, while the certificates were signed in North Korea
- The sessions were open for exactly the same duration and the levels of outgoing / incoming traffic were unusually high; these characteristics can be an indicator of a C+C call home message and the exfiltration of data
- The cipher suites proposed and used in the attack were always the same moderate-strength ciphers, which were uncommon in the normal traffic flows.
The Barac ETV engine used the above metrics, as well as many others, to risk score these sessions. This risk score was then fed to the financial institution’s Security Information and Event Management (SIEM) solution for further investigation.
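The following added example (not the Barac ETV engine, whose scoring model is proprietary and not described in detail on this page) shows how the four metadata signals listed above can be combined into a per-destination risk score and emitted as a record a SIEM could ingest. The session records, the allowlist of known destinations, the cipher-suite baseline frequencies, the weights and the thresholds are all constructed assumptions for illustration; the lookalike test is a simple edit-distance check against the allowlist, which is one reasonable way to implement the "spoofed name" signal, not necessarily the one used in the case.

```python
"""Risk score outbound TLS sessions from their metadata only.

Added example with constructed data: groups sessions by destination and scores
each group on (1) lookalike domain names, (2) registrant vs. certificate-signer
country mismatch, (3) identical session durations, (4) unusually high
outgoing/incoming byte ratio and (5) rarely seen cipher suites.  Weights and
thresholds are illustrative assumptions, not a published model."""
import json
from collections import defaultdict
from statistics import median

# Constructed sample input.  Country codes and the Bulgaria/North Korea
# mismatch mirror the case described in the paper; everything else is invented.
SAMPLE_SESSIONS = [
    # suspicious destination: lookalike of portal.example.com, fixed duration, mostly outbound
    {"sni": "portai.example.com", "registrant_country": "BG", "cert_issuer_country": "KP",
     "duration_s": 60.0, "bytes_out": 900_000, "bytes_in": 12_000, "cipher_suite": 0x002F},
    {"sni": "portai.example.com", "registrant_country": "BG", "cert_issuer_country": "KP",
     "duration_s": 60.0, "bytes_out": 880_000, "bytes_in": 11_500, "cipher_suite": 0x002F},
    {"sni": "portai.example.com", "registrant_country": "BG", "cert_issuer_country": "KP",
     "duration_s": 60.0, "bytes_out": 910_000, "bytes_in": 12_300, "cipher_suite": 0x002F},
    # benign destination: allowlisted, varied durations, mostly inbound, common suite
    {"sni": "cdn.example.com", "registrant_country": "US", "cert_issuer_country": "US",
     "duration_s": 12.3, "bytes_out": 2_000, "bytes_in": 500_000, "cipher_suite": 0xC02F},
    {"sni": "cdn.example.com", "registrant_country": "US", "cert_issuer_country": "US",
     "duration_s": 45.1, "bytes_out": 1_800, "bytes_in": 420_000, "cipher_suite": 0xC02F},
    {"sni": "cdn.example.com", "registrant_country": "US", "cert_issuer_country": "US",
     "duration_s": 3.2, "bytes_out": 2_100, "bytes_in": 610_000, "cipher_suite": 0xC02F},
]
ALLOWLIST = {"portal.example.com", "cdn.example.com", "mail.example.com"}
# Fraction of baseline sessions that negotiated each suite (constructed).
CIPHER_BASELINE = {0xC02F: 0.60, 0xC030: 0.30, 0x009C: 0.08, 0x002F: 0.002}

LOOKALIKE_MAX_DISTANCE = 2   # assumed threshold
RATIO_THRESHOLD = 5.0        # assumed: bytes_out / bytes_in above this is exfil-like
RARE_SUITE_FREQ = 0.01       # assumed: suites below this baseline share are "rare"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_destination(sessions: list[dict], allowlist: set, cipher_baseline: dict) -> dict:
    """Score all sessions to one destination; returns a SIEM-ready dict with reasons."""
    dest = sessions[0]["sni"]
    score, reasons = 0, []
    dist = min(levenshtein(dest, a) for a in allowlist)
    if 0 < dist <= LOOKALIKE_MAX_DISTANCE:              # exact matches (dist 0) are trusted
        score += 30
        reasons.append(f"destination name within edit distance {dist} of an allowlisted domain")
    if any(s["registrant_country"] != s["cert_issuer_country"] for s in sessions):
        score += 20
        reasons.append("domain registrant country differs from certificate signer country")
    durations = [s["duration_s"] for s in sessions]
    if len(durations) >= 3 and max(durations) == min(durations):
        score += 20
        reasons.append(f"all {len(durations)} sessions lasted exactly {durations[0]}s (beaconing pattern)")
    ratios = [s["bytes_out"] / max(s["bytes_in"], 1) for s in sessions]
    if median(ratios) > RATIO_THRESHOLD:
        score += 20
        reasons.append(f"median outgoing/incoming byte ratio {median(ratios):.1f} (exfiltration-like)")
    if any(cipher_baseline.get(s["cipher_suite"], 0.0) < RARE_SUITE_FREQ for s in sessions):
        score += 10
        reasons.append("negotiated cipher suite is rare in the baseline traffic")
    level = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {"destination": dest, "sessions": len(sessions), "risk_score": score,
            "risk_level": level, "reasons": reasons}


def score_sessions(sessions: list[dict], allowlist: set, cipher_baseline: dict) -> list[dict]:
    """Group a flat session list by destination and score each group."""
    groups = defaultdict(list)
    for s in sessions:
        groups[s["sni"]].append(s)
    return [score_destination(g, allowlist, cipher_baseline) for g in groups.values()]


if __name__ == "__main__":
    for result in score_sessions(SAMPLE_SESSIONS, ALLOWLIST, CIPHER_BASELINE):
        print(json.dumps(result))   # one JSON line per destination, ready for a SIEM collector
```

Scoring per destination rather than per session is what lets the "identical duration" and "identical cipher suite" signals fire: each individual session looks unremarkable, and only the repetition across sessions reveals the pattern, which matches the paper's point that small, easy-to-miss anomalies add up to a sophisticated threat.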
After isolating the encrypted traffic in a sandbox and then decrypting it, it became apparent that it carried C+C software. Upon further investigation of the affected endpoints, a number of identical small-value money transfers were discovered, which had been made to test the money exfiltration mechanisms.
The bank has subsidiaries in several countries; each operates its own infrastructure. When the attack was detected in the head office network, Barac was then asked to analyse the traffic traversing the other subsidiaries’ infrastructures, where it identified the same attack profile in the traffic of one such subsidiary. The breach was rectified and the institution is now functioning normally.
Barac continues to monitor the encrypted traffic, looking for further advanced attacks.