Cosmos Bank SWIFT/ATM US$13.5 Million Cyber Attack Detection Using Security Analytics

2018-08-28 Securonix

https://www.securonix.com/securonix-threat-research-cosmos-bank-swift-atm-us13-5-million-cyber-attack-detection-using-security-analytics/

Securonix analyzes the August 2018 Cosmos Bank intrusion, in which attackers stole more than US$13.5 million through coordinated ATM and SWIFT abuse. Some sources attributed the activity to the Lazarus Group or the DPRK-linked Hidden Cobra, while the Indian investigation had not confirmed that link, so the attribution remains qualified. The ATM portion involved an earlier malware infection and lateral movement, compromise of the bank's ATM/POS switch, malicious ISO 8583 libraries, process injection, and a parallel malicious switch that authorized withdrawals without forwarding the requests to the core banking system. The SWIFT portion involved likely lateral movement into the bank's SWIFT Alliance Access (SAA) environment and three fraudulent MT103 transfers to a Hong Kong account. The report highlights FASTCash-related indicators, including malware hashes and outbound traffic to 75.99.63.27, and argues that transaction monitoring alone is insufficient without endpoint, network, user, and system behavior analytics.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  timesofindia.indiatimes.com         2018-08-28   2024-10-29
HASH    3a5ba44f140821849de2d82d5a137c3…    2018-08-28   2024-10-13
HASH    10ac312c8dd02e417dd24d53c99525c…    2018-08-28   2024-10-13
HASH    d465637518024262c063f4a82d799a4…    2018-08-28   2021-12-02
HASH    ca9ab48d293cc84092e8db8f0ca99cb…    2018-08-28   2021-12-02
HASH    820ca1903a30516263d630c7c08f2b9…    2018-08-28   2020-03-09
HASH    a9bc09a17d55fc790568ac864e38854…    2018-08-28   2020-03-09
HASH    4a740227eeb82c20286d9c112ef95f0…    2018-08-28   2020-03-09
DOMAIN  economictimes.indiatimes.com        2018-08-28   2019-10-31
HASH    f3e521996c85c0cdb2bfb3a0fd91eb0…    2018-08-28   2018-08-28
HASH    ab88f12f0a30b4601dc26dbae57646e…    2018-08-28   2018-08-28
IPv4    75.99.63.27                         2018-08-28   2018-08-28

The two DOMAIN entries are Indian news outlets cited as sources by the report, not attacker infrastructure, and should not be blocked or alerted on as indicators.
