Hundreds of millions of pesos have been stolen from major banks in Mexico through fraudulent orders during April of this year, sources close to the Mexican government told Reuters. In response to the fraud spree that utilized hundreds of false orders, Mexico’s central bank announced that it is creating a cyber security unit that “would design and issue guidelines on information security for the country’s banks.”
This announcement is a good sign but to F-Secure’s Vitor Vianna it shows that these financial institutions are “very late to the game.”
“Banks are supposed to be the beacons of cybersecurity capabilities,” he said. “The fact the banks seem so lost on these attacks shows they have no visibility on their attack surfaces.”
Attacks on banks have been international news since at least 2016, when a cyber heist on Bangladesh’s central bank yielded $81 million through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. The thieves’ booty could have been more than 10 times bigger, as much as $950 million, if not for a typo. Similar SWIFT attacks have hit both a Ukrainian bank and Ecuador’s Banco del Austro.
Using email as the initial attack vector, followed by network intrusion and command and control over throwaway HTTP/S domains, the attackers breach the bank’s network, harvest domain credentials and move laterally from host to host until they find a workstation with SWIFT access. Once they have the operator credentials for a SWIFT account, they begin issuing fraudulent transfer messages.
“It’s not a question of if you’ll be breached but when. What banks and all businesses need is a way to know very quickly if they have been breached,” Vitor said. “These banks may not have been ready to respond to these attacks nearly as quickly as they should be.”
Unfortunately, as endpoint security gets better at stopping commoditized, automated attacks, hands-on attacks run by human operators will become more frequent, especially when criminals see successful attacks like the ones in Mexico.
And too many businesses still lack proper visibility into what is running on their networks.
“This becomes obvious when we ask potential customers ‘Can you guarantee you do not have this CVE-2018-4878 vulnerability present in your environment?’ and no one can answer that.”
CVE-2018-4878 is a vulnerability in Adobe Flash Player. Left unpatched, it leaves a business open to a typical watering hole attack, in which a website its staff routinely visit is compromised to serve the exploit to them.
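To make Vitor’s question concrete, here is a small Python check, added as an example for this post and not F-Secure’s code or tooling, that answers “is CVE-2018-4878 present?” from an endpoint inventory. The inventory rows and host names are constructed; the fixed version, 28.0.0.161 (Adobe bulletin APSB18-03), is the real fix for this Flash Player bug. The point of the example is the third bucket: a host that reports nothing cannot be counted as safe, so the answer can only be “yes, guaranteed absent” when there is nothing vulnerable and nothing unknown.

```python
"""Added example: can we guarantee CVE-2018-4878 is absent from the estate?

The inventory format and host names below are constructed for illustration.
CVE-2018-4878 affects Adobe Flash Player 28.0.0.137 and earlier; Adobe fixed
it in 28.0.0.161 (APSB18-03), which is the threshold used here.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

PRODUCT = "Adobe Flash Player"
FIXED_VERSION: Tuple[int, ...] = (28, 0, 0, 161)

# Constructed sample inventory: one row per host describing what the endpoint
# agent reported for Flash Player. Empty product/version fields mean the agent
# returned nothing for that host, i.e. we have no visibility there.
SAMPLE_INVENTORY = """\
host,product,version
ws-finance-01,Adobe Flash Player,28.0.0.137
ws-finance-02,Adobe Flash Player,28.0.0.161
ws-swift-op,Adobe Flash Player,27.0.0.187
ws-hr-07,Adobe Flash Player,29.0.0.113
srv-fileshare,,
ws-finance-03,Adobe Flash Player,28.0.0.161
"""


@dataclass
class Assessment:
    vulnerable: List[str] = field(default_factory=list)  # version below the fix
    patched: List[str] = field(default_factory=list)     # version at or above the fix
    unknown: List[str] = field(default_factory=list)     # no usable data: cannot say

    @property
    def can_guarantee_absent(self) -> bool:
        # "Not reported" is not "not installed": a guarantee needs both
        # no vulnerable hosts and no hosts we know nothing about.
        return not self.vulnerable and not self.unknown


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '28.0.0.161' into (28, 0, 0, 161); return None for anything else."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def assess(lines: Iterable[str], product: str = PRODUCT,
           fixed: Tuple[int, ...] = FIXED_VERSION) -> Assessment:
    """Classify every inventory row as vulnerable, patched or unknown."""
    result = Assessment()
    rows = iter(lines)
    next(rows, None)  # skip the CSV header
    for raw in rows:
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            # Malformed row: we still know the host exists but nothing else.
            result.unknown.append(fields[0])
            continue
        host, prod, ver = fields
        version = parse_version(ver)
        if prod != product or version is None:
            # Missing or unparsable data counts as unknown, never as safe.
            result.unknown.append(host)
            continue
        # Tuple comparison orders versions component by component.
        if version < fixed:
            result.vulnerable.append(host)
        else:
            result.patched.append(host)
    return result


if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY.splitlines())
    print("vulnerable:", report.vulnerable)
    print("patched:   ", report.patched)
    print("unknown:   ", report.unknown)
    print("can guarantee CVE-2018-4878 is absent?", report.can_guarantee_absent)
```

Run against the constructed inventory, the check flags two hosts (one of them the SWIFT operator workstation) and one host with no data at all, so the honest answer to Vitor’s question is “no”. Swapping the version threshold and product name turns the same logic into a check for any other version-gated CVE.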
“Businesses that don’t want to see their names in headlines need detection and response services provided by an expert partner to prepare for cyber attacks before and after they happen,” Vitor said.