Brazilian Hackers Pulled off Sweeping Compromise of Bank’s 36 Domains

Bank vault

An unprecedented compromise of a Brazilian bank’s operations has been discovered by security researchers, with all 36 domains including DNS and corporate email under the control of attackers.

Security engineers at industry firm Kaspersky Lab have revealed details of a stunning, sweeping compromise of an unnamed Brazilian bank’s core cyberinfrastructure.

According to researchers, the attack took place on a weekend in October, specifically the Saturday, October 22, 2016. The attack took place over about five hours after hackers compromised the bank’s DNS hosting service using sophisticated targeted attacks. From here, the attackers managed to transfer all 36 of the bank’s domains to fraudulent websites. These rogue websites, purporting to be the bank’s official domains, used free HTTPS certificates from Let’s Encrypt, a free Certificate Authority, to display valid SSL credentials. With the compromise, the criminals were able to steal and siphon customers’ credentials – usernames and passwords – when entered into the faux websites’ login fields.

In breathtaking scale, all 36 domains of the bank, including online banking, mobile banking, financing, acquisitions, point-of-sale systems and more were under the attackers’ control.

“All domains, including corporate domains, were in control of the bad guy,” stated Kaspersky Lab researcher Fabio Assolini. A native Brazilian, Assolini also confirmed that the unnamed multinational bank operates around 500 branches in Brazil, the U.S., Argentina and Grand Cayman, serving 5 million customers with $25 billion in assets.

Dissecting the malware, researchers found eight separate modules including credential-stealing modules for Microsoft Exchange, Thunderbird and the local address book, as well as internet banking control and decryption modules. One of the modules, called Avenger, was discovered to be a legitimate penetration testing tool used to kill rootkits, reverse-engineered to remove security products on targeted and compromised machines. Altogether, researchers were able to locate up to nine other banks around the world that were targeted and compromised by hackers, using Avenger.

“The bad guys wanted to use that opportunity to hijack operations of the original bank but also drop malware with the capacity to steal money from banks of other countries,” added Kaspersky Lab researcher Dmitry Bestuzhev.

Ultimately, the rapid development and deployment of malware planted enough red flags for security staff to get the original DNS credentials resorted to the bank. Still, the incident is a telling real-world example of just how vulnerable banks and its employees can be.

“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev said. “If DNS was under control of the criminals, you’re screwed.”

The researchers added that the bank could have avoided the sweeping compromise if it had enabled two-factor authentication to securer its DNS infrastructure.

Image credit: Wikimedia.