This latest document from notorious hacker Phineas Phisher, along with a leaked report from PwC, shows how easy it is for a bank to be hacked and defrauded.
You might think that stealing money from a bank is tough – you need to gain access to the network, figure out how money is transferred, what security they use, what monitoring is in place, and how to insert your own transactions into the process.
But the recently released “how-to” manifesto from Phineas Phisher documents every step he took as he opportunistically hacked the Cayman National Bank back in 2016. Using little more than a network scan looking for VPNs with a known vulnerability, Phisher was able to gain access to the bank. He then maintained that access undetected for months before attempting his first transaction. According to a leaked forensics report from PwC (WARNING: the link points to a PDF that some AV solutions don’t trust… proceed with caution), Phisher was able to compromise seven systems, leverage internal credentials, and attain “unrestricted administrative access” to the bank’s network.
According to Phisher, the only reason he picked this bank is because he got a hit on his network scan, saw it was a Cayman bank, and “thought it would be fun”. Scary stuff.
Banks looking to protect themselves from such attacks should consider the following precautions:
- Patch all known vulnerabilities. Vulnerability scanning and management would also be appropriate.
- Implement least privilege. Phisher was able to move laterally; restricting what accounts can do will slow down an attacker’s movement.
- Train users to be vigilant with Security Awareness Training. According to PwC, at least 4 user endpoints were compromised during this hack. Teaching users to watch for unusual application activity or malicious emails can help stop an attack in its tracks.
The casual nature of this attack should make banks worried; if this is what a hacker can do “for fun”, think about what can happen when a hacker is attacking your bank on purpose.