Today's AppSec News: Bangladesh Bank Hack, NJ Town Victim of Ransomware

By Eric Seymour
March 21, 2016

In today’s news, we have an interim investigative report on the Bangladesh Bank hack, a flaw discovered in Apple’s iMessage encryption, a ransomware attack on the town of Plainfield, N.J., research that finds 24 vehicle keys vulnerable to unlocking, and Google making its binary code analysis tool BinDiff free for security researchers.

The Investigation Continues on the Bangladesh Bank Hack; SWIFT Advises Banks on Security Practices

FireEye and World Informatix, which were both hired to investigate the Bangladesh Bank hack in February, are preparing an interim report that offers a glimpse into how cybercriminals can use banks’ systems against them.

In early February, hackers breached Bangladesh Bank and attempted to steal $951 million from its account at the Federal Reserve Bank of New York; however, only $81 million was transferred to accounts in the Philippines and another $20 million to Sri Lanka.

The interim report said that hackers deployed malware on servers housed at the central bank to make the payments seem genuine. They also sought to cover their tracks by deleting computer logs as they went.

“Malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers,” the interim report said. “The security breach of the SWIFT environment is part of a much larger breach that is currently under investigation.”

In addition, SWIFT, the cooperative and messaging system owned by 3,000 global financial institutions, has announced its plans to ask banks to make sure they are following recommended security practices. SWIFT staff will also begin calling banks to highlight the importance of reviewing security measures after the attack in Bangladesh, a spokeswoman said.

SWIFT has not said much about the attack, except that it was related to “an internal operational issue” at Bangladesh Bank and that there was no compromise in its core messaging system.

This news was covered by Fortune, Bloomberg, Reuters and DarkReading.

Researchers Find Flaw in Apple’s iMessage Encryption

A group of researchers at Johns Hopkins University has found a bug in Apple’s encryption that allows an attacker to decrypt photos and videos sent through iMessage.

To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo. The researchers guessed one of the key’s digits and sent it to the phone. They repeated this process until the full key was obtained. With the key, the team was able to retrieve the photo from Apple’s server without the user knowing.

This specific flaw in the messaging platform would likely not have helped the FBI pull data from the iPhone that belonged to the shooter in the San Bernardino terrorist attack, “but it shatters the notion that strong commercial encryption has left no opening for law enforcement and hackers,” said Matthew D. Green, a computer science professor at Johns Hopkins University who led the research team.

This news was covered on Motherboard, Ars Technica and The Washington Post.

Plainfield, N.J. Targeted in Ransomware Attack

The town of Plainfield, N.J., was the latest victim of a ransomware attack. Officials said that hackers got in when someone was researching grants on the Internet, and then employees of the Mayor’s office were locked out of their own files. The attackers said they would release the files, but only if the city paid 650 euros in bitcoin. However, when the city turned to law enforcement, the hackers vanished.

An FBI special agent noted that ransomware is a growing threat. “Success breeds more activity,” he said. In a nine-month period in 2014, the FBI received 1,838 complaints about ransomware, and it estimated that victims lost more than $23.7 million. The next year, the bureau received 2,453 complaints and victims lost $24.1 million.

This news was covered in The Washington Post.

Research Finds 24 Car Models Open to Unlocking

A group of German vehicle security researchers at the firm ADAC has released new research about a wireless car key hack. ADAC researchers performed a radio “amplification attack” on dozens of cars that “silently extends the range of unwitting drivers’ wireless key fobs to open cars and even start their ignitions,” reported WIRED. The research found that 24 vehicles from 19 manufacturers were all vulnerable, allowing the researchers to both unlock and drive the targeted vehicles.

“This clear vulnerability in [wireless] keys facilitates the work of thieves immensely,” reads a post in German about the researchers’ findings on the ADAC website. “The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner.”

This news was covered in WIRED.

Google Makes Its Security Tool BinDiff Free

Google announced that its binary comparison tool BinDiff can now be downloaded by security researchers for free. BinDiff uses a graph-theoretical approach to compare disassembled code. Researchers use BinDiff to analyze multiple versions of a binary to identify vulnerabilities in patches released by vendors. The tool has also been used to analyze malware. Researchers and engineers can now download BinDiff 4.2 for both Linux and Windows for free from the Zynamics website. This move by Google puts a valuable reverse engineering tool in the hands of more security researchers.

This news was covered on InfoWorld and SecurityWeek.

Eric manages global public relations at Veracode. In this role, he manages all facets of the company’s PR efforts. He brings more than 13 years’ experience in the industry. Prior to Veracode, Eric ran public relations activities for CyberArk across the US, EMEA and APJ.