Brazilian bank customers targeted after hackers compromise all of the bank's domains

Let's Encrypt accused of issuing the digital certificates that helped the hackers

Hackers compromised a 500-branch Brazilian bank so thoroughly that they controlled its email infrastructure, were able to use a modified penetration testing tool to remove security products from the network, and could serve up malware to customers visiting any one of the bank's 36 domains.

Furthermore, customers remained unsuspecting thanks to free digital certificates obtained from Let's Encrypt, which lent the compromised websites a veneer of legitimacy after the attackers took control: browsers showed valid HTTPS for the hijacked domains. The attackers remained in the bank's network for as long as three months.

Perhaps most disturbing of all, according to security researchers at Kaspersky, the bank is just one of ten around the world that have been almost totally compromised in comprehensive cyber attacks of this kind.

The attack was detailed by Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev at this week's Kaspersky Security Analyst Summit.

Security researchers were called in after customers complained that the bank's website was delivering malware - a Java file tucked inside a compressed archive, which tried to redirect visitors to a website from which the malware was dropped.

"All domains, including corporate domains, were in control of the bad guy," said Assolini. That meant online, mobile, point-of-sale, financing and acquisitions - the whole lot.

The malware had eight modules, including configuration files with bank URLs, update modules, credential-stealing modules for Microsoft Exchange, Thunderbird, and the local address book, and internet banking control and decryption modules. According to the Kaspersky researchers, all of the modules were talking to a command and control server in Canada.

At the same time, the attackers used a modified version of Avenger, a legitimate penetration testing tool used to remove rootkits, to uninstall security software from targeted devices on the bank's network.

"The bad guys wanted to use that opportunity to hijack operations of the original bank but also drop malware with the capacity to steal money from banks of other countries," said Bestuzhev. The researchers also reported finding phishing pages loaded onto bank domains trying to induce victims to enter payment card information.

The Kaspersky researchers believe that the attack was long planned - the Let's Encrypt certificates had been issued at least five months in advance. Spear-phishing emails were also found targeting local companies.

The researchers believe that the attackers used a spear-phishing exercise against the bank to gain an entry point prior to the full-scale attack. It appears that the attackers were only briefly able to redirect traffic to their own servers, although Kaspersky suggests that they were not far from completing a full compromise of the bank.

"Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad," said Bestuzhev. "If DNS was under control of the criminals, you're screwed."

Organisations should therefore maintain extra security - and vigilance - around their DNS infrastructure, and adopt the two-factor authentication offered by most DNS registrars. The registrar account matters because control of a domain's DNS is also what a domain-validated certificate authority checks before issuing: an attacker who can change the zone can redirect customers and obtain a browser-trusted certificate for the redirected hostnames, which is how the padlock survives the hijack.
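One way to act on that advice is to watch for the three symptoms a registrar or DNS takeover produces: a changed NS delegation at the TLD, hostnames resolving outside the organisation's own address space, and certificates for those hostnames appearing in Certificate Transparency logs from a CA it never contracted with. The monitor below is an added example written for this page; it is not code from the article, from Kaspersky, or from the bank. The `Baseline`, `Snapshot` and `find_drift` names, and every hostname, CIDR block, CA name and observation in it, are constructed for illustration; a real deployment would fill the snapshot from direct queries to the TLD and to public resolvers plus a CT log feed.

```python
"""Added illustration for the DNS-security advice above; not code from the
article, Kaspersky or the bank. Every hostname, CIDR block, CA name and
observation below is constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What the organisation *expects* to see for one of its domains."""
    domain: str
    nameservers: frozenset[str]      # NS the registrar should delegate to
    address_ranges: tuple[str, ...]  # CIDRs its web front ends live in
    allowed_issuers: frozenset[str]  # CAs it has actually contracted with


@dataclass
class Snapshot:
    """One observation: delegation as seen at the TLD, answers from public
    resolvers, and recent Certificate Transparency entries."""
    nameservers: set[str]
    addresses: dict[str, list[str]]       # hostname -> A records seen
    certificates: list[tuple[str, str]]   # (hostname, issuer) from CT logs


def find_drift(base: Baseline, snap: Snapshot) -> list[str]:
    """Return human-readable findings; an empty list means no drift."""
    findings: list[str] = []

    # 1. Delegation. A registrar-account takeover usually shows up first as
    #    the NS set at the TLD changing to servers the attacker controls.
    added = snap.nameservers - base.nameservers
    removed = base.nameservers - snap.nameservers
    if added or removed:
        findings.append(
            f"{base.domain}: NS delegation changed "
            f"(added={sorted(added)}, removed={sorted(removed)})")

    # 2. Answers. Even without an NS change, a compromised zone can point
    #    hostnames at infrastructure outside the organisation's own ranges.
    nets = [ipaddress.ip_network(cidr) for cidr in base.address_ranges]
    for host, ips in snap.addresses.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in nets):
                findings.append(
                    f"{host}: resolves to {ip}, outside expected ranges")

    # 3. Certificates. Domain-validated issuance (Let's Encrypt included)
    #    proves control of DNS or HTTP, which is exactly what a DNS hijacker
    #    has, so any issuer the organisation did not contract with is a flag.
    for host, issuer in snap.certificates:
        if issuer not in base.allowed_issuers:
            findings.append(
                f"{host}: certificate issued by unexpected CA '{issuer}'")
    return findings


# Constructed baseline and two constructed observations (hypothetical data).
BANK = Baseline(
    domain="bank.example",
    nameservers=frozenset({"ns1.bank.example", "ns2.bank.example"}),
    address_ranges=("203.0.113.0/24",),
    allowed_issuers=frozenset({"Example Commercial CA"}),
)

NORMAL = Snapshot(
    nameservers={"ns1.bank.example", "ns2.bank.example"},
    addresses={"www.bank.example": ["203.0.113.10"],
               "mobile.bank.example": ["203.0.113.11"]},
    certificates=[("www.bank.example", "Example Commercial CA")],
)

HIJACKED = Snapshot(
    nameservers={"ns1.bank.example", "ns1.attacker.example"},
    addresses={"www.bank.example": ["198.51.100.7"],
               "mobile.bank.example": ["203.0.113.11"]},
    certificates=[("www.bank.example", "Free DV CA")],
)

if __name__ == "__main__":
    for label, snap in (("normal", NORMAL), ("hijacked", HIJACKED)):
        print(label, find_drift(BANK, snap) or ["no drift"])
```

The delegation check should be fed by querying the TLD's servers directly rather than the domain's own nameservers, since once the zone is hijacked its nameservers will happily return whatever the attacker wants. The certificate check is the one that catches the scenario in this article, where the padlock stayed green because the certificates were genuinely valid; only issuance the organisation did not request gives it away.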

"Cybercriminals can now steal money by taking advantage of the one security measure every Internet user has been trained to trust: the green padlock in web browsers," said Kevin Bocek, chief cyber-security strategist at key management security company Venafi.

He continued: "These padlocks are supposed to signify a trusted digital certificate is in use, but now bad actors can obtain them for free. This attack is part of a much larger problem that jeopardises the system of trust behind all digital commerce. Security professionals don't understand the scale and scope of this problem and they don't have the tools they need to control it."

Kaspersky's warning comes just over a year after Bangladesh's central bank was targeted in a bank-transfer scam that could have netted the perpetrators almost $1bn. The finger of blame in that attack is expected to be pointed at North Korea.

The global banking payments network SWIFT later revealed that several other banks had been targeted in the same way, and warned banks to tighten up their security - or risk losing access to SWIFT.
