SWIFT is a global provider of secure financial messaging services. It is the big brother of the financial world, facilitating the round-the-clock secure international exchange of payment instructions between banks, central banks, multinational corporations and major securities firms. In the 21st century it met its rival: everybody knows it is blockchain technology, or put simply, bitcoin, right? Its enemies are not limited to blockchain technology, however. Last month (Oct 2016) a newly discovered malware was observed attacking the networks of SWIFT member institutions. Its nickname is Odinaff.
Technical specification:
malware checksum SHA256: fbede281f54108136a6c73fec7d45386a803793b2a92964ec5355babe6127eec
File name: odinaff_payload.exe [12.0 KB ( 12288 bytes )]
Oh! The payload is only 12 KB. Security gurus, you must pay extra attention. My personal comment is that this is an advanced type of malware, since 30 antivirus vendors can detect this payload. The malware authors make minor changes to, or repackage, their malware every few days to thwart detection by hash (MD5 or SHA256 blocklists) or by antivirus signature, and in some cases the malware is repackaged daily. Therefore new samples often go undetected. To be honest, at only 12 KB it is easy to repackage.
To detect this malware correctly with your own malware scanner, the pattern below is provided for reference. Test it against the sample hash above before deploying it, and note that the pe.exports() check relies on YARA's pe module, which the rule imports.
Reference: YARA rule
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"

rule Odinaff_swift : malware odinaff swift raw
{
    meta:
        author = "_____"
        date = "2016/10/27"
        description = "Odinaff malware"
        reference = "https://www.symantec.com/security_response/writeup.jsp?docid=2016-083006-4847-99"
        filetype = "binary"

    strings:
        // Debug symbol (PDB) path left in the binary by the build
        $s1 = "getapula.pdb"
        // Imported libraries and API names used by the payload
        $i1 = "wtsapi32.dll"
        $i2 = "cmpbk32.dll"
        $i3 = "PostMessageA"
        $i4 = "PeekMessageW"
        $i5 = "DispatchMessageW"
        $i6 = "WTSEnumerateSessionsA"

    condition:
        // Either the PDB path or the Tyman32 export, plus at least two of the import indicators
        ($s1 or pe.exports("Tyman32")) and (2 of ($i*))
}
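As an added example (not part of the original post and not part of the YARA ruleset above), the following Python script shows why the hash in the technical specification is a weaker detection than the string pattern in the rule: a repackaged variant keeps the same indicator strings but gets a new SHA256. It uses only the standard library and mirrors the string half of the rule's condition ($s1 and at least two of $i*); the pe.exports("Tyman32") branch is omitted, since it needs a PE export-table parser (YARA's pe module). The sample bytes are constructed for the demonstration and are not the real Odinaff payload.

```python
import hashlib

# SHA256 of the Odinaff payload as listed in the technical specification above
ODINAFF_SHA256 = "fbede281f54108136a6c73fec7d45386a803793b2a92964ec5355babe6127eec"

# String indicators copied from the YARA rule above ($s1 and $i1..$i6)
PDB_STRING = b"getapula.pdb"
IMPORT_INDICATORS = (
    b"wtsapi32.dll",
    b"cmpbk32.dll",
    b"PostMessageA",
    b"PeekMessageW",
    b"DispatchMessageW",
    b"WTSEnumerateSessionsA",
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(data: bytes, blocklist: set) -> bool:
    """Hash-based IOC check: an exact match only, so any byte change defeats it."""
    return sha256_hex(data) in blocklist


def indicator_match(data: bytes) -> dict:
    """String side of the rule's condition: $s1 and at least 2 of ($i*).

    Assumption: the pe.exports("Tyman32") alternative is not evaluated here
    (it needs a PE export-table parser, which YARA's pe module provides).
    Matching is case-sensitive, as in the rule.
    """
    has_pdb = PDB_STRING in data
    imports_hit = [s.decode() for s in IMPORT_INDICATORS if s in data]
    return {"pdb": has_pdb, "imports": imports_hit,
            "match": has_pdb and len(imports_hit) >= 2}


def build_sample(filler: bytes, with_pdb: bool = True) -> bytes:
    """Constructed stand-in for a small packed binary: indicator strings
    embedded in filler bytes. This is NOT the real Odinaff payload."""
    body = b"MZ" + filler
    body += b"\x00wtsapi32.dll\x00cmpbk32.dll\x00WTSEnumerateSessionsA\x00"
    if with_pdb:
        body += b"c:\\build\\" + PDB_STRING + b"\x00"
    return body + filler


def compare_detection(original: bytes, repacked: bytes) -> dict:
    """Run both detection styles over the original and a repackaged variant."""
    blocklist = {ODINAFF_SHA256, sha256_hex(original)}  # original is "known bad"
    return {
        "hash_original": hash_match(original, blocklist),
        "hash_repacked": hash_match(repacked, blocklist),
        "strings_original": indicator_match(original)["match"],
        "strings_repacked": indicator_match(repacked)["match"],
    }


if __name__ == "__main__":
    v1 = build_sample(b"\x90" * 64)   # first sample seen
    v2 = build_sample(b"\xcc" * 64)   # "repackaged": filler changed, logic identical
    for name, hit in compare_detection(v1, v2).items():
        print(f"{name}: {hit}")
    # Stripping only the PDB path defeats the string half of the rule,
    # which is why the rule also keys on the Tyman32 export.
    stripped = build_sample(b"\x90" * 64, with_pdb=False)
    print("strings_no_pdb:", indicator_match(stripped)["match"])
```

The repacked variant fails the hash check but still trips the string indicators, which is the point of shipping a YARA rule rather than a hash list. The last line shows the rule's own weak spot: with the PDB path stripped and no export-table check, the string side alone no longer matches, so keep the pe.exports() branch when you deploy the rule.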
News update on SWIFT:
It looks like SWIFT top management is aware of the criticality of the risk. To ensure adoption, SWIFT will start requiring customers to provide detailed self-attestation against the mandatory controls from Q2 2017.
Begin Enforcing Mandatory Security Controls
1. Restrict Internet Access and Segregate Critical Systems from General IT Environment
1.1 SWIFT Environment Segregation
A segregated secure zone safeguards the local SWIFT infrastructure from compromises and attacks from the broader enterprise and external environment.
1.2 Operating System Privileged Account Control
Access to local operating system accounts with system-level administrative rights is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, the accounts are restricted from being accessed.
2. Reduce Attack Surface and Vulnerabilities
2.1 Internal Data Flow Security
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT data flows within the secure zone, and its link to the user PCs.
2.2 Security Updates
All hardware and software inside the secure zone and on user PCs are within the support lifecycle of the vendor, have been upgraded with mandatory software updates, and have had security updates promptly applied.
2.3 System Hardening
Security hardening is conducted on all systems and infrastructure within the secure zone and on user PCs.
3. Physically Secure the Environment
3.1 Physical Security
Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage.
4. Prevent Compromise of Credentials
4.1 Password Policy
All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts.
4.2 Multi-factor Authentication
Multi-factor authentication is used for interactive user access to SWIFT-related applications and operating system accounts.
5. Manage Identities and Segregate Privileges
5.1 User Account Management
Accounts are defined according to the security principles of need-to-know access, least privilege, and segregation of duties.
5.2 Token Management
Authentication tokens are managed appropriately during issuance, revocation, use, and storage.
6. Detect Anomalous Activity to Systems or Transaction Records
6.1 Malware Protection
Anti-malware software from a reputable vendor is installed and kept up-to-date on all systems.
6.2 Software Integrity
A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related applications.
6.3 Database Integrity
A database integrity check is performed at regular intervals on databases that record SWIFT transactions.
6.4 Logging and Monitoring
Capabilities to detect anomalous activity are implemented, and a process or tool is in place to frequently store and review logs.
7. Plan for Incident Response and Information Sharing
7.1 Cyber Incident Response Planning
The organisation has a defined cyber incident response plan.
7.2 Security Training and Awareness
Annual security awareness sessions are conducted for all staff members, including role-specific training for SWIFT roles with privileged access.
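Control 6.2 asks for a regular software integrity check on the messaging and communication interfaces but leaves the mechanism open. As an added example (not part of the post and not SWIFT's own tooling), here is a minimal stand-alone file-integrity baseline in Python: it hashes every file under an install tree, stores the baseline with an HMAC so the baseline file itself cannot be silently rewritten, and reports modified, missing and added files. The install tree, file names and key in demo() are constructed for the demonstration; in practice the key and the baseline belong off the monitored host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA256 so large interface binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA256."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, out: Path, key: bytes) -> None:
    """Write the baseline together with an HMAC over its canonical JSON form.
    Assumption for this example: the key is kept outside the monitored host."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    out.write_text(json.dumps({"files": baseline, "mac": mac}, sort_keys=True))


def load_baseline(path: Path, key: bytes) -> dict:
    """Refuse a baseline whose HMAC does not verify (tampered or wrong key)."""
    doc = json.loads(path.read_text())
    payload = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("baseline file failed integrity check")
    return doc["files"]


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline and report every class of deviation."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: baseline a fake interface install tree, optionally tamper, verify."""
    key = b"example-key-keep-this-off-the-host"  # constructed for the demo
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "swift_interface"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "gateway.exe").write_bytes(b"MZ original gateway code")
        (root / "bin" / "settings.cfg").write_text("mode=prod\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file, key)

        if tamper:
            # Simulated compromise: binary patched, config deleted, unexpected DLL dropped
            (root / "bin" / "gateway.exe").write_bytes(b"MZ patched gateway code")
            (root / "bin" / "settings.cfg").unlink()
            (root / "bin" / "helper.dll").write_bytes(b"MZ unexpected")

        return verify(root, load_baseline(baseline_file, key))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point build_baseline() and verify() at the real interface installation directory rather than the temp tree, schedule the verify step at the interval the control requires, and treat anything under "modified" or "added" as a potential unauthorised change to be reviewed through the logging and monitoring process of 6.4.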
Advisory Security Controls
2. Reduce Attack Surface and Vulnerabilities
2.4A Back Office Data Flow Security
Confidentiality, integrity, and authentication mechanisms are implemented to protect data flows between back office systems or middleware and the secure zone.
2.5A External Transmission Data Protection
Sensitive data leaving the secure zone is encrypted.
2.6A User Session Integrity
The integrity and confidentiality of interactive user sessions connecting to the secure zone are safeguarded.
2.7A Vulnerability Scanning
Vulnerability scanning is conducted within the secure zone and on user PCs using an up-to-date industry-standard scanning tool.
2.8A Critical Activity Outsourcing
Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation.
2.9A Transaction Business Controls
Restrict transaction submission and receipt to the expected bounds of normal business.
5. Manage Identities and Segregate Privileges
5.3A Personnel Vetting Process
Staff operating the locally hosted SWIFT infrastructure are vetted prior to initial employment in that role and periodically thereafter.
5.4A Physical and Logical Password Storage
Any recorded passwords for privileged accounts are stored in a protected physical or logical location, with access restricted on a need-to-know basis.
6. Detect Anomalous Activity to Systems or Transaction Records
6.5A Intrusion Detection
Intrusion detection is implemented to detect unauthorised network access.
7. Plan for Incident Response and Information Sharing
7.3A Penetration Testing
Application, host, and network penetration testing is conducted at least annually within the secure zone and on user PCs.
7.4A Scenario Risk Assessment
Scenario-driven risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation’s security programme.