10/31/2016 "How to Rob a Bank" by @3ncr1pt3d 1
How To Rob A Bank
The SWIFT and easy way to grow your online savings
Cheryl Biswas @3ncr1pt3d
Toronto, Canada
Threat Intel Analyst at KPMG Canada
Into: Stuxnet, Mainframes, ICS SCADA, Startrek
LinkedIn Pulse, Talks, Blogs, TiaraCon
DISCLAIMER
The views expressed here are solely my own and do NOT
reflect those of my employer.
A Tale of Two Servers
Once Upon a Time There was a bank
It needed … Magic!
What Is SWIFT
• The Society for Worldwide Interbank Financial Telecommunications (if that doesn’t sound like something from a James Bond movie …)
• A secured and trusted exchange for financial messages
• Banks use it to send back end payment instructions to each other
• Brussels-based banking consortium
• Does NOT hold funds or manage accounts for customers
SWIFT Transactions for Dummies
• Each financial org gets a unique code of 8 or 11 characters. This is the BIC (Bank Identifier Code), also called the SWIFT ID or ISO 9363 code
• The first 4 characters are the institution; the next 2 are the country; the next 2 are the location/city; the last 3 are the branch code and are optional. E.g. DEUTDEFF: Deutsche Bank, Germany, Frankfurt
• You can send a message through a SWIFT member bank if you have the recipient’s corresponding SWIFT code and account ID
• Other message services are Fedwire, CHIPS, Ripple but SWIFT is the biggest and best at doing this
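The BIC layout described above, turned into a parser and a beneficiary check (an added example, not part of the original slides). The character classes, the "XXX" default for an omitted branch, the `review_beneficiary` helper and the placeholder BIC `EXMPUS33` are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Field lengths come from the slide; the character classes are an assumption
# (letters for institution and country, letters or digits for the rest).
_BIC_RE = re.compile(r"([A-Z]{4})([A-Z]{2})([A-Z0-9]{2})([A-Z0-9]{3})?")


@dataclass(frozen=True)
class Bic:
    institution: str  # first 4 characters
    country: str      # next 2
    location: str     # next 2
    branch: str       # last 3; "XXX" when the optional branch is omitted

    @property
    def bic8(self):
        return self.institution + self.country + self.location

    @property
    def bic11(self):
        return self.bic8 + self.branch


def parse_bic(raw):
    """Split an 8- or 11-character BIC into its fields, or raise ValueError."""
    text = raw.strip().upper()
    match = _BIC_RE.fullmatch(text)
    if match is None:
        raise ValueError("not a well-formed BIC: %r" % raw)
    institution, country, location, branch = match.groups()
    # Assumed convention: an 8-character BIC is treated as branch "XXX".
    return Bic(institution, country, location, branch or "XXX")


def review_beneficiary(raw_bic, known_counterparties):
    """Return review findings for a payment's beneficiary BIC (empty = clean)."""
    try:
        bic = parse_bic(raw_bic)
    except ValueError as exc:
        return [str(exc)]
    known = [parse_bic(k) for k in known_counterparties]
    if bic in known:
        return []
    if any(k.bic8 == bic.bic8 for k in known):
        return ["known institution and city, unfamiliar branch " + bic.branch]
    if any(k.institution == bic.institution for k in known):
        return ["known institution code, unfamiliar country/location "
                + bic.country + "/" + bic.location]
    return ["beneficiary " + bic.bic11 + " is not a known counterparty"]


# Constructed counterparty list: DEUTDEFF is the slide's example,
# EXMPUS33 is a made-up placeholder.
KNOWN = {"DEUTDEFF", "EXMPUS33"}

if __name__ == "__main__":
    for candidate in ("DEUTDEFFXXX", "DEUTDEFF500", "DEUTPHMM", "DEUTDEF"):
        print(candidate, review_beneficiary(candidate, KNOWN))
```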
SWIFT By NUMBERS
Currently:
• 200 countries
• 10,800 users
• $9 trillion transferred daily
• Started 40 years ago
• 99.99 % availability (thank you mainframes)
“The global backbone of the financial industry”
A Zero-Risk Approach to Failure
• Confidentiality
• Efficiency
• Reliability
• Security
• Resilient topology
• Robust software designs
Just How Does This Add Up to Security?
“Our record availability levels are a direct result, and proof of, our security commitment”
“We relentlessly pursue operational excellence and continually seek ways to lower costs, reduce risks, and eliminate operational inefficiencies”
What’s missing here?
Dangerous Assumptions
• Air-gapped is absolute. It isn’t
• Private networks ensure safety. They don’t
• Special systems operating in their own secure enclaves, with their own proprietary setups will remain impenetrable. They won’t
• Inherent Protections. Are not.
No Virginia, there is no Inherent Security
TRUST ISSUES
What do we know about TRUST, people?
Complete the sentences
1. Trust …
2. Trust …
Then one day the Magic stopped working
Banker’s Hours
Hello?
BAE SYSTEMS DIAGRAM
The Telltale Printer: "HP LaserJet 400 M401"
And another question
“Extensive integrity controls built into SWIFT apps to protect against unauthorized changes to messages and to detect corruption of messages”
SWIFT website
So how exactly did that Oracle db thing get by you?
“It was the bank’s systems or controls that were compromised, not the software. The SWIFT software behaved as it was intended to, but was not operated by the intended person or process. This is a bank problem, not a SWIFT problem.”
William Murray, independent payments security consultant
Heist by Numbers
| Country | Bank | Amount | Date |
|---|---|---|---|
| Bangladesh | Bangladesh Bank | $81 Mil | Feb 2016 |
| Philippines | Unnamed | | 2015 |
| Ecuador | Banco Del Austro | $12 Mil | June |
| Vietnam | Tien Phong Bank | Failed | June |
| Ukraine | Unnamed | $10 Mil | April |
About that $10 switch …
The FED vs SWIFT
“SWIFT is … as flaky as ICS or SSL… you can’t separate workstations from SWIFT and remove them from the network.”
Risky Business Podcast
Now with MORE Security!
A SWIFT Response
• The new Customer Security Programme (CSP)
• 5 Steps to better security: 5 strategic initiatives
• Daily Validation Reports. Out of band access.
• “customer systems or operational staff that have been compromised and locally stored records that have been obfuscated”
SWIFT New Core Security Standards
“The Swift payment system is only as strong as the operational controls built and enforced around it … and a lack of strong policies and procedures for increased vulnerabilities.”
Mark Williams, lecturer at Boston University
“The Vietnam case shows that the global banking system is vulnerable to cyber attacks, and we should make a global effort to prevent these attacks,” Bangladesh Bank spokesman Subhankar Saha said Monday.
Who Dunnit?
It was the Lazarus Group,
It was the Lazarus Group, in North Korea,
It was the Lazarus Group, in North Korea, with a wrench
The Sony Hack
Meanwhile, back on the ranch …
“If we haven’t seen them in the US it’s because nobody’s bothered … Most Western Banks have not had to deal with these attacks”
Brian Krebs on Risky Business podcast
“Banks are fighting a war on every conceivable front. It’s a losing battle. There’s no way to share enough information among enough people.”
Anonymous source
Which brings us to … Odinaff
• Discovered January 2016 attacking banks, securities, trading, payroll globally
• Mounted attacks on SWIFT users, malware hiding fraudulent transactions
• Lightweight backdoor Trojan
• Makes use of common hacking and legitimate software tools like mimikatz, PSExec, Netscan, PowerShell, Runas
• Malware designed to compromise specific computers. Requires a lot of manual intervention
• Linked to Carbanak through shared infrastructure, 3 C&C IP addresses, backdoor Batel
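A defender-side reading of the tool list above, as an added example that is not from the talk: because the tools are dual-use and the operators work by hand, one detection angle is several of them appearing on the same host within a short window. The log format, host names, executable file names and the 30-minute / 3-tool thresholds are assumptions, and the sample events are constructed.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named on the slide, keyed by their usual executable names (assumed).
# Renamed binaries evade name matching, so this is a first-pass filter only.
TOOL_IMAGES = {
    "mimikatz.exe": "mimikatz",
    "psexec.exe": "PSExec",
    "psexec64.exe": "PSExec",
    "netscan.exe": "Netscan",
    "powershell.exe": "PowerShell",
    "runas.exe": "Runas",
}

# Constructed process-creation events in a simplified key=value format.
SAMPLE_EVENTS = r"""
2016-10-05T02:11:40Z host=PAY-OPS-01 user=ops1 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2016-10-05T02:13:05Z host=PAY-OPS-01 user=ops1 image=C:\Users\Public\netscan.exe
2016-10-05T02:15:30Z host=PAY-OPS-01 user=ops1 image=C:\Windows\System32\notepad.exe
2016-10-05T02:19:52Z host=PAY-OPS-01 user=ops1 image=C:\Users\Public\mimikatz.exe
2016-10-05T02:24:10Z host=PAY-OPS-01 user=ops1 image=C:\Users\Public\PsExec.exe
2016-10-05T09:02:00Z host=HELPDESK-07 user=jlee image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2016-10-05T14:40:00Z host=HELPDESK-07 user=jlee image=C:\Windows\System32\runas.exe
2016-10-05T10:00:00Z host=ADMIN-03 user=adm2 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2016-10-05T10:05:00Z host=ADMIN-03 user=adm2 image=C:\Tools\PsExec.exe
2016-10-05T16:00:00Z host=ADMIN-03 user=adm2 image=C:\Windows\System32\runas.exe
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, _, rest = line.partition(" ")
        fields = dict(_KV.findall(rest))
        fields["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def find_tool_clusters(events, window=timedelta(minutes=30), min_tools=3):
    """Map host -> distinct listed tools seen inside one window, if >= min_tools."""
    by_host = defaultdict(list)
    for ev in events:
        # ntpath handles Windows paths regardless of the analyst's own OS.
        tool = TOOL_IMAGES.get(ntpath.basename(ev["image"]).lower())
        if tool:
            by_host[ev["host"]].append((ev["time"], tool))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        best = set()
        # Slide a window forward from each hit and keep the richest one.
        for i, (start, _) in enumerate(hits):
            seen = {tool for when, tool in hits[i:] if when - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_tools:
            alerts[host] = sorted(best, key=str.lower)
    return alerts


if __name__ == "__main__":
    for host, tools in find_tool_clusters(parse_events(SAMPLE_EVENTS)).items():
        print(host, tools)
```

Single hits on PowerShell or Runas are normal administration; it is the cluster on one host that merits a look, which is why HELPDESK-07 and ADMIN-03 stay quiet at the default threshold.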
Imagine Dragonz
But what if I told you there was a fire-breathing dragon
Breach the Moat
How the Mighty Fall
Bigendian POC
Hospital ransomware + JBOSS
What Would You Do Better?
The Moral of the Story
• Trust No One/Trust but Verify
• Go looking for the big bad wolf before you get eaten
• For God’s sake do the basics right
• Don’t Assume Anything. It makes an ass out of U and Me
Thank You!!
• @bigendiansmalls
• @mainframed767
• SecTor
• DefensiveSec, Brakeing Down Security and Risky Bus Podcasts
• Numerous members of the InfoSec community