
The recent attack on Polish banks was part of a new wave of attacks that has targeted financial organizations in 31 countries. The attackers used compromised websites to infect pre-selected targets, a technique known as a "watering hole" attack. The campaign that hit the Polish banks targeted more than 100 financial organizations; however, there is no evidence of funds being stolen from any infected bank.

The attacks came to light when Polish banks discovered that they had been hit by malware served through the website of the country's financial regulator. Once the Polish banks shared indicators of compromise, many other financial institutions confirmed that they too had been compromised.

According to Symantec, these targeted attacks started in October 2016, and Symantec blocked attempts to infect customers in Poland, Mexico, and Uruguay by the same customized exploit kit that infected the Polish banks. The exploit kit is pre-configured to infect only visitors coming from approximately 150 IP addresses. Those IP addresses belong to 104 different organizations spread across 31 countries. Because the kit serves its payload only to those source addresses, anyone else visiting the compromised site sees a clean page, which is one reason such attacks are hard to detect.

The malware used in the attacks, which had not been seen previously, is Downloader.Ratankba. Its purpose is to download other malicious programs that collect information from the infected system. The attacks can tentatively be linked to the Lazarus threat group, since Downloader.Ratankba shares some code with malware previously used by Lazarus, but the link is not confirmed. Lazarus has largely focused on the US and South Korea with aggressive attacks since 2009. The group has been involved in high-level financial attacks before, and a close link has been found between Lazarus and the cyber attack that stole $81 million from Bangladesh's central bank.

There has been a series of high-profile attacks against the banking sector since 2016. This latest attack is a reminder of the growing range of threats facing financial institutions. Symantec stated in its blog post:
"The vast majority of organizations that face recent targeted attacks are financial institutions, with a very small number of telecoms and internet firms also on the list."

How to prevent watering hole attacks?

  1. Watering hole attacks are delivered through trusted third-party websites. All third-party traffic must be treated as untrusted until verified, even if the content comes from a partner site or a government website.
  2. There should be a proper policy for employees who use personal devices for work-related activities, since unmanaged devices make watering hole attacks worse.
  3. Organizations should inspect incoming traffic even when the websites use SSL/TLS encryption, regardless of device or location.
  4. Organizations should use advanced threat protection such as behavioral analysis, since traditional signature-based approaches are less likely to be effective against a customized exploit kit.
  5. Check the security patch installation status, and make sure that all critical patches are installed and maintained in an organized manner, with the necessary precautions.
  6. Run vulnerability scans to ensure that no significant gaps exist.
  7. Always monitor network traffic. The traffic created by the final malware when communicating with its command-and-control servers remains consistent, even though attackers may use different exploits in their attack. By detecting these communications, organizations can readily implement security measures to prevent the attack from escalating further.
  8. Collect any further threat intelligence about the particular attack, review the relevant areas, and address the gaps on an emergency basis.
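Point 7 above rests on the observation that the downloader's command-and-control traffic stays regular while the delivery exploit changes. The script below is an added example (not code from the article, Symantec, or any security product) showing one way to turn that observation into a detection: it parses constructed proxy log lines and flags client/destination pairs whose connection intervals are too regular to be human browsing. The log format (timestamp, client IP, destination host), the hostnames and the thresholds are all assumptions made for the example; no indicator from the actual campaign is used.

```python
"""Beacon detection over proxy logs (added example, not from the article).

Assumed log format, one event per line: ISO-8601 timestamp, client IP,
destination host. All lines below are constructed; 'update-cdn.example'
stands in for an unknown C2 host and is not a real indicator.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host contacted every ~300 s (a beacon), one host
# browsed irregularly, and one host with too few events to judge.
SAMPLE_LOG = """\
2016-10-12T09:00:00 10.1.2.15 www.example.org
2016-10-12T09:00:00 10.1.2.15 update-cdn.example
2016-10-12T09:00:03 10.1.2.15 www.example.org
2016-10-12T09:00:45 10.1.2.15 www.example.org
2016-10-12T09:05:01 10.1.2.15 update-cdn.example
2016-10-12T09:07:12 10.1.2.15 www.example.org
2016-10-12T09:07:13 10.1.2.15 www.example.org
2016-10-12T09:09:59 10.1.2.15 update-cdn.example
2016-10-12T09:10:30 10.1.2.33 update-cdn.example
2016-10-12T09:15:02 10.1.2.15 update-cdn.example
2016-10-12T09:20:00 10.1.2.15 update-cdn.example
2016-10-12T09:24:58 10.1.2.15 update-cdn.example
2016-10-12T09:30:01 10.1.2.15 update-cdn.example
2016-10-12T09:31:40 10.1.2.15 www.example.org
2016-10-12T09:32:05 10.1.2.15 www.example.org
2016-10-12T09:35:00 10.1.2.15 update-cdn.example
2016-10-12T09:40:11 10.1.2.33 update-cdn.example
"""


def parse_log(text):
    """Group event timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps, min_events=6):
    """Return (event_count, mean_gap_seconds, coefficient_of_variation).

    The coefficient of variation (stdev / mean of the inter-arrival gaps)
    is near 0 for a fixed-interval beacon and large for human browsing.
    Returns None when there are too few events to judge.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return len(ts), avg, pstdev(gaps) / avg


def find_beacons(text, max_cv=0.2, min_events=6):
    """Flag (client, host) pairs whose connection timing is suspiciously regular."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_events)
        if score is not None and score[2] <= max_cv:
            hits.append((client, host, score))
    return hits


if __name__ == "__main__":
    for client, host, (count, avg, cv) in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {count} events, every {avg:.0f}s, cv={cv:.3f}")
```

Regular timing alone also matches legitimate pollers (update checks, monitoring agents, NTP-like traffic), so in practice the flagged destinations are triaged against domain age, reputation and whether the same host appears across several internal clients, as the shared indicators in the campaign above allowed other banks to do.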
Disclaimer:

Secure Reading has no confirmed sources for the information shared in the above news/articles. It relies on various unconfirmed inputs, social media claims, and websites for its content, and cannot guarantee the accuracy, timeliness, and genuineness of the same. If there is any error in the news, once it is brought to our attention with relevant evidence, Secure Reading is willing to make the necessary corrections as applicable.