UK cybersecurity specialist Barac today unveiled details of how, in May 2019, it identified a sophisticated cyberattack targeting a major African-headquartered financial institution. At the time the attack was identified, hackers had infiltrated the bank’s infrastructure and had begun to make a small number of low-value transactions to other banks located in Bulgaria. Elements of the attack were encrypted in an attempt to evade detection; the certificates used for that encryption were signed in North Korea.
How the compromise was spotted
The compromise was identified when Barac spotted suspicious, reoccurring patterns in the metadata of a small proportion of the encrypted traffic leaving the bank’s head office network.
On inspection, this traffic was all destined for the same Domain Name Server (DNS) in Bulgaria, and always made use of the same cipher suite. Each session was open for exactly the same duration and contained unusually high volumes of data.
In addition, while the DNS was registered in Bulgaria, its certificates were signed in North Korea.
Thwarting the attack during its test phase
Having flagged this encrypted traffic as suspicious, Barac isolated it in a sandbox and decrypted it. It was then identified as command and control (C+C) traffic between malware, which had already compromised the bank’s network, and the Bulgaria-based server.
The bank then undertook a full security audit of its infrastructure. It discovered that malware had infected a number of endpoints at its headquarters, and that a small number of identical, low-value transactions had been made to other banks – again, located in Bulgaria – via the SWIFT payments infrastructure. It is believed that these small payments were made to test the exfiltration mechanism of the attack, with the hackers expected to attempt the extraction of larger amounts at some future date.
Further investigations also detected similar encrypted C+C traffic hidden inside encrypted traffic flows leaving the bank’s operations in one of its Southern African subsidiaries.
“This was an extremely sophisticated, multi-faceted, and diligently-planned attack on a high-value target, which contained some very clear indications of North Korean involvement,” said Omar Yaacoubi, founder and CEO of Barac. “The hackers were using encryption in a particularly clever way. Knowing that the bank would, quite rightly, decrypt all of the data leaving its organisation, they buried their ‘command and control’ calls home in these traffic flows, in the hope that they would evade detection. Unfortunately for them, it didn’t work, and by identifying this suspicious traffic, the whole plot was blown wide open before any major harm could be done to the bank or its customers.”
More details of this compromise are available on Barac’s blog.
The challenge of scanning encrypted traffic for cyberthreats
Organisations are increasingly turning to encryption to improve their security posture and to comply with industry regulations. However, this does present a new problem: how to scan this traffic to identify and block threats.
The most commonly-used method requires organisations to decrypt all the traffic entering and leaving their networks, before scanning and re-encrypting it. However, this approach raises concerns around compliance, scalability, certificate management and latency. Hackers understand the challenges organisations face with this approach, so are increasingly turning to encrypted traffic flows as a vector of attack.
An alternative method – as adopted by this bank in this instance – is to scan the metadata of the encrypted traffic, using behavioural analytics and artificial intelligence to understand normal traffic patterns, and to alert on any anomalies. By looking at hundreds of different metrics in combination, Barac is able to risk score each encrypted traffic session, all in real-time without the need for decryption. This incident was considered ‘high-risk.’
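As an added illustration of the metadata-only approach described here and in the “How the compromise was spotted” section (example code written for this page, not Barac’s product or method): outbound encrypted sessions are grouped by destination and cipher suite, and each group is scored on the indicators the text names, namely recurring connections, identical session duration and unusually high outbound volume. The session records, field names and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of encrypted-session metadata (no payload content): one
# record per TLS session leaving the network. Field layout is an assumption.
SESSIONS = [
    # (src, dst, cipher_suite, duration_s, bytes_out)
    ("10.0.1.10", "203.0.113.7",  "TLS_RSA_WITH_AES_128_CBC_SHA", 300, 2_400_000),
    ("10.0.1.10", "203.0.113.7",  "TLS_RSA_WITH_AES_128_CBC_SHA", 300, 2_410_000),
    ("10.0.1.22", "203.0.113.7",  "TLS_RSA_WITH_AES_128_CBC_SHA", 300, 2_395_000),
    ("10.0.1.10", "198.51.100.5", "TLS_AES_128_GCM_SHA256",       12,    18_000),
    ("10.0.1.11", "198.51.100.5", "TLS_AES_128_GCM_SHA256",       41,    52_000),
    ("10.0.1.12", "198.51.100.9", "TLS_AES_128_GCM_SHA256",        3,     6_000),
]


def risk_score(sessions, min_sessions=3, bytes_threshold=1_000_000):
    """Group sessions by (destination, cipher suite) and score each group on
    three metadata indicators: the pattern recurs, every session is open for
    exactly the same duration, and the mean outbound volume is unusually high.
    Returns {(dst, cipher_suite): (score, [reasons])}. Thresholds are constructed."""
    groups = defaultdict(list)
    for _src, dst, suite, duration, bytes_out in sessions:
        groups[(dst, suite)].append((duration, bytes_out))

    scored = {}
    for key, rows in groups.items():
        durations = [d for d, _ in rows]
        volumes = [b for _, b in rows]
        reasons = []
        if len(rows) >= min_sessions:
            reasons.append("recurring")
        # Zero spread in duration means every session lasted exactly as long.
        if len(rows) > 1 and pstdev(durations) == 0:
            reasons.append("fixed_duration")
        if mean(volumes) >= bytes_threshold:
            reasons.append("high_volume")
        scored[key] = (len(reasons), reasons)
    return scored


def high_risk(sessions, min_score=3):
    """Return the (dst, cipher_suite) groups that hit every indicator."""
    return sorted(k for k, (score, _) in risk_score(sessions).items()
                  if score >= min_score)
```

In a real deployment the baseline for "unusually high" would come from the organisation's own traffic history rather than a fixed constant, and the flagged group would be handed to analysts for the sandbox step the article describes.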
“For many organisations, it simply isn’t feasible to decrypt all of the encrypted traffic traversing their networks in order to check for threats; it has too big a hit on network performance and could put them in breach of compliance regulations,” continued Yaacoubi. “However, by using behavioural analytics to assess traffic metadata, it’s possible to scan all encrypted traffic for malware without embarking on the cumbersome process of decryption. This means every data packet can be scrutinised for malware before it enters or leaves the network. It was this very granular approach that caught out the hackers on this occasion.”