In perhaps the most ambitious cyber heist of last year, hackers gained control of a major Brazilian bank’s entire domain name system (DNS), stealing customers’ usernames and passwords as they were typed into the login boxes of sites hosted by the bank.
Following an investigation into the attack, which took place on October 22 last year, security firm Kaspersky Lab released its findings during the recent Kaspersky Security Analyst Summit.
The bank had its point-of-sale, ATM, online banking, and investment transactions hijacked by the attack, as the hackers were able to redirect all 36 of the bank’s domains to phony websites that used free HTTPS certificates from Let’s Encrypt.
Worse still, the dummy websites dropped malware onto each visitor’s computer: clicking on a Java plugin, hidden within a .zip file, would start an infection on any machine capable of running the malicious code.
The bank, which has not been named, reportedly has $25 billion in assets, 5 million customers worldwide, and 500 branches in Brazil, Argentina, the US, and the Cayman Islands.
“As far as we know, this type of attack has never happened before on such a big scale,” said Dmitry Bestuzhev, director of Kaspersky Lab’s research and analysis team in Latin America.
The attack lasted for five hours, and, during the entire time, the bank was locked out of its own network and systems.
Bestuzhev says it’s unclear how the hackers were able to compromise the bank’s DNS provider, Registro.br, but he notes that the firm patched a cross-site request forgery flaw on its website in January 2017.
“Maybe [the attackers] exploited the vulnerability on that website and got control,” said Bestuzhev. Alternatively, they could have got into the system by spear-phishing, as there were “several phishing emails targeting employees of that registrar.”
Lessons to be learned
In our free green paper, Cybersecurity: A critical business issue, we comment on many businesses’ growing concerns about organized crime and how vital it is to protect your organization from cyber attacks that can strike from any number of places.
The free green paper explains the threats to businesses, including the correlation between security spending and security effectiveness, the importance of accredited certification to ISO 27001 and ISO 22301, and IT Governance’s seven-step cybersecurity strategy.
Is your organization supervised by the New York Department of Financial Services (NYDFS)? The deadlines for the NYDFS’s Cybersecurity Requirements are right around the corner. To read how ISO 27001 addresses the requirements and can help you achieve compliance, download our free green paper, NYDFS Cybersecurity Requirements – Part 1: The Regulation and the ISO 27001 standard.