Interesting Informative Read
Criminals can alter banks’ most sensitive data, allowing fake money transfers and credit card fraud. The global banking system has been compromised by cyber-criminals who have demonstrated they have high-level access that gives them nearly full control to alter data and steal from banks, according to an expert who has been investigating them on the darknet.
Ed Alexander is a cyber HUMINT (human intelligence) specialist and a subject matter expert on the darknet—private forums run by the hackers. Only accessible with special software, the darknet, in addition to legitimate applications, is used by criminal groups to conspire and sell illicit goods.
In a previous interview, Alexander provided Epoch Times with extensive evidence on the current global bank heist. He previously asked to remain anonymous in order to protect his investigations but is now going public in order to expose the two groups of hackers who are behind the attacks.
The cyber attacks relate to a string of heists from banks that were recently breached by hackers, including the $81 million stolen from the central bank of Bangladesh. Alexander has provided evidence that these banks are merely the tip of the iceberg, and that the hackers have found a vulnerability that grants them access to thousands of banks around the world and across the United States.
The cyber attacks began around 2006 when hackers working for the Chinese military acted under state orders to breach critical networks in Mexico. From there, the hackers were able to gain access to the computer systems of a major bank, and then infiltrated a major money transfer network to which the bank—and many other banking institutions—are connected.
The Chinese hackers completed their assignment, and around June 2015 they sold the vulnerability they had exploited to cyber criminals on the darknet. Alexander was able to provide screenshots from posts on a darknet cyber criminal marketplace that was selling access to the Mexican financial networks.
The cyber criminals who purchased the vulnerability from the Chinese hackers are the ones currently carrying out attacks on the global banking system. Alexander provided new evidence showing the cyber criminals have high-level access to the banking networks and that they are using that access to alter data.
Epoch Times spoke with three experts on cyber crime (two on the record, one off the record), who was able to look at the screenshots of the attacks, which had been provided as evidence. In their expert opinions, the screenshots are legitimate and their contents support Alexander’s claims.
According to James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), the screenshots “suggest that an attacker may be exploiting a vulnerability in the system to establish a persistent presence and exfiltrate files.”
“Unless it is patched and the attacker is removed from the system,” Scott said, “the attacker can continue to capitalize on the vulnerability or sell it to other attackers.”
ICIT is a Washington-based cyber security think tank focused on threats to critical infrastructures, such as the financial system.
Based on screenshots provided by Alexander, Scott speculated that the cyber criminals may be using their access to the network as a gateway to other money transfer networks or to spoof money transfer requests to additional banks, allowing the hackers to steal money.
Keith Furst, the founder of Data Derivatives, a consulting firm focused on financial cyber crime, noted the screenshots show the cyber criminals as having very high-level access on the banking networks. When it comes to banks, he said, only top-level permissions can alter data such as that shown in the screenshots, due to risk that a person could, for example, eliminate his or her debt or illegally transfer money.
“If they can change information at this level, it implies they have access to other information,” Furst said.
An Inside Look
The following are screenshots provided to Epoch Times by Alexander, which he said show cybercriminals actively accessing and altering data on networks belonging to UniTeller, a money transfer network owned by Banorte, Mexico’s third-largest bank.
He added red-colored notes on the screenshots to show the timing of the attacks aligns with the current attacks on the global banks.
A screenshot shows cyber criminals stealing data from a bank network. Hackers have breached the global banking system and currently hold high-level access. (Courtesy of Ed Alexander)
The above screenshot allegedly shows the cyber criminals stealing data from a banking network. Alexander said it shows them running a command in a remote host outside the security domain of the bank, and suggests the hackers accessed the data without having direct login credentials to the network.
The vulnerability also lets the hackers send commands to the servers remotely. “Remote code execution allowed the attackers to run any command on the system,” Alexander said. “It also facilitated the upload of other malicious files, which provided greater, more permanent access.”
He noted the screenshot merely captures a single moment in the attack. He said after the hackers ran the command that displayed the data shown in the screenshot, they ran another command that allowed them to tamper with the files and steal data from the system
A screenshot shows cybercriminals manipulating the back-end database system of a banking network. (Courtesy of Ed Alexander)
The above screenshot was the result of the cybercriminals trying to prove they could manipulate back-end database systems on the banking network, which allows them, according to Alexander, “to effectively change credit limits on various card types.”
By changing the limits on the credit cards, the cybercriminals would be able to steal large amounts of money through fraudulent credit card transactions.
“The important thing here is that the attackers had access to the back-end databases and could easily manipulate, change, or destroy the data records and settings of UniTeller at will,” he said.
He said the screenshot was taken on May 26, but noted the March 2 timestamp suggests the cybercriminals could have been altering the system for close to three months.
A screenshot shows the time of the cyberattacks on a critical banking system, and shows the hackers successfully running an exploit on the network. (Courtesy of Ed Alexander)
Alexander said the above screenshot was the result of the cybercriminals showing proof of the time, date, and level of access they had gained to the banking system.
He noted that “along with the date, there was a screenshot returned of the system name string (uname -a command), its IP configuration data (ifconfig command) and a copy of the local password file to that particular server (/etc/passwd).”
A screenshot shows cybercriminals with “root” access to a major financial system. (Courtesy of Ed Alexander)
The above screenshot shows the cybercriminals with “root” (administrative) access to the banking server. It also shows files and directories, which the cybercriminals were allegedly modifying when the screenshot was taken.
“Additionally, it is important to remember again, that the vulnerability being used here was run outside UniTeller’s security domain,” Alexander said. “Thus, the attackers were remotely executing code on that server, as they claimed.”
The above screenshot shows a directory and file structure, which Alexander said was provided by the cyber criminals to show they were able to move between directories.
The cyber criminals were interested in this particular directory, he said, since they claimed it allowed them to access a U.S. bank that UniTeller has a relationship with.
He said this screenshot was also important since the cyber criminals had previously demonstrated “that they had full credentials to UniTeller’s systems and services and had the ability to change them at will.”
He also states that this is only a snapshot in time of a significant cyber crime that is currently in process.
Ref Post: theepochtimes