Hacking banks
Attacks of the form you’ve just learned about actually happen in the world – sometimes with costly consequences.
As we write this the Twitters are all aflare with news that Phineas Fisher (very unlikely to be a single individual, but whose manifestos are written in the first-person singular) has hacked the Cayman National Bank (Isle of Man), a subsidiary of the Cayman National Bank Ltd, and released some 2TB of potentially sensitive information. The hack allegedly took place back in 2015, but the details only came to light in mid November. The purloined data is available via information-sharing website Distributed Denial of Secrets, which immediately following the release struggled to cope with the demand for downloads.
The bank released a statement saying it was investigating a data breach that a criminal group has claimed responsibility for, but stating it has no evidence of any monies going missing. The bank also points out that Isle of Man operations are ‘separate and distinct’ from the parent bank in the Caymans (a tax haven).
Fisher gained notoriety in 2016 by exposing Hacking Team, an Italian company that offered surveillance tools to repressive regimes around the world. This latest endeavour is significant because Fisher rather audaciously released detailed information about how she (the pronoun used in the account) orchestrated the hack. We’d get in trouble if we told you how to hack a bank here (heck, we got in trouble for the headline ‘Learn to hack’ a few years back), but you can pore over a translation of Fisher’s alleged account at https://pastebin.com/raw/xssyub0f. If true, it provides a rare insight into how these things go. The leaked information certainly seems legitimate, and there’s nothing in the pastebin text that’s glaringly false, but nonetheless it could have been written by anyone with a lot of free time and dilettante-level knowledge of hacking.
Some interesting points are that the initial attack vector was the same as in the Hacking Team attack – a vulnerable SonicWall VPN appliance. In fact the very same exploit was used (the account makes reference to Shellshock, which suggests that the bank was most lackadaisical in patching its systems, as this was patched a year before the incident). Speaking of Shellshock, if you followed the previous two pages, you may have noticed the cgi-bin/ directory visible on the webserver. If you investigate this from Meterpreter, you’ll find a file there that can be executed. This, together with an unpatched system, is all that’s required for a successful Shellshock attack.
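From the defender’s side, a Shellshock attempt against a CGI handler leaves a distinctive trace in the web server log: a bash function definition (`() { ...; }` followed by a trailing command) in a client-controlled field such as the User-Agent or Referer, because CGI hands those fields to the handler as environment variables. The following scanner is an added example, not code from the article; it parses constructed Apache combined-format log lines (the hosts and timestamps are made up) and flags entries carrying that signature, noting whether they targeted cgi-bin/.

```python
import re

# Apache/nginx "combined" log format:
# client ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock payloads begin with a bash function definition followed by a trailing
# command: "() { ...; }; <command>". The semicolon after the closing brace is the
# tell-tale; "() {}" on its own is just odd input, not an attempt.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;')


def is_shellshock_attempt(entry):
    """True when any client-controlled field carries a function-definition payload."""
    fields = (entry["agent"], entry["referer"], entry["path"])
    return any(SHELLSHOCK_RE.search(f) for f in fields)


def scan_log(lines):
    """Return one record per suspicious line: who sent it, what it hit, and the status
    the server answered with (a 200 on a cgi-bin/ target deserves immediate attention)."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would log and skip
        entry = m.groupdict()
        if is_shellshock_attempt(entry):
            hits.append({
                "client": entry["client"],
                "path": entry["path"],
                "status": entry["status"],
                "cgi": entry["path"].startswith("/cgi-bin/"),
            })
    return hits


# Constructed sample log (documentation-range addresses, benign canonical test string).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2015:08:41:22 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.3 - - [10/Nov/2015:08:41:23 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Nov/2015:08:41:25 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "() { :; };echo vulnerable" "curl/7.40.0"',
    '198.51.100.9 - - [10/Nov/2015:08:41:30 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 () {} not-an-attack"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same pattern check works on a proxy or WAF log, and pairing it with an inventory of hosts whose bash predates the Shellshock fix tells you which flagged requests actually mattered.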
Using the open source ZMap program (for internet-wide port scanning), our hacker identified a number of vulnerable VPN appliances and, naturally, was attracted to the one with Cayman Bank in its name.
Getting one-time access is all well and good, but the discerning hacker wants to be able to come and go as they please, without having to rely on this vulnerability not being patched. There is an array of post-exploitation tools out there that can help get this kind of persistent access. The hacker claims to have used the initial exploit to implant the PowerShell-based Empire (now discontinued, but the source is still available at https://github.com/empireproject/empire) to achieve this. The hacker also claims to have planted a Meterpreter reverse shell (just like we did on the previous pages), and another undisclosed ‘backup’ access point. By poking around documentation on the compromised servers, pivoting to desktop machines and using Metasploit’s post/windows/gather/screen_spy tool, she figured out how (roughly) to craft SWIFT (Society for Worldwide Interbank Financial Telecommunication, the network that banks use to send money internationally) messages. Usually, these go through three employees, but since she had logged keystrokes, she could imitate them all – and duly make off with several hundred thousand dollars (the exact figure is undisclosed, and Fisher claims to have given it away). Perhaps she would’ve made off with more, had it not been for bungling a SWIFT message involving an intermediary bank and, on the same day, trying to send $200,000 via the UK’s Faster Payments service (which doesn’t permit such ludicrous transfers).
Curiously, around the same time as Fisher’s attack, it seems a parallel phishing attack was underway. The leaked documents show a PwC incident response (IR) team was drafted in to investigate the bank’s systems when the bank discovered fraudulent SWIFT transactions in January 2016. The IR team discovered a malicious email bearing the Adwind malware, a remote-access trojan that has been used successfully against financial institutions in the past.
The team also discovered and neutralised the meterpreter and Empire backdoors, but not the backup backdoor (redundancy is good for bank robbers as well as backups). Seeing the situation was getting hot, Fisher, who by this stage claims to have been in the system since August 2015, backed off, claiming to have used Mimikatz (a tool for extracting passwords from the memory of Windows machines) a single time to get passwords for a webmail portal. By studying email conversations she was able to keep up to date with the investigation, and assured herself that there was no immediate danger of her operation being rumbled.
At the end of Phineas Fisher’s ‘manifesto’ is a call to arms. She offers a bounty of $100,000 to others willing to hack banks and big companies. Whether that money came from this hack is unclear, but it’s absolutely not something we can condone. Leaks like these expose all kinds of trickery and treachery by supposedly respectable entities, but encouraging people to go after them is irresponsible, especially since a lot of people that heed this call will be ‘script kiddies’ – inexperienced hackers that are just using pre-packaged attacks or Metasploit modules without realising how very visible these make them. Attempting to hack a large financial institution comes with grave penalties, and you don’t get a lesser sentence just because your attack was naive and unimaginative. Stay safe kids, go play outside.
Breaking Windows
We have largely ignored the Windows Metasploitable VM, but there’s no reason you should – it is taking up several gigabytes on your system after all. You’ll find lots of hints online and you can even indulge in some CTF (capture the flag) antics. You can learn more about these contests from elite RISC-V and IoT hacker Christina Quast in the interview on page 40. The idea is that there are some tokens (‘flags’) hidden on the target machine, and great kudos is awarded to those who find them first. The vulnerable Metasploitable VM’s flags take the form of PNG images of a deck of cards, some of which are only available on the Windows machine, which is also running some different services.
Naturally, you can cheat and log in as vagrant:vagrant, which will enable you to carry out an “evil maid” attack (a bad actor with local access). But that’s no fun (the vagrant account has admin access, so there isn’t really any challenge). If you’re stuck, follow what we did for the Linux VM: scan the machine, investigate what’s running and see if Metasploit has any exploits. And don’t give up, we believe in you! And don’t hack anything you shouldn’t. And don’t get arrested. We can’t bail you out and will disavow any knowledge of your actions.