Billion Dollar Hacking

A talk at hillhacks 2016 on the recent Bangladesh Bank heist.

Nemo

May 29, 2016

Transcript

  1. @captn3m0 hillhacks 2016 Billion Dollar Hacking

  2. Who? Nemo (@captn3m0) I do payment security at @Razorpay

  3. What? $101 M stolen, $850 M recovered. Almost a billion dollars :)
  5. How? Fraudulent SWIFT transactions

  6. Who? From Bangladesh Bank, to Federal Reserve Bank of NY, Sri Lanka, Philippines Bank (RCBC)
  7. How Again?

  8. How (2)

  9. The patch. The malware enumerates all processes, and if a process has the module liboradb.dll loaded in it, it will patch 2 bytes in its memory at a specific offset. The patch will replace 2 bytes 0x75 and 0x04 with the bytes 0x90 and 0x90.
  10. liboradb.dll, SWIFT's Alliance software suite (powered by Oracle Database): • Reading the Alliance database path from the registry; • Starting the database; • Performing database backup & restore functions.
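The two bytes on slide 9 are an x86 `jnz short +4` (0x75 = JNE rel8, 0x04 = skip four bytes); replacing them with two NOPs makes the validation routine fall through as if its check had passed. The check below is an added example, not code from the talk, from BAE Systems or from the malware: it walks a process table the same way the malware does, but to classify the bytes at the patch site and, more generally, to diff a live module image against a known-good copy for any short conditional jump that has been NOP'd out. The offset, the module images and the process table are constructed stand-ins (the real offset inside liboradb.dll is not given on the page); both are labelled as such in the code.

```python
"""Added example: integrity check for the two-byte liboradb.dll patch.
Not code from the talk, BAE Systems or the malware.
PATCH_OFFSET, the module images and PROCESSES are constructed stand-ins."""

# 0x75 0x04 is x86 `jnz short +4`: on a failed check the branch is taken and
# the failure path runs. Two `nop`s make execution fall through as if the
# check had passed, which is all the malware needs.
ORIGINAL = bytes([0x75, 0x04])
PATCHED = bytes([0x90, 0x90])
PATCH_OFFSET = 0x10  # hypothetical offset, for illustration only

# Constructed stand-in for liboradb.dll code: 16 bytes of prologue/compare,
# the branch at PATCH_OFFSET, then a few filler bytes. Not real DLL bytes.
_PREFIX = bytes.fromhex("558bec83ec1033c08945fc8b45083bc8")
_SUFFIX = bytes.fromhex("33c0c9c3")
GOOD_IMAGE = _PREFIX + ORIGINAL + _SUFFIX
BAD_IMAGE = _PREFIX + PATCHED + _SUFFIX

# Constructed process table: (pid, name, loaded modules, liboradb.dll image if
# loaded). Same selection criterion as the malware, used here for defence.
PROCESSES = [
    (1001, "explorer.exe", ["kernel32.dll"], None),
    (2002, "saa_alliance.exe", ["kernel32.dll", "liboradb.dll"], GOOD_IMAGE),
    (3003, "saa_alliance.exe", ["kernel32.dll", "liboradb.dll"], BAD_IMAGE),
]


def classify(image: bytes, offset: int = PATCH_OFFSET) -> str:
    """Verdict for the two bytes at `offset`: 'intact', 'patched' or 'unexpected'."""
    window = image[offset:offset + 2]
    if window == ORIGINAL:
        return "intact"
    if window == PATCHED:
        return "patched"
    return "unexpected"  # wrong offset, wrong build, or a different patch


def find_nopped_branches(live: bytes, baseline: bytes) -> list:
    """Generalisation of the single-offset check: diff a live image against a
    known-good copy and report every short conditional jump (opcodes 0x70-0x7F
    with one rel8 operand) that has been turned into two NOPs. The same
    two-byte trick works on any `jcc short` in any validation routine."""
    hits = []
    for i in range(min(len(live), len(baseline)) - 1):
        orig, now = baseline[i:i + 2], live[i:i + 2]
        if 0x70 <= orig[0] <= 0x7F and now == PATCHED:
            hits.append((i, orig.hex(), now.hex()))
    return hits


def scan_processes(processes=PROCESSES) -> list:
    """Look only at processes with liboradb.dll loaded and classify each one."""
    report = []
    for pid, name, modules, image in processes:
        if "liboradb.dll" in modules and image is not None:
            report.append((pid, name, classify(image)))
    return report


if __name__ == "__main__":
    for pid, name, verdict in scan_processes():
        print(f"{pid:6} {name:20} liboradb.dll: {verdict}")
    print("nopped branches:", find_nopped_branches(BAD_IMAGE, GOOD_IMAGE))
```

On a real host the image bytes would come from reading the module's mapped text section in each process and the baseline from a clean copy of the same DLL build; the offset check is cheap but build-specific, the baseline diff is build-independent.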
  11. SQL Hacking. 1. Find relevant SWIFT transfers 2. Manipulate them

      SELECT MESG_S_UMID FROM SAAOWNER.MESG_%s WHERE MESG_SENDER_SWIFT_ADDRESS LIKE '%%%s%%' AND MESG_TRN_REF LIKE '%%%s%%';

      The MESG_S_UMID is then passed to DELETE statements, deleting the transaction from the local database.

      DELETE FROM SAAOWNER.MESG_%s WHERE MESG_S_UMID = '%s';
      DELETE FROM SAAOWNER.TEXT_%s WHERE TEXT_S_UMID = '%s';
  12. sudo make me a millionaire

      UPDATE SAAOWNER.MESG_%s SET MESG_FIN_CCY_AMOUNT = '%s' WHERE MESG_S_UMID = '%s';
      UPDATE SAAOWNER.TEXT_%s SET TEXT_DATA_BLOCK = UTL_RAW.CAST_TO_VARCHAR2('%s') WHERE TEXT_S_UMID = '%s';
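The `%s` in the statements on slides 11 and 12 are C printf placeholders from the malware binary, not SQL: one fills the table suffix, the others the sender fragment, TRN fragment, UMID, amount and hex-encoded text block. The script below is an added example, not code from the talk, from SWIFT or from the malware analysis. It builds a small constructed stand-in for the two tables in SQLite (an attached in-memory database supplies the SAAOWNER schema name), replays the DELETE and UPDATE pattern from both slides against it, and then runs the kind of reconciliation that "spotting inconsistencies in the local database records" needs: a hash ledger taken before tampering, plus a cross-check of the amount column against the :32A field of each message's own text block. The column set, the 'S' suffix, the sample messages and the :32A layout are simplified assumptions, not the real Alliance schema; UTL_RAW.CAST_TO_VARCHAR2(hex) is emulated with bytes.fromhex().decode(), and values are bound with `?` where the malware formatted them in.

```python
"""Added example, not from the talk, SWIFT or the malware analysis.
Constructed stand-in schema for SAAOWNER.MESG_<suffix> / TEXT_<suffix>;
columns, suffix, sample rows and :32A layout are assumptions."""
import hashlib
import re
import sqlite3

SUFFIX = "S"  # stand-in for whatever the malware put in MESG_%s / TEXT_%s
MESG, TEXT = f"SAAOWNER.MESG_{SUFFIX}", f"SAAOWNER.TEXT_{SUFFIX}"
JOIN = (f"SELECT M.MESG_S_UMID, M.MESG_FIN_CCY_AMOUNT, T.TEXT_DATA_BLOCK "
        f"FROM {MESG} M JOIN {TEXT} T ON M.MESG_S_UMID = T.TEXT_S_UMID")
AMOUNT_32A = re.compile(r":32A:\d{6}[A-Z]{3}([\d,]+)")  # date, currency, amount

# Constructed sample transfers, not real SWIFT traffic:
# (umid, sender BIC, TRN, amount column, MT text block)
SAMPLE_ROWS = [
    ("UMID0001", "BBHOBDDHAXXX", "TRN0001", "20000000", ":20:TRN0001\n:32A:160204USD20000000,\n"),
    ("UMID0002", "BBHOBDDHAXXX", "TRN0002", "81000000", ":20:TRN0002\n:32A:160204USD81000000,\n"),
    ("UMID0003", "BBHOBDDHAXXX", "TRN0003", "150000", ":20:TRN0003\n:32A:160204USD150000,\n"),
]


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    # Oracle keeps these tables in the SAAOWNER schema; an attached in-memory
    # database gives SQLite the same two-part names.
    con.execute("ATTACH DATABASE ':memory:' AS SAAOWNER")
    con.executescript(f"""
        CREATE TABLE {MESG} (MESG_S_UMID TEXT PRIMARY KEY, MESG_SENDER_SWIFT_ADDRESS TEXT,
                             MESG_TRN_REF TEXT, MESG_FIN_CCY_AMOUNT TEXT);
        CREATE TABLE {TEXT} (TEXT_S_UMID TEXT PRIMARY KEY, TEXT_DATA_BLOCK TEXT);""")
    for umid, sender, trn, amount, block in SAMPLE_ROWS:
        con.execute(f"INSERT INTO {MESG} VALUES (?,?,?,?)", (umid, sender, trn, amount))
        con.execute(f"INSERT INTO {TEXT} VALUES (?,?)", (umid, block))
    con.commit()
    return con


def hide_transfer(con, sender_fragment: str, trn_fragment: str) -> list:
    """Slide 11: look the transfer up by sender and TRN, delete it from both tables."""
    umids = [r[0] for r in con.execute(
        f"SELECT MESG_S_UMID FROM {MESG} WHERE MESG_SENDER_SWIFT_ADDRESS LIKE ? AND MESG_TRN_REF LIKE ?",
        (f"%{sender_fragment}%", f"%{trn_fragment}%"))]
    for umid in umids:
        con.execute(f"DELETE FROM {MESG} WHERE MESG_S_UMID = ?", (umid,))
        con.execute(f"DELETE FROM {TEXT} WHERE TEXT_S_UMID = ?", (umid,))
    return umids


def rewrite_amount(con, umid: str, new_amount: str, new_block_hex: str) -> None:
    """Slide 12: change the amount column and the raw text block of one message."""
    con.execute(f"UPDATE {MESG} SET MESG_FIN_CCY_AMOUNT = ? WHERE MESG_S_UMID = ?", (new_amount, umid))
    new_block = bytes.fromhex(new_block_hex).decode()  # emulates UTL_RAW.CAST_TO_VARCHAR2
    con.execute(f"UPDATE {TEXT} SET TEXT_DATA_BLOCK = ? WHERE TEXT_S_UMID = ?", (new_block, umid))


def snapshot(con) -> dict:
    """Ledger: umid -> sha256(amount || text block). Useful only if taken before
    tampering and kept where a compromised Alliance host cannot write."""
    return {umid: hashlib.sha256(f"{amount}|{block}".encode()).hexdigest()
            for umid, amount, block in con.execute(JOIN)}


def reconcile(con, ledger: dict) -> dict:
    """Messages missing since the ledger, messages whose hash changed, and
    messages whose amount column disagrees with their own :32A field."""
    live = snapshot(con)
    findings = {
        "deleted": sorted(set(ledger) - set(live)),
        "tampered": sorted(u for u in ledger if u in live and live[u] != ledger[u]),
        "amount_mismatch": [],
    }
    for umid, amount, block in con.execute(JOIN):
        m = AMOUNT_32A.search(block)
        if m is None or m.group(1).rstrip(",") != amount:
            findings["amount_mismatch"].append(umid)
    return findings


def run_scenario() -> dict:
    con = open_db()
    ledger = snapshot(con)                      # baseline before tampering
    hide_transfer(con, "BBHOBDDH", "TRN0002")   # make the 81M transfer vanish
    # Shrink transfer 1 consistently in both tables: only the ledger sees it.
    rewrite_amount(con, "UMID0001", "2000000", ":20:TRN0001\n:32A:160204USD2000000,\n".encode().hex())
    # Touch only the amount column of transfer 3: the :32A cross-check sees it.
    con.execute(f"UPDATE {MESG} SET MESG_FIN_CCY_AMOUNT = ? WHERE MESG_S_UMID = ?", ("1500", "UMID0003"))
    return reconcile(con, ledger)


if __name__ == "__main__":
    for check, umids in run_scenario().items():
        print(f"{check:16} {umids}")
```

The point of the two tampering cases in run_scenario is that the in-database cross-check alone is not enough: when the attacker edits the amount column and the text block together, as the malware did, the local records stay self-consistent, and only a baseline kept outside the attacker's reach (or the counterparty's confirmation) exposes the change.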
  13. Printer Hacking. The malware intercepts the confirmation SWIFT messages and then sends for printing the 'doctored' (manipulated) copies of such messages in order to cover up the fraudulent transactions. To achieve that, the SWIFT messages the malware locates are read, parsed, and converted into PRT files that describe the text in Printer Command Language (PCL).
  14. What next?
      1. $850 Million was recovered because Fed Bank noticed the fraudulent transactions
      2. SWIFT is calling for an update to the Bank network security: "We have made a mandatory software update available to customers to help them enhance their security and to spot inconsistencies in their local database records."
      3. Other Banks have been targeted by the same vulnerability as well
      4. The Treasurer of RCBC has resigned, and the manager of one of its branches is facing criminal charges after she withdrew $427,000 from an account linked to the theft.
      5. Bangladesh Bank chief governor Atiur Rahman resigned from his post
  15. References
      1. http://baesystemsai.blogspot.in/2016/04/two-bytes-to-951m.html
      2. http://arstechnica.com/security/2016/04/billion-dollar-bangladesh-hack-swift-software-hacked-no-firewalls-10-switches/
      3. https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist
      4. http://www.nytimes.com/2016/05/27/business/dealbook/north-korea-linked-to-digital-thefts-from-global-banks.html?_r=0
      5. http://www.smh.com.au/business/banking-and-finance/printer-error-foiled-billiondollar-bank-heist-20160317-gnljm4.html
      6. http://www.reuters.com/article/us-usa-nyfed-bangladesh-malware-exclusiv-idUSKCN0XM0DR