Pen testers find weaknesses in banks’ cyber security

Banks have formidable barriers to external cyber attacks, but some are still vulnerable to internal attacks using social engineering, vulnerabilities in web applications and the help of insiders, a report reveals.

As soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries, according to a report on cyber attacks on banks by Positive Technologies.

The weakest link in bank security is the human factor, the report said, with attackers able to bypass the best-protected network perimeter easily with the help of phishing.

Phishing messages can be sent to bank employees both at their work and personal email addresses, and this method for bypassing the network perimeter has been used by almost every criminal group, including Cobalt, Lazarus, Carbanak, Metel, and GCMAN, the report said.

In tests by Positive Technologies, employees at 75% of banks reviewed had clicked on links in phishing messages, and those at 25% of banks entered their credentials in a fake authentication form. At 25% of banks, at least one employee ran a malicious attachment on their work computer.

With access to the internal network of client banks, Positive Technologies penetration testers succeeded in obtaining access to financial applications in 58% of cases.

At 25% of banks, they were able to compromise the workstations used for the management of automatic teller machines (ATMs), which means the banks tested were vulnerable to techniques similar to ones used by Cobalt and other cyber criminal gangs in actual attacks.

Moving money to criminal-controlled accounts through interbank transfers, a favourite method of the Lazarus and MoneyTaker groups, was possible at 17% of tested banks, while at the same proportion of banks, card processing systems were poorly defended, which would enable attackers to manipulate the balance of card accounts. Such attacks were recorded in early 2017 against banks in Eastern Europe.

The Carbanak group, notorious for its ability to attack nearly any bank application, would have been able to steal funds from more than half of the tested banks, the report said. It added that on average, an attacker able to reach a bank’s internal network would need only four steps to obtain access to key banking systems.

Although the report notes that banks tend to do a better job than other companies of protecting their network perimeter, it is still a concern that penetration testers could access the internal network at 22% of banks, compared with 58% of all companies tested.

In all test cases, social engineering was not used and access was enabled by vulnerabilities in web applications, with such methods used in the wild by such Groups as ATMitch and Lazarus, the report said.

Penetration testers concluded that banks are at risk due to remote access, describing it as “a dangerous feature” that often leaves the door open to access by external users.

The most common types are the SSH (secure shell) and Telnet protocols, which are present on the network perimeter of over half of banks, as well as protocols for file server access, found at 42% of banks.

Another key finding of the report is that attackers often gain access to banks’ internal networks by compromising business partners and contractors, who may poorly secure their networks, and place malware on sites known to be visited by bank employees, as seen with Lazarus and Lurk.