Page 1

Professional Information Security Association

SEP-2018

PISA Journal

Crunching the numbers in Central Bank Hack Impact Analysis Ransomware leverage RDP in attacks

www.pisa.org.hk

Issue

28


Special Topics 05 Crunching the numbers in Central Bank Hack Impact Analysis 12 Cybersecurity Alert: Ransomware leverage RDP in attacks

Page 2 of 24

An Organization for Information Security Professionals


Editor: editor@pisa.org.hk

Copyright

ďƒ“ 2018

Professional Information Security Association

Intranet 04 20 21 30

Page 3 of 24

Message from the Chair The Editorial Board Event Snapshot Joining PISA

A Publication of Professional Information Security Association


Professional Information Security Association

Message from the

Chairman money notes are not with our pocket, they are in our store value card, mobile phone or electronic wallet which we are relying the financial institutions to safeguard for us. However, banks themselves are also in trouble. Not only commercial banks are facing with threats from hacker attacks, Central Bank being the strongest financial authority in a country, still cannot get rid of such cyber security risks as quoted in Patrick Liu’s article in this issue. Many Small and Medium Enterprises (SMEs), are exposed to the challenges of ransomware attacks, likewise for individuals.

M

oney, Money, Money…..It is a Hacker’s World?

In economic text books, money is having its functions as the medium of exchange, unit of account, and store of value. In the last decade, when we talked about money, we were mentioning the physical money notes in our pocket or the numbers printed in our bank account statement. While we would personally secure the physical money from our wallets to avoid being stolen by thief, we trusted our banks with safe, security guards, etc. physical countermeasures to protect our wealth entrusted to them.

As stated in our PISA vision statement, being professional information security practitioners, we should utilise our expertise and knowledge to help bring prosperity to the society in the Information Age. While we need to deliver our expertise in the workplace to our employers to keep our living, I urge you as our PISA/(ISC)2 HK chapter members to contribute your time and professional knowledge to share with fellow members and the Community. Together let us make a Safer World for transactions and keep people away from the threat of hackers!

The world has changed. Nowadays, most of our

Page 4 of 24

An Organization for Information Security Professionals

Ando Ho Chairman


SEP-2018

Crunching the numbers in

Central Bank Hack Impact Analysis

Patrick Liu CISSP, ISSAP, CISA, CRISC, CGEIT, CIA, ABCP Patrick is currently the Deputy CISO of DBS Bank (Hong Kong) Ltd. with over 20 years of IT and Security experience. He was awarded the Hong Kong Cyber Security Professionals Awards in 2017 and ISC2 Information Security Leadership Asia Award 2018 in recognition of his commitment in the field.

Page 5 of 24

A Publication of Professional Information Security Association


PISA

Journal

Professional Information Security Association

Most of you should still remember the Bangladesh Central Bank hacking incident in February 2016. Apart from interesting technical lesson learnt, the incident did not seem to have immediate threat to us. Most of us in Hong Kong were not be involved in this incident at all. Bangladesh was not the first Central Bank has cybersecurity incident. In 2013, USD$13.3 million was stolen from the account of the city of Riobamba at the Banco Central del Ecuador.[1] There were a few more cases, Swaziland, Bangladesh, Italy, Russia and most recently Malaysia.[2] As I work in a financial institution, all these cases worth me to do an analysis on their impact to the financial sector in Hong Kong. Bangladesh incident is a classic textbook scenario for lesson to learn. We have seen a lot of technical post mortem analysis report. In this paper, we will discuss from risk perspective.

Image credit: https://www.bankinfosecurity.com/report-swift-hacked-by-bangladesh-bank-attackers-a-9061

[1] Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment from IMF [2] https://www.reuters.com/article/us-malaysia-cenbank-cybersecurity-incide/malaysian-central-bank-saysfoiled-attempted-cyber-heist-idUSKBN1H50YF

Page 6 of 24

An Organization for Information Security Professionals


SEP-2018 Crunching the numbers in Central Bank Hack Impact Analysis

Issue

28

Table 1:Recent cyber attacks on central banks

Regulatory Impact A Philippine Bank was involved in the Bangladesh incident. The Philippine Bank was utilised by cyber criminals to channel US$81 million stolen from Bangladesh Bank. The local regulator (Bangko Sentral ng Pilipinas) has issued US$21 million fine to the Philippine Bank. It is about 25% of the fraudulent transaction.

Page 7 of 24

If we take an average of disclosed unrecoverable transaction of central bank hacks over the last few years, it is about US$ 30 million dollar. Thus, the regulatory impact value at risk can be calculated as (US$30 million x 25%) = US$ 7 million dollar.

A Publication of Professional Information Security Association


PISA

Journal

Professional Information Security Association

Central Bank & Related Service

Reported Date

Involved Transaction (US$)

Unrecovered Loss (US$)

Ecuador

2013

Unknown

13 Million

Bangladesh

Feb, 2016

101 Million

81 Million

Accounts at Russian Central Bank

Dec, 2016

50 Million

22 Million

Malaysia

Mar, 2018

Not disclosed

0 Million

Mexica domestic payment network [3]

May, 2018

15 Million

Not disclosed

Table 2: Incident Monetary Impact

Subsequent Legal Impact In February 2018, the Bangladesh’s finance minister said the Bangladesh’s central bank will file a lawsuit in New York against a Philippine bank over the world’s largest cyber heist. The story is still under development. It is not common to see a central bank to sue an organization. However, we know this kind of lawsuit will take years and enumerated resources. To quantify this risk, we can reference similar cyber incident lawsuit between two financial institutions. In 2015, Banco del Austro in Ecuador transferred US$12 million

fraudulent transaction to Wells Fargo. The Ecuadorian Bank filed a lawsuit in a US court to accuse Wells Fargo of failing to recognize and stop the fraudulent transactions. Wells Fargo quietly settled the case in February 2018 [4]. I am not a legal professional and the settlement amount was not disclosed, so we only can estimate the amount of this settlement. Let’s assume it’s about 15% of the fraudulent transaction with consideration on the sound security measures of Wells Fargo. Therefore, the estimated value at risk is (US$30 million x 15%) = US$4.5 million.

[3] https://fronterasdesk.org/content/640809/millions-dollars-lost-mexico-after-bank-hacking [4] https://www.reuters.com/article/us-cyber-heist-bangladesh/bangladesh-eyes-settlement-in-u-s-cyber-heist -suit-ahead-of-its-own-case-idUSKBN1HN1MZ

Page 8 of 24

An Organization for Information Security Professionals


SEP-2018 Crunching the numbers in Central Bank Hack Impact Analysis

Central Bank Hack Aggregated Impact The combined impact is (US$7 million + US$4.5 million) = US$ 11.5 million. Like credit risk and liquidity risk, we based on historical data and educated estimation to quantify a risk. By translating a cyber security risk to a language our business head can understand, they can fulfil their responsibility to evaluate the adequacy of cybersecurity controls. The next million question your management will ask would be, “which is the next central bank we should be aware of?” This is also the most difficult part of a risk practitioner. When a risk surfaced to executive management level, they will always demand an actionable item to address the risk. The next paragraph I will share how we suggest an actionable item.

Who will be hackers’ next target?

Issue

central bank hacker. The second thing a hacker will consider is “don’t get caught”, thus, they are looking for easy target. What is the minimum financial gain to motivate a hacker? The easy way is benchmark the financial background of known victims. How do we know how wealthy a central bank is? According to World Bank and International Monetary Fund, we can have an idea on the reserve of the central banks globally.[5] The total reserves (excluding gold) in 2017 are: ●

Ecuador: US$1.7 billion

Bangladesh: US$33 billion

Russia: US$356 billion

Malaysia: US$101 billion

Mexico: US$170 billion

Ecuador has the lowest reserve and Russia has the highest one. Therefore, we can benchmark US$30 billion as the threshold to be a potential hacker’s target. It is a number just below the hacked Bangladesh Central Bank.

To understand who the next victim will be, we need to think like a hacker. Financial gain is surely the number one intention of a [5] Total reserves minus gold (current US$), IMF International Financial Statistics and data files https://data.worldbank.org/indicator/FI.RES.XGLD.CD?view=chart

Page 9 of 24

28

A Publication of Professional Information Security Association


PISA

Journal

Professional Information Security Association

How to quantify “easy” target? “Easy” is an intangible concept. Thanks to International Telecommunication Union (ITU) under the United Nation which did an analysis based on 25 indicators and 157 questions to define the Global Cybersecurity Index (GCI) 2017 [6] for their member states. The research covered different aspects of cybersecurity (legal, technical, orCountry

Country Maturity Level reserves (US$ Billion)

ganizational, capacity building and cooperation). The report classified the countries into three different cybersecurity maturity levels (Initiating, Maturing and Leading). Counties falling under Initiating and Maturing levels should be of interest to our analysis as they are less mature in cyber security, implying that they are easier to hack in hackers’ eyes.

Country

Country Maturity Level reserves (US$ Billion)

Algeria

97

Maturing

Malaysia

100

Maturing

Argentina

53

Maturing

Mexico

170

Maturing

Bangladesh

32

Maturing

Peru

62

Maturing

Brazil

371

Maturing

Philippines

73

Maturing

China

3158

Maturing

Romania

40

Maturing

Colombia

46

Maturing

Russian Federation

356

Maturing

India

389

Maturing

South Africa

45

Maturing

Indonesia

128

Maturing

Thailand

196

Maturing

Iraq

45

Maturing

Turkey

84

Maturing

Lebanon

43

Maturing

Vietnam

49

Initiating

Libya

74

Initiating

Table 3: Bank Reserve VS. Cybersecurity Maturity Level in

[6] Global Cybersecurity Index (GCI) 2017 https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf

Page 10 of 24

An Organization for Information Security Professionals


SEP-2018 Crunching the numbers in Central Bank Hack Impact Analysis

By matching these two data sources, we have the following countries that fall under our focus criteria. .

Libya and Vietnam ar e classified as “initiating” cybersecurity maturity level and with bank reserve above the threshold level. Therefore, they should be our primary focus countries that are the next potential targets of attacks. We have quantified and narrowed down our focus area which we can define our action item against those focused countries.

Conclusion

Copyright & Disclaimer

When we conduct cyber security impact analysis we usually found that qualitative assessment are not convincing enough for non-technical audience. Different board member will have different perspectives in interpretation of impact. Numbers can help in this case. However, there are a lot of missing puzzles in getting the numbers right. My example here demonstrated how to make educated guess based on authoritative sources and subjective data. Hope it is useful to the readers. Patrick Liu ■

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

Page 11 of 24

A Publication of Professional Information Security Association


Professional Information Security Association

Cybersecurity Alert:

Ransomware leverage RDP in attacks

Hong Kong SMEs’ Internet facing RDP connections are subject to brute force attacks. Compromised systems may be planted with ransomware after sufficient data has been collected.

Frankie Li Chief Security Analyst - DAT Frankie Li is the Chief Security Analyst at Dragon Advance Tech (DAT). He had been a speaker in various security conferences: US Blackhat, Cyber Security Consortium (HK), HITCON (Taiwan), (ISC) 2 Security Congress (APAC), CyberCrimeCon 2018 (Russia) and High-Tech Crime Investigation Association (HTCIA, APAC) and Founder of Dragon Threat Labs, DragonCon.

Page 12 of 24

An Organization for Information Security Professionals


SEP-2018 Cybersecurity Alert: Ransomware leverage RDP in attacks

Many SMEs in Hong Kong their IT support to external IT service companies Those ad-hoc IT teams tend to deliver their IT maintenance services through RDP (Remote Desktop Protocol) to the clients’ computers from their Internet facing devices. We observed that many Internet facing RDP connections are subject to brute force attacks and compromised systems were planted with ransomware after sufficient data has been collected.

Recently, the Computer Security Incident Response Teams from Dragon Advance Tech observed several incidents of ransomware reports from Hong Kong SMEs during September and October 2018. Coincidentally, in the same period of 2017, HKCERT also identified 18 infection cases[1] of the ransomware called Crysis from domestic victims including a school.

published in November 2017 by Panda Security.[4] Lawrence Abrams of Bleeping Computer provided a general description of the ransomware “When the ransomware is installed, it will scan the computer for certain file types and encrypt them. The encrypted file will append with an extension in the format of .id-[id].[email].arena” . [5]

The Crysis ransomware was identified by Malekal_morte [2], Trend Micro [3] in early 2017 and further confirmed by Bleeping Computer in August 2017. A detailed reverse engineering report of the ransomware was

In some of our investigated cases, the extension changed to .id-[id]. [email].bip. Normally, ransomware is infected through spamming emails, drive-by-

[1] https://www.hkcert.org/my_url/en/blog/17110901 [2] http://forum.malekal.com/viewtopic.php?t=54445&start= [3] https://blog.trendmicro.com/trendlabs-security-intelligence/brute-force-rdp-attacks-plant-crysis-ransomware/

Page 13 of 24

A Publication of Professional Information Security Association


PISA

Journal

Professional Information Security Association

downloads, malvertisment with exploit kits or self-propagation like WannaCry. Typical ransomware authors will try to distribute the ransomware to large number of potential victims spontaneously for maximizing their financial gains. Usually these ransomwares do not require a persistence mechanism.

However, these Crysis cases are different because this ransomware was usually planted manually onto the victim systems through RDP access. In one of the cases we investigated, the attacker first brute-forced the RDP login from a Swedish IP address, planted the malware together with mimikatz (a password collection utility) and generated some text files with names like “good.txt”, “IP.txt”, “servers.txt”, “settings.ini” and “credentials.txt” before launching the ransomware. We cannot verify how much and what kinds of information have been harvested by the attackers because the log files

Page 14 of 24

were also encrypted by the ransomware. We also found that this ransomware uses several persistence methods to ensure it will start up on the next computer reboot.

We believe the victims’ computing systems were actually being hacked first, and after gaining initial access, the attacker collected more information during their lateral movements and finally launched the ransomware for financial gain.

This is not common in most ransomware cases.

To the best of our knowledge, most of these cases are not being investigated and the victims are usually SMEs or NGOs. These organizations have a limited budget to appoint a cybersecurity professional, and some even do not have a full time IT staff to handle their IT support duties. Hence, ad hoc

An Organization for Information Security Professionals


SEP-2018

Issue Cybersecurity Alert: Ransomware leverage RDP in attacks

or out-sourced IT staff are appointed to perform maintenance remotely, usually through RDP. These outsourced IT staff tend to use the same (and usually weak) passwords for accessing all their clients’ internetfacing devices, such as routers or firewalls. A forwarding RDP rule will then be created to access one of the client’s always-on machines, usually a server (such as a file server), which then allows the IT staff member to connect to the client’s network for performing their maintenance tasks.

The SME clients have no knowledge on how these RDP accounts are created, nor the weak passwords used for RDP and routers/firewalls.

Hong Kong SMEs’ management has a common misconception that if they

28

have purchased a firewall and their desktop machines are installed with anti-virus solutions, then their computer networks and systems will be secured.

HKCERT has published prevention and mitigation guidelines[6] on protection against ransomware.

To protect against attacks like Crysis or attackers who brute-force open Internet facing remote administration services (such as: RDP, TeamViewer or VNC), we advise Hong Kong SMEs to put in additional countermeasures, such as proper configuration of security technologies and security incident monitoring, to their network protection. Internet facing devices should be protected by strong passwords, and with all logging functions turned on. Internet-accessible

[4] https://www.pandasecurity.com/mediacenter/src/uploads/2017/11/Ransomware_Crysis-Dharma-en.pdf [5] https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/ [6] https://www.hkcert.org/ransomware.hk/ransomware-basic.html

Page 15 of 24

A Publication of Professional Information Security Association


Professional Information Security Association

RDP services should be turned off unless they are necessary. In case RDP is absolutely necessary, it should be made available on an ondemand basis (i.e. turn it on only on request and shut it down immediately after remote administration works are completed).

.

If any security incidents happen, appoint a qualified cybersecurity professional as quickly as possible to review and contain the attacks, and/ or implement a continuous security monitoring service for better protection because:

“IT CAN HAPPEN TO ANYONE AND MAY HAPPEN AGAIN” Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

Page 16 of 24

Frankie Li ■

An Organization for Information Security Professionals


SEP-2018

PISA Journal The Editorial Board

SC Leung CISSP CCSP CISA CBCP

Joyce Fan CISSP CRISC CISA

Ian Christofis CISSP

Alan Ho CISSP CISA CISM CGEIT

You can contribute to PISA Journal by: ●

Joining the Editorial Board Submitting articles to the Journal

SC Leung, Chief Editor editor@pisa.org.hk Next Issue: Issue 29 (Mar-2019)

Page 17 of 24

A Publication of Professional Information Security Association


Professional Information Security Association

Event Snapshot We Share. We Progress.

PISA Security Jam 2018 (26 May 2018) PISA organized the second PISA Jam, a 1-day conference to gather security buddies to share their research.

Discussion on Road to the Future in HK Information Security profession.

Sharing forum by security professionals.

Page 18 of 24

Organising Committee of PISA Jam with Guests and Speakers

An Organization for Information Security Professionals


Professional Information Security Association

Event Snapshot We Contribute. We Achieve.

PISA Security Jam 2018 (26 May 2018) Presentations on Threat Intelligence, Exploring recently developed applications to the IT Security Industry, Bypassing ModSecurity WAF.

CASB implementation and showcase, DevOps Jam on Aqua, First touch on Security and Forensics Continuous Workshop, Reverse Engineering: from CTF to Real-world - on Android app reverse engineering.

Page 19 of 24

An Organization for Information Security Professionals


SEP-2018

Event Snapshot We Share. We Progress.

(ISC)2 APAC Security Congress and ISLA 2018 @ Hong Kong (9-10 July 2018) The (ISC)2 APAC Security Congress 2018 was held in Hong Kong, together with the (ISC)2 Information Security Leadership Achievements Asia-Pacific (ISLA Asia-Pacific) 2018 Award Presentation Ceremony at the Conrad Hotel.

Page 20 of 24

A Publication of Professional Information Security Association


Professional Information Security Association

Event Snapshot We Contribute. We Achieve.

PISA AGM cum Feature Talk: Road to Defcon (25 Aug 2018) Captain shared us his journey in DefCon 26. Our Chairperson presented gift to thank you his sharing and continued support to PISA

Our Chairperson presented a gift for Captain for his sharing.

This is a group photo for PISA members in the AGM.

After a competitive election, PISA Executive Committee (EXCO) 2018/2019 was formed. This is a group photo for PISA EXCO members.

Page 21 of 24

An Organization for Information Security Professionals


SEP-2018

Event Snapshot We Share. We Progress.

Information Security Summit 2018 (4-5 September 2018)

PISA was one Organiser of the 2-day Information Security Summit 2018 held in the HKCEC. Below was a photo of the Organisers with the VIPs, Mr. Victor Lam, GCIO (front row middle), Hon. Charles Mok, IT Legislator (front row, 2nd from left), and Mr. Willy Lin, Chairman of HKPC (front row, 4th from left).

Page 22 of 24

A Publication of Professional Information Security Association


SEP-2018

Event Snapshot We Contribute. We Achieve.

PISA Speakers spoke in the local community

Frankie Leung (7th from left) spoke in the CLP Security Forum 2018 on 11 September 2018.

Page 23 of 24

A Publication of Professional Information Security Association


Professional Information Security Association

Professional Information Security Association Vision to be the prominent body of professional information security practitioners, and utilize expertise and

Successful Career

Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.

Many Ways

Networking

Continued Education

Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date

Check out job listings information provided by members. Get information on continuing education and professional certification

Sharing of Information Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.

Enjoy the discounted or free admissions to association activities - including seminars, discussions, open forum, IT related seminars and conferences organized or supported by the Association.

You Can Benefit

Membership Information

Realize Your Potential

Professional Recognition

Develop your potentials and capabilities in proposing and running project groups such as Education Sector Security, Mobile Security, Cloud Security, Honeynet, Public Policy Committee and others and enjoy the sense of achievement and recognition of your potentials

Benefit from the immediate access to professional recognition by using post-nominal designation

Membership Requirements Enquiry email: membership@pisa.org.hk

Membership Application Form: http://www.pisa.org.hk/ membership/member.htm

Code of Ethics: http://www.pisa.org.hk/ ethics/ethics.htm Page 24 of 24

• •

Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee. All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association An Organization for Information Security Professionals

Profile for Professional Information Security Association

PISA Journal Issue 28  

Crunching the numbers in Central Bank Hack Impact Analysis, Ransomware leverage RDP in attacks

PISA Journal Issue 28  

Crunching the numbers in Central Bank Hack Impact Analysis, Ransomware leverage RDP in attacks

Advertisement