IT Security Guru

African Bank Foils Sophisticated Cyberattack; North Korea Implicated.

by The Gurus
August 14, 2019
in Security News

UK cybersecurity specialist Barac today unveiled details of how, in May 2019, it identified a sophisticated cyberattack targeting a major African-headquartered financial institution. At the time the attack was identified, hackers had infiltrated the bank’s infrastructure and had begun to make a small number of low-value transactions to other banks located in Bulgaria. Elements of the attack were encrypted in an attempt to evade detection; the encrypted certificates used were signed in North Korea.

How the compromise was spotted

The compromise was identified when Barac spotted suspicious, reoccurring patterns in the metadata of a small proportion of the encrypted traffic leaving the bank’s head office network.

On inspection, this traffic was all destined for the same Domain Name Server (DNS) in Bulgaria, and always made use of the same cipher suite. Each session was open for exactly the same duration and contained unusually high volumes of data.

In addition, while the DNS was registered in Bulgaria, its certificates were signed in North Korea.

Thwarting the attack during its test phase

Having flagged this encrypted traffic as suspicious, it was isolated in a sandbox and decrypted. It was then identified as command and control (C+C) traffic between malware, which had already compromised the bank’s network, and the Bulgaria-based server.

The bank then undertook a full security audit of its infrastructure. It discovered that malware had infected a number of endpoints at its headquarters, and that a small number of identical, low-value transactions had been made to other banks – again, located in Bulgaria – via the SWIFT Payments infrastructure. It is believed that these small payments were made to test the exfiltration mechanism of the attack, with the hackers fully expecting to attempt the extraction of larger amounts at some future date.

Further investigations also detected similar encrypted C+C traffic hidden inside encrypted traffic flows leaving the bank’s operations in one of its Southern African subsidiaries.

“This was an extremely sophisticated, multi-faceted, and diligently-planned attack on a high-value target, which contained some very clear indications of North Korean involvement,” said Omar Yaacoubi, founder and CEO of Barac. “The hackers were using encryption in a particularly clever way. Knowing that the bank would, quite rightly, decrypt all of the data leaving its organisation, they buried their ‘command and control’ calls home in these traffic flows, in the hope that they would evade detection. Unfortunately for them, it didn’t work, and by identifying this suspicious traffic, the whole plot was blown wide open before any major harm could be done to the bank or its customers.”

More details of this compromise are available on Barac’s blog.

The challenge of scanning encrypted traffic for cyberthreats

Organisations are increasingly turning to encryption to improve their security posture and to comply with industry regulations. However, this does present a new problem: how to scan this traffic to identify and block threats.

The most commonly-used method requires organisations to decrypt all the traffic entering and leaving their networks, before scanning and re-encrypting it. However, this approach raises concerns around compliance, scalability, certificate management and latency. Hackers understand the challenges organisations face with this approach, so are increasingly turning to encrypted traffic flows as a vector of attack.

An alternative method – as adopted by this bank in this instance – is to scan the metadata of the encrypted traffic, using behavioural analytics and artificial intelligence to understand normal traffic patterns, and to alert on any anomalies. By looking at hundreds of different metrics in combination, Barac is able to risk score each encrypted traffic session, all in real-time without the need for decryption. This incident was considered ‘high-risk.’
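The features the article lists for the flagged traffic (repeated sessions to the same destination, a single cipher suite, identical session durations, unusually high data volumes, and a certificate signed in a different country from the one the server was registered in) can all be read from TLS session metadata without decrypting anything. The following Python script is an added illustration of that approach and is not Barac’s code or a description of its product: it scores a small set of constructed, Zeek-style per-session records on those five features and labels each destination high or low risk. The field names, thresholds and the five-feature scoring are this example’s own assumptions; the article says the real system combines hundreds of metrics.

```python
"""Risk-scoring encrypted sessions from metadata alone (added example).

Not Barac's code. Input records are constructed per-session TLS metadata
of the kind a passive sensor emits without decrypting payloads; field names,
thresholds and weights are this example's own assumptions.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample (not data from the incident). Two destinations:
# a beaconing cluster and ordinary browsing to a content delivery network.
SESSIONS = [
    # Beaconing cluster: same destination, one cipher suite, sessions open
    # for the same length of time, large uploads, certificate country (KP)
    # differing from the country the host is registered in (BG).
    {"dst": "203.0.113.10", "host_cc": "BG", "cert_cc": "KP",
     "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA", "duration": 30.0, "orig_bytes": 4_800_000},
    {"dst": "203.0.113.10", "host_cc": "BG", "cert_cc": "KP",
     "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA", "duration": 30.0, "orig_bytes": 4_750_000},
    {"dst": "203.0.113.10", "host_cc": "BG", "cert_cc": "KP",
     "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA", "duration": 30.0, "orig_bytes": 4_900_000},
    {"dst": "203.0.113.10", "host_cc": "BG", "cert_cc": "KP",
     "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA", "duration": 30.1, "orig_bytes": 4_820_000},
    # Ordinary browsing: mixed cipher suites, varied durations, small uploads.
    {"dst": "198.51.100.7", "host_cc": "US", "cert_cc": "US",
     "cipher": "TLS_AES_256_GCM_SHA384", "duration": 2.1, "orig_bytes": 3_200},
    {"dst": "198.51.100.7", "host_cc": "US", "cert_cc": "US",
     "cipher": "TLS_CHACHA20_POLY1305_SHA256", "duration": 14.8, "orig_bytes": 12_900},
    {"dst": "198.51.100.7", "host_cc": "US", "cert_cc": "US",
     "cipher": "TLS_AES_128_GCM_SHA256", "duration": 0.6, "orig_bytes": 1_100},
    {"dst": "198.51.100.7", "host_cc": "US", "cert_cc": "US",
     "cipher": "TLS_AES_256_GCM_SHA384", "duration": 41.3, "orig_bytes": 45_000},
]

MIN_SESSIONS = 3        # a pattern needs recurrence; one session proves nothing
DURATION_CV_MAX = 0.05  # coefficient of variation below this = "same duration every time"
VOLUME_MULTIPLIER = 10  # mean upload this many times the rest of the fleet's median
HIGH_RISK = 6           # assumed threshold for the "high-risk" label


def score_destinations(sessions):
    """Group sessions by destination and score each group on five metadata
    features. Returns {dst: (score, [reasons])}. No payload is inspected."""
    by_dst = defaultdict(list)
    for s in sessions:
        by_dst[s["dst"]].append(s)

    results = {}
    for dst, group in by_dst.items():
        if len(group) < MIN_SESSIONS:
            results[dst] = (0, ["too few sessions to judge"])
            continue
        score, reasons = 1, [f"{len(group)} recurring sessions"]

        # Single cipher suite: real client populations negotiate several over time.
        if len({s["cipher"] for s in group}) == 1:
            score += 2
            reasons.append("single cipher suite")

        # Sessions open for (almost) exactly the same duration: a timer, not a human.
        durations = [s["duration"] for s in group]
        cv = pstdev(durations) / mean(durations)
        if cv < DURATION_CV_MAX:
            score += 3
            reasons.append(f"uniform duration (cv={cv:.3f})")

        # Outbound volume far above what everything *else* on the network sends,
        # so a large cluster cannot hide by dragging the baseline up with it.
        others = [s["orig_bytes"] for s in sessions if s["dst"] != dst]
        if others and mean(s["orig_bytes"] for s in group) > VOLUME_MULTIPLIER * median(others):
            score += 2
            reasons.append("high outbound volume")

        # Certificate issued in a different country from the one the host is registered in.
        if any(s["cert_cc"] != s["host_cc"] for s in group):
            score += 2
            reasons.append("certificate country differs from hosting country")

        results[dst] = (score, reasons)
    return results


def risk_level(score):
    """Map a numeric score to the label an analyst would act on."""
    return "high" if score >= HIGH_RISK else "low"


if __name__ == "__main__":
    for dst, (score, reasons) in score_destinations(SESSIONS).items():
        print(f"{dst}: {risk_level(score)} ({score}) - {', '.join(reasons)}")
```

Each feature on its own is weak evidence (a backup agent also uploads a lot; a health check also runs on a timer), which is why the score combines them and why the volume baseline is taken from sessions to other destinations rather than the whole set. In practice the records would come from the sensor’s TLS and connection logs and the country fields from a certificate parser and an IP geolocation lookup, both of which are assumed here.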

“For many organisations, it simply isn’t feasible to decrypt all of the encrypted traffic traversing their networks in order to check for threats; it has too big a hit on network performance and could put them in breach of compliance regulations,” continued Yaacoubi. “However, by using behavioural analytics to assess traffic metadata, it’s possible to scan all encrypted traffic for malware without embarking on the cumbersome process of decryption. This means every data packet can be scrutinised for malware before it enters or leaves the network. It was this very granular approach that caught out the hackers on this occasion.”

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic