Professional Information Security Association
PISA Journal, Issue 28, SEP-2018
www.pisa.org.hk
An Organization for Information Security Professionals
A Publication of Professional Information Security Association
Editor: editor@pisa.org.hk
Copyright © 2018 Professional Information Security Association
Page 2 of 24

Special Topics
05 Crunching the numbers in Central Bank Hack Impact Analysis
12 Cybersecurity Alert: Ransomware leverage RDP in attacks

Intranet
04 Message from the Chair
20 The Editorial Board
21 Event Snapshot
30 Joining PISA
Message from the Chairman

Money, Money, Money….. It is a Hacker's World?

In economic text books, money has three functions: a medium of exchange, a unit of account, and a store of value. In the last decade, when we talked about money, we meant the physical money notes in our pocket or the numbers printed on our bank account statement. While we would personally secure the physical money in our wallets against theft, we trusted our banks, with their safes, security guards and other physical countermeasures, to protect the wealth we entrusted to them.

The world has changed. Nowadays, most of our money is not in our pocket; it is in our stored value card, mobile phone or electronic wallet, and we rely on the financial institutions to safeguard it for us. However, banks themselves are also in trouble. Not only are commercial banks facing threats from hacker attacks; even a central bank, the strongest financial authority in a country, cannot get rid of such cyber security risks, as Patrick Liu's article in this issue shows. Many Small and Medium Enterprises (SMEs) are exposed to the challenge of ransomware attacks, and so are individuals.

As stated in our PISA vision statement, being professional information security practitioners, we should utilise our expertise and knowledge to help bring prosperity to the society in the Information Age. While we need to deliver our expertise in the workplace to our employers to earn our living, I urge you, as our PISA/(ISC)2 HK chapter members, to contribute your time and professional knowledge to share with fellow members and the community. Together let us make a safer world for transactions and keep people away from the threat of hackers!

Ando Ho
Chairman
Crunching the numbers in Central Bank Hack Impact Analysis

Patrick Liu, CISSP, ISSAP, CISA, CRISC, CGEIT, CIA, ABCP
Patrick is currently the Deputy CISO of DBS Bank (Hong Kong) Ltd. with over 20 years of IT and security experience. He was awarded the Hong Kong Cyber Security Professionals Award in 2017 and the (ISC)2 Information Security Leadership Asia Award 2018 in recognition of his commitment to the field.
Most of you should still remember the Bangladesh Central Bank hacking incident in February 2016. Apart from the interesting technical lessons learnt, the incident did not seem to pose an immediate threat to us; most of us in Hong Kong were not involved in it at all. Bangladesh was not the first central bank to have a cybersecurity incident. In 2013, US$13.3 million was stolen from the account of the city of Riobamba at the Banco Central del Ecuador.[1] There have been a few more cases: Swaziland, Bangladesh, Italy, Russia and most recently Malaysia.[2] As I work in a financial institution, all these cases are worth analysing for their impact on the financial sector in Hong Kong. The Bangladesh incident is a classic textbook scenario to learn from, and we have seen many technical post-mortem analysis reports. In this paper, we will discuss it from a risk perspective.
Image credit: https://www.bankinfosecurity.com/report-swift-hacked-by-bangladesh-bank-attackers-a-9061
[1] Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment from IMF
[2] https://www.reuters.com/article/us-malaysia-cenbank-cybersecurity-incide/malaysian-central-bank-saysfoiled-attempted-cyber-heist-idUSKBN1H50YF
Table 1: Recent cyber attacks on central banks
Regulatory Impact

A Philippine bank was involved in the Bangladesh incident: it was used by cyber criminals to channel the US$81 million stolen from Bangladesh Bank. The local regulator (Bangko Sentral ng Pilipinas) issued a US$21 million fine to the Philippine bank, which is about 25% of the fraudulent transaction.

If we take the average of the disclosed unrecoverable transactions of central bank hacks over the last few years, it is about US$30 million. Thus, the regulatory impact value at risk can be calculated as (US$30 million x 25%) = US$7 million.
Central Bank & Related Service           Reported Date   Involved Transaction (US$)   Unrecovered Loss (US$)
Ecuador                                  2013            Unknown                      13 Million
Bangladesh                               Feb, 2016       101 Million                  81 Million
Accounts at Russian Central Bank         Dec, 2016       50 Million                   22 Million
Malaysia                                 Mar, 2018       Not disclosed                0 Million
Mexico domestic payment network [3]      May, 2018       15 Million                   Not disclosed

Table 2: Incident Monetary Impact
Subsequent Legal Impact

In February 2018, Bangladesh's finance minister said the Bangladesh central bank will file a lawsuit in New York against a Philippine bank over the world's largest cyber heist. The story is still developing. It is not common to see a central bank sue an organization; however, we know this kind of lawsuit will take years and enormous resources. To quantify this risk, we can reference a similar cyber incident lawsuit between two financial institutions. In 2015, Banco del Austro in Ecuador transferred US$12 million of fraudulent transactions to Wells Fargo. The Ecuadorian bank filed a lawsuit in a US court accusing Wells Fargo of failing to recognize and stop the fraudulent transactions. Wells Fargo quietly settled the case in February 2018 [4]. I am not a legal professional and the settlement amount was not disclosed, so we can only estimate the amount of this settlement. Let's assume it is about 15% of the fraudulent transaction, taking into consideration the sound security measures of Wells Fargo. Therefore, the estimated value at risk is (US$30 million x 15%) = US$4.5 million.

[3] https://fronterasdesk.org/content/640809/millions-dollars-lost-mexico-after-bank-hacking
[4] https://www.reuters.com/article/us-cyber-heist-bangladesh/bangladesh-eyes-settlement-in-u-s-cyber-heist-suit-ahead-of-its-own-case-idUSKBN1HN1MZ
Central Bank Hack Aggregated Impact

The combined impact is (US$7 million + US$4.5 million) = US$11.5 million. As with credit risk and liquidity risk, we base the quantification of the risk on historical data and educated estimation. By translating a cyber security risk into a language our business heads can understand, they can fulfil their responsibility to evaluate the adequacy of cybersecurity controls. The next million-dollar question your management will ask is, "which is the next central bank we should be aware of?" This is also the most difficult part of a risk practitioner's job: when a risk surfaces at executive management level, they will always demand an actionable item to address it. In the next section I will share how we suggest an actionable item.
Who will be hackers' next target?

To understand who the next victim will be, we need to think like a hacker. Financial gain is surely the number one intention of a central bank hacker. The second thing a hacker will consider is "don't get caught"; thus, they are looking for easy targets. What is the minimum financial gain to motivate a hacker? The easy way is to benchmark the financial background of known victims. How do we know how wealthy a central bank is? From World Bank and International Monetary Fund data, we can get an idea of the reserves of central banks globally.[5] The total reserves (excluding gold) in 2017 were:
● Ecuador: US$1.7 billion
● Bangladesh: US$33 billion
● Russia: US$356 billion
● Malaysia: US$101 billion
● Mexico: US$170 billion
Ecuador has the lowest reserves and Russia the highest. Therefore, we can benchmark US$30 billion as the threshold for being a potential hacker's target; it is a number just below the reserves of the hacked Bangladesh Central Bank.

[5] Total reserves minus gold (current US$), IMF International Financial Statistics and data files https://data.worldbank.org/indicator/FI.RES.XGLD.CD?view=chart
How to quantify an "easy" target? "Easy" is an intangible concept. Thanks to the International Telecommunication Union (ITU) under the United Nations, which did an analysis based on 25 indicators and 157 questions to define the Global Cybersecurity Index (GCI) 2017 [6] for its member states, we have a usable measure. The research covered different aspects of cybersecurity (legal, technical, organizational, capacity building and cooperation). The report classified the countries into three cybersecurity maturity levels (Initiating, Maturing and Leading). Countries falling under the Initiating and Maturing levels should be of interest to our analysis, as they are less mature in cyber security, implying that they are easier to hack in hackers' eyes.
Country               Reserves (US$ Billion)   Maturity Level
Algeria               97                       Maturing
Argentina             53                       Maturing
Bangladesh            32                       Maturing
Brazil                371                      Maturing
China                 3158                     Maturing
Colombia              46                       Maturing
India                 389                      Maturing
Indonesia             128                      Maturing
Iraq                  45                       Maturing
Lebanon               43                       Maturing
Libya                 74                       Initiating
Malaysia              100                      Maturing
Mexico                170                      Maturing
Peru                  62                       Maturing
Philippines           73                       Maturing
Romania               40                       Maturing
Russian Federation    356                      Maturing
South Africa          45                       Maturing
Thailand              196                      Maturing
Turkey                84                       Maturing
Vietnam               49                       Initiating

Table 3: Bank Reserve VS. Cybersecurity Maturity Level in
[6] Global Cybersecurity Index (GCI) 2017 https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf
By matching these two data sources, we have the countries above falling under our focus criteria. Libya and Vietnam are classified at the "Initiating" cybersecurity maturity level and have bank reserves above the threshold. Therefore, they should be our primary focus countries as the next potential targets of attacks. We have quantified and narrowed down our focus area, against which we can now define our action items.
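The calculation above carried through in code, as an added example that is not part of the article: the average unrecovered loss from Table 2, the two value-at-risk figures at the article's 25% and 15% rates, and the Table 3 screen for reserves above the US$30 billion threshold. The screen also drops any "Leading" country, which Table 3 does not contain, so it generalizes the article's filter slightly; the dictionaries are transcribed from the two tables.

```python
# Added example (not the article's own code): the article's quantification
# method run on the figures from Table 2 and Table 3. The 25% regulatory
# rate, 15% legal rate and US$30 billion threshold are the article's own
# assumptions, reused unchanged.
from statistics import mean

# Table 2: unrecovered loss in US$ million; None = not disclosed / unknown.
INCIDENTS = {
    "Ecuador (2013)": 13,
    "Bangladesh (Feb 2016)": 81,
    "Accounts at Russian Central Bank (Dec 2016)": 22,
    "Malaysia (Mar 2018)": 0,
    "Mexico domestic payment network (May 2018)": None,
}

# Table 3: country -> (total reserves excl. gold, US$ billion; GCI 2017 level)
COUNTRIES = {
    "Algeria": (97, "Maturing"), "Argentina": (53, "Maturing"),
    "Bangladesh": (32, "Maturing"), "Brazil": (371, "Maturing"),
    "China": (3158, "Maturing"), "Colombia": (46, "Maturing"),
    "India": (389, "Maturing"), "Indonesia": (128, "Maturing"),
    "Iraq": (45, "Maturing"), "Lebanon": (43, "Maturing"),
    "Libya": (74, "Initiating"), "Malaysia": (100, "Maturing"),
    "Mexico": (170, "Maturing"), "Peru": (62, "Maturing"),
    "Philippines": (73, "Maturing"), "Romania": (40, "Maturing"),
    "Russian Federation": (356, "Maturing"), "South Africa": (45, "Maturing"),
    "Thailand": (196, "Maturing"), "Turkey": (84, "Maturing"),
    "Vietnam": (49, "Initiating"),
}

REGULATORY_RATE = 0.25      # Philippine fine / fraudulent transaction (21 / 81)
LEGAL_RATE = 0.15           # the article's assumed settlement ratio
RESERVE_THRESHOLD_BN = 30   # the article's benchmark, just below Bangladesh


def average_unrecovered_loss(incidents):
    """Mean of the disclosed unrecovered losses (US$ million), ignoring
    incidents whose loss was not disclosed."""
    disclosed = [loss for loss in incidents.values() if loss is not None]
    return mean(disclosed)


def value_at_risk(avg_loss_musd, regulatory_rate=REGULATORY_RATE,
                  legal_rate=LEGAL_RATE):
    """Regulatory and legal value at risk (US$ million) and their sum."""
    regulatory = avg_loss_musd * regulatory_rate
    legal = avg_loss_musd * legal_rate
    return {"regulatory": regulatory, "legal": legal,
            "combined": regulatory + legal}


def screen_targets(countries, threshold_bn=RESERVE_THRESHOLD_BN):
    """Keep countries with reserves at or above the threshold that are not
    'Leading'; 'Initiating' ones are the primary focus, 'Maturing' secondary."""
    primary, secondary = [], []
    for name, (reserves_bn, level) in sorted(countries.items()):
        if reserves_bn < threshold_bn or level == "Leading":
            continue
        (primary if level == "Initiating" else secondary).append(name)
    return {"primary": primary, "secondary": secondary}


if __name__ == "__main__":
    avg = average_unrecovered_loss(INCIDENTS)   # 29, which the article rounds to 30
    print(f"average disclosed unrecovered loss: US${avg:.1f} million")
    for basis in (avg, 30):                     # exact average vs. the rounded figure
        var = value_at_risk(basis)
        print(f"basis US${basis}M: regulatory {var['regulatory']:.2f}M, "
              f"legal {var['legal']:.2f}M, combined {var['combined']:.2f}M")
    focus = screen_targets(COUNTRIES)
    print("primary focus:", focus["primary"])
    print("secondary focus:", len(focus["secondary"]), "countries")
```

Run on the rounded US$30 million basis the block returns 7.5 and 4.5 (the article rounds the regulatory figure to US$7 million), and the screen returns Libya and Vietnam as the primary focus.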
Conclusion

When we conduct cyber security impact analysis, we usually find that qualitative assessments are not convincing enough for a non-technical audience. Different board members will have different perspectives in interpreting impact. Numbers can help in this case. However, there are a lot of missing puzzle pieces in getting the numbers right. My example here demonstrates how to make an educated guess based on authoritative sources and subjective data. I hope it is useful to the readers.

Patrick Liu ■

Copyright & Disclaimer
Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.
Cybersecurity Alert: Ransomware leverage RDP in attacks

Hong Kong SMEs' Internet facing RDP connections are subject to brute force attacks. Compromised systems may be planted with ransomware after sufficient data has been collected.

Frankie Li, Chief Security Analyst - DAT
Frankie Li is the Chief Security Analyst at Dragon Advance Tech (DAT). He has been a speaker at various security conferences: US Blackhat, Cyber Security Consortium (HK), HITCON (Taiwan), (ISC)2 Security Congress (APAC), CyberCrimeCon 2018 (Russia) and High-Tech Crime Investigation Association (HTCIA, APAC), and is the Founder of Dragon Threat Labs, DragonCon.
Many SMEs in Hong Kong outsource their IT support to external IT service companies. Those ad-hoc IT teams tend to deliver their IT maintenance services through RDP (Remote Desktop Protocol) to the clients' computers from their Internet facing devices. We observed that many Internet facing RDP connections are subject to brute force attacks, and compromised systems were planted with ransomware after sufficient data had been collected.

Recently, the Computer Security Incident Response Team from Dragon Advance Tech observed several ransomware incidents reported by Hong Kong SMEs during September and October 2018. Coincidentally, in the same period of 2017, HKCERT also identified 18 infection cases[1] of the ransomware called Crysis from domestic victims, including a school.

The Crysis ransomware was identified by Malekal_morte [2] and Trend Micro [3] in early 2017 and further confirmed by Bleeping Computer in August 2017. A detailed reverse engineering report of the ransomware was published in November 2017 by Panda Security.[4] Lawrence Abrams of Bleeping Computer provided a general description of the ransomware: "When the ransomware is installed, it will scan the computer for certain file types and encrypt them. The encrypted file will append with an extension in the format of .id-[id].[email].arena".[5]

In some of our investigated cases, the extension changed to .id-[id].[email].bip. Normally, ransomware infects through spam emails, drive-by downloads, malvertising with exploit kits or self-propagation like WannaCry. Typical ransomware authors will try to distribute the ransomware to a large number of potential victims spontaneously to maximize their financial gains. Usually these ransomwares do not require a persistence mechanism.

[1] https://www.hkcert.org/my_url/en/blog/17110901
[2] http://forum.malekal.com/viewtopic.php?t=54445&start=
[3] https://blog.trendmicro.com/trendlabs-security-intelligence/brute-force-rdp-attacks-plant-crysis-ransomware/
However, these Crysis cases are different because this ransomware was usually planted manually onto the victim systems through RDP access. In one of the cases we investigated, the attacker first brute-forced the RDP login from a Swedish IP address, planted the malware together with mimikatz (a password collection utility) and generated some text files with names like "good.txt", "IP.txt", "servers.txt", "settings.ini" and "credentials.txt" before launching the ransomware. We cannot verify how much and what kinds of information were harvested by the attackers because the log files were also encrypted by the ransomware. We also found that this ransomware uses several persistence methods to ensure it will start up on the next computer reboot.

We believe the victims' computing systems were actually hacked first; after gaining initial access, the attacker collected more information during lateral movement and finally launched the ransomware for financial gain. This is not common in most ransomware cases.

To the best of our knowledge, most of these cases are not investigated, and the victims are usually SMEs or NGOs. These organizations have a limited budget to appoint a cybersecurity professional, and some do not even have full time IT staff to handle their IT support duties. Hence, ad hoc or out-sourced IT staff are appointed to perform maintenance remotely, usually through RDP. These outsourced IT staff tend to use the same (and usually weak) passwords for accessing all their clients' Internet-facing devices, such as routers or firewalls. A forwarding rule for RDP is then created to reach one of the client's always-on machines, usually a server (such as a file server), which allows the IT staff member to connect to the client's network to perform their maintenance tasks.

The SME clients have no knowledge of how these RDP accounts are created, nor of the weak passwords used for RDP and routers/firewalls.
Hong Kong SMEs' management has a common misconception that if they have purchased a firewall and their desktop machines have anti-virus solutions installed, then their computer networks and systems are secure.

HKCERT has published prevention and mitigation guidelines[6] on protection against ransomware.

To protect against attacks like Crysis, or attackers who brute-force open Internet facing remote administration services (such as RDP, TeamViewer or VNC), we advise Hong Kong SMEs to add countermeasures to their network protection, such as proper configuration of security technologies and security incident monitoring. Internet facing devices should be protected by strong passwords, with all logging functions turned on. Internet-accessible RDP services should be turned off unless they are necessary. In case RDP is absolutely necessary, it should be made available on an on-demand basis (i.e. turn it on only on request and shut it down immediately after remote administration work is completed).

[4] https://www.pandasecurity.com/mediacenter/src/uploads/2017/11/Ransomware_Crysis-Dharma-en.pdf
[5] https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/
[6] https://www.hkcert.org/ransomware.hk/ransomware-basic.html
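As an added example (not the author's or DAT's code), a minimal detector for the brute-force-then-logon pattern described above, run over constructed Windows Security log records, the kind of data the "logging functions turned on" advice makes available. Event IDs 4625/4624 and logon type 10 are the standard Windows values; the thresholds, IP addresses and records are made up for the example.

```python
# Added example (not from the article): flag an RDP brute force burst from one
# source IP and a later successful logon from that IP, the sequence the article
# saw before the ransomware was planted. Event 4625 = failed logon, 4624 =
# successful logon, LogonType 10 = RemoteInteractive (RDP). Sample records,
# thresholds and addresses are constructed for the example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
RDP_LOGON_TYPES = {10}          # add 3 if NLA-fronted RDP failures appear as network logons
FAIL_THRESHOLD = 5              # this many failures from one source IP ...
WINDOW = timedelta(minutes=10)  # ... inside this window raise an alert

# Constructed sample log: (timestamp, event id, logon type, account, source ip)
SAMPLE_EVENTS = [
    ("2018-09-20 02:14:01", 4625, 10, "administrator", "203.0.113.45"),
    ("2018-09-20 02:14:03", 4625, 10, "admin",         "203.0.113.45"),
    ("2018-09-20 02:14:05", 4625, 10, "Administrator", "203.0.113.45"),
    ("2018-09-20 02:14:07", 4625, 10, "support",       "203.0.113.45"),
    ("2018-09-20 02:14:09", 4625, 10, "fileserver",    "203.0.113.45"),
    ("2018-09-20 02:14:12", 4625, 10, "itsupport",     "203.0.113.45"),
    ("2018-09-20 02:14:40", 4624, 10, "itsupport",     "203.0.113.45"),
    ("2018-09-20 09:00:00", 4625, 10, "alice",         "198.51.100.7"),
    ("2018-09-20 09:00:20", 4624, 10, "alice",         "198.51.100.7"),
    ("2018-09-20 09:05:00", 4625, 3,  "svc_backup",    "192.0.2.10"),
]


def parse(record):
    """Turn one sample tuple into a dict with a real datetime."""
    ts, event_id, logon_type, account, ip = record
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id, "logon_type": logon_type,
            "account": account, "ip": ip}


def detect_rdp_bruteforce(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts in time order: one ('bruteforce', ip, failures) when a
    source IP crosses the failure threshold inside the sliding window, and a
    ('compromise', ip, account) for each later successful RDP logon from it."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}                    # ip -> time the threshold was crossed
    for ev in sorted(map(parse, records), key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue                # not an RDP logon attempt
        ip = ev["ip"]
        if ev["event_id"] == FAILED_LOGON:
            recent = failures[ip]
            recent.append(ev["time"])
            while recent and ev["time"] - recent[0] > window:
                recent.popleft()    # drop failures that fell out of the window
            if len(recent) >= threshold and ip not in flagged:
                flagged[ip] = ev["time"]
                alerts.append(("bruteforce", ip, len(recent)))
        elif ev["event_id"] == SUCCESS_LOGON and ip in flagged:
            alerts.append(("compromise", ip, ev["account"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A single failed attempt followed by a success (the alice records) and the non-RDP logon type 3 record raise nothing, so the detector only fires on the burst from 203.0.113.45 and the logon that follows it.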
If any security incident happens, appoint a qualified cybersecurity professional as quickly as possible to review and contain the attack, and/or implement a continuous security monitoring service for better protection, because:

"IT CAN HAPPEN TO ANYONE AND MAY HAPPEN AGAIN"

Frankie Li ■

Copyright & Disclaimer
Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.
PISA Journal: The Editorial Board

SC Leung CISSP CCSP CISA CBCP
Joyce Fan CISSP CRISC CISA
Ian Christofis CISSP
Alan Ho CISSP CISA CISM CGEIT

You can contribute to PISA Journal by:
● Joining the Editorial Board
● Submitting articles to the Journal

SC Leung, Chief Editor
editor@pisa.org.hk
Next Issue: Issue 29 (Mar-2019)
Event Snapshot: We Share. We Progress. We Contribute. We Achieve.

PISA Security Jam 2018 (26 May 2018)
PISA organized the second PISA Jam, a 1-day conference to gather security buddies to share their research. Discussion on the Road to the Future of the HK Information Security profession. Sharing forum by security professionals. Organising Committee of PISA Jam with Guests and Speakers.
Presentations on Threat Intelligence, Exploring recently developed applications to the IT Security Industry, Bypassing ModSecurity WAF, CASB implementation and showcase, DevOps Jam on Aqua, First touch on Security and Forensics Continuous Workshop, and Reverse Engineering: from CTF to Real-world - on Android app reverse engineering.

(ISC)2 APAC Security Congress and ISLA 2018 @ Hong Kong (9-10 July 2018)
The (ISC)2 APAC Security Congress 2018 was held in Hong Kong, together with the (ISC)2 Information Security Leadership Achievements Asia-Pacific (ISLA Asia-Pacific) 2018 Award Presentation Ceremony at the Conrad Hotel.

PISA AGM cum Feature Talk: Road to Defcon (25 Aug 2018)
Captain shared his journey to DefCon 26. Our Chairperson presented a gift to thank him for his sharing and continued support to PISA. Group photo of PISA members at the AGM. After a competitive election, the PISA Executive Committee (EXCO) 2018/2019 was formed; group photo of PISA EXCO members.

Information Security Summit 2018 (4-5 September 2018)
PISA was one Organiser of the 2-day Information Security Summit 2018 held at the HKCEC. Photo of the Organisers with the VIPs: Mr. Victor Lam, GCIO (front row, middle), Hon. Charles Mok, IT Legislator (front row, 2nd from left), and Mr. Willy Lin, Chairman of HKPC (front row, 4th from left).

PISA Speakers spoke in the local community
Frankie Leung (7th from left) spoke at the CLP Security Forum 2018 on 11 September 2018.
Professional Information Security Association
Vision: to be the prominent body of professional information security practitioners, and utilize expertise and

Membership Information: You Can Benefit in Many Ways

Successful Career
Be up-to-date and more competitive in the info-sec community: line up the resources you need to expand your technical competency and move forward towards a more successful career.

Networking
Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date.

Continued Education
Check out job listings information provided by members. Get information on continuing education and professional certification.

Sharing of Information
Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors. Enjoy discounted or free admission to association activities, including seminars, discussions, open forums, IT related seminars and conferences organized or supported by the Association.

Realize Your Potential
Develop your potential and capabilities by proposing and running project groups such as Education Sector Security, Mobile Security, Cloud Security, Honeynet, Public Policy Committee and others, and enjoy the sense of achievement and recognition of your potential.

Professional Recognition
Benefit from immediate access to professional recognition by using the post-nominal designation.

Membership Requirements
• Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee.
• All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association.

Enquiry email: membership@pisa.org.hk
Membership Application Form: http://www.pisa.org.hk/membership/member.htm
Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm