Case Summary [Case 4]
Latar Belakang:
Bank Nexus adalah salah satu bank besar di Indonesia yang menyediakan berbagai layanan perbankan untuk nasabah individu dan korporat. Pada tahun lalu, Bank Nexus mengalami serangan ransomware yang signifikan yang mengakibatkan gangguan operasional besar dan kerugian finansial yang cukup besar. Kasus ini bertujuan untuk menganalisis insiden tersebut, mengidentifikasi kerentanan, dan memberikan rekomendasi untuk mencegah kejadian serupa di masa depan.Tujuan Analisis:
Analisis ini bertujuan untuk mengevaluasi insiden ransomware yang dialami oleh Bank Nexus, mengidentifikasi titik lemah dalam sistem keamanan mereka, dan memberikan rekomendasi untuk meningkatkan postur keamanan siber bank guna mencegah serangan serupa di masa depan.
Read more at : https://s3.encrypt0r.my.id/ctia-1/case4.pdf
*) Disclaimer: This intelligence report are used for educational purposes only
*) Mirror: https://blog.encrypt0r.my.id/ctia-1
Threat Definition
Ransomware attacks are a significant cybersecurity threat involving malicious software that encrypts a victim’s data. Traditionally, ransomware focused solely on encrypting victims data, but modern variants have evolved to include threats of leaking personal or business information (e.g., identity numbers, addresses, passwords, business plans, etc.). The primary motive behind ransomware attacks is financial gain. Attackers demand a ransom from the victim in exchange for decryption keys or to prevent the public release of the stolen data. But financial gain are not the only motives, ransomware can also used for Ideology and Political moves for exchange of nation or organizational actions. Since the target is a Banking organization, threat actor can be an individual hacker and cyber-criminal gang with the financial gain motives.
Risk Analysis
With the outstanding vulnerability that Nexus Bank have, we’ve analyzed that threat actor may leverage this vulnerability:
- Phishing Susceptibility
Threat actor could send a malicious phishing email that contains malware or any fake pages to gather employee data. This type of threat are likely could be happening, since human are the weakest chain of security. - Backup Strategy
Since this organization doesn’t isolate the backup server threat actor may encrypt this backup file that affecting the DRP (Data Recovery Plan). This type of threat may happen if adversaries already have an initial access to the network. - Patch Management
Many third-party application are affected by unknown exploit (zero-day) that unreported, or there’s ongoing patch. if systems are not updated frequently, this can help threat actor to exploiting our systems easily. This threat somewhat could be happen, depends on the third-party software that company used. - Low Employee Discipline and Oversight
May be used by the threat actor to gain an initial access to the systems and this threat could support any breach to be possible.
With four outstanding vulnerability above, there are potential impact, such as:
- Financial
Organizations will incur both direct and indirect losses. Examples of direct losses include the payment of the ransomware decryption key, while examples of indirect losses include recovery costs, data loss, and security expenses. - Reputation
Because this company operates in the banking sector, customer trust is the most important commodity, so a ransomware incident like this can reduce customer confidence in Nexus Bank’s ability to protect customer data and assets. then negative publications from the media will damage the image of Nexus Bank in the eyes of the public and business. - Operation
Ransomware that encrypts banking data has the most significant impact, as this threat can disrupt business processes, including customer transactions, data processing, and online services. Additionally, the recovery process from such a ransomware attack can be time-consuming and significantly disrupt operations.
Tactics and Techniques
- Phishing [T1566.001, T1566.002, T1566.003]
Adversaries typically send emails that appear legitimate, often posing as verified institutions or individuals. These emails contain malicious links or attachments that can execute harmful commands on the infected computer. - Malware [T1105, T1486, T1070.004, T1204.002]
Adversaries often deploy malware through a dropper, a malicious program designed to install other harmful components. Traditionally, this malware would encrypt data on the target system, holding it for ransom. However, more recent trends show adversaries increasingly using stealer malware, which is designed to capture and exfiltrate specific, sensitive data such as login credentials, financial information, or proprietary business documents. This shift towards data theft highlights the growing complexity and dual nature of modern cyber threats, where attackers not only disrupt business operations through encryption but also compromise sensitive information. - Vulnerability Exploitation [T1190, T1133, T1021.001, T1071.001]
Adversaries gain initial access by exploiting vulnerabilities in outdated software. Once they have this initial access, they can deploy malicious software and perform lateral movement, spreading from one server to another within the same network, including backup servers. This allows them to infiltrate deeper into the network, potentially compromising critical systems and data across the entire organization. This underscores the importance of regular software updates and patch management to mitigate the risk of such exploits and to safeguard the network’s integrity.
Mitigation and Responses
Mitigations
- Security Awareness
Human resources are crucial in the cybersecurity chain, so the earliest mitigation is to conduct cybersecurity training for all employees with a focus on understanding phishing concepts and good security practices. - Firewall, IDS and IPS
To add a layer of security, a firewall is needed to block unauthorized access to the internal network. Additionally, IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are required to detect and stop attacks before they reach the internal network. - Data Encryption
Apply encryption to sensitive data in both backup storage and transmission over the network to reduce the impact of data theft. - Encrypted and Isolated Backup
Regular backups should be conducted in physically and network-isolated locations to ensure data accessibility. Additionally, backups should also be encrypted to reduce the impact of data theft from backups. - Patch Management
Monitor third-party devices for zero-day exploits. If a vulnerability is discovered and no mitigation steps are available from the third party, the organization can use filtering or reroute services to avoid exploitation from the zero-day. - Least Privilege RBAC
Limit employees’ access to the systems, allowing them to access only the data and applications that necessary for their job.
Detection and Responses
- IDS and IPS
Use IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) to detect and respond to suspicious and malicious network threats in real-time. - Network Monitoring
Conduct network monitoring to detect anomalies in network traffic that indicate attacks, with a priority on detecting ransomware attacks. - Endpoint Detection and Response (EDR)
For enhanced security, utilize EDR to monitor employee endpoints for suspicious or malicious activities. - Threat Intelligence
Leverage threat intelligence services to obtain information on current attack trends and techniques, enabling faster and more effective security planning. - Incident Response Plan
Develop and implement an incident response plan that encompasses identification, analysis, mitigation, and recovery, specifically for ransomware attacks. This plan should include clear protocols for detecting ransomware, assessing the scope and impact, containing the threat, eradicating the malware, and restoring normal operations with minimal disruption. - Forensics
Conduct forensic analysis to identify the initial access points used by adversaries and develop preventative measures for the future. This analysis will help in understanding how the attack was carried out, identifying vulnerabilities exploited, and gathering evidence to improve security defenses. - Strengthen Security Posture
Review and enhance security policies, procedures, and technical controls based on the findings from incidents to prevent future attacks. Regularly update and test these measures to ensure they remain effective against evolving threats. This continuous improvement process is critical in maintaining a robust security posture.
Real case based on this study
Bank Syariah Indonesia (BSI)
Actor: LockBit Gang
Source: https://securityscorecard.com/research/lockbit-claims-ransomware-attack-against-southeast-asian-bank/
Banten Regional Development Bank
Actor: MEDUSA, RansomHouse
Source: https://www.hookphish.com/blog/ransomware-ransomhouse-group-hits-bank-pembangunan-daerah-banten-tbk-pt/ ; https://twitter.com/H4ckManac/status/1772958221075992738
Strategic Insight
- Invest on Detection and Responses solution
Investing in advanced detection and response solutions, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Endpoint Detection and Response (EDR) tools, is crucial for identifying and mitigating threats in real-time. These technologies help in monitoring network traffic, detecting anomalies, and responding promptly to security incidents, thus reducing the potential impact of attacks. - Develop and maintenance internal security team
Building and maintaining a skilled internal security team is essential for robust cybersecurity. This team should consist of experts in various domains, including threat analysis, incident response, and forensic investigation. Continuous training and development ensure the team stays updated with the latest threat landscapes and security practices, enabling them to effectively safeguard the organization’s assets. - Collaborating with the threat intelligent services
Collaborating with threat intelligence services provides access to the latest information on emerging threats, attack vectors, and adversary tactics. By integrating threat intelligence into security operations, organizations can proactively identify and mitigate potential threats, enhance situational awareness, and make informed decisions to strengthen their defense strategies. - Implement the latest security infrastructure (e.g. Zero Trust)
Adopting the latest security infrastructure, such as the Zero Trust model, enhances the organization’s security posture. Zero Trust principles assume that threats can exist both inside and outside the network, requiring verification of every user and device attempting to access resources. This approach minimizes the risk of unauthorized access and lateral movement within the network, ensuring comprehensive protection. - Invest on Security Awareness
Investing in security awareness programs is vital for building a culture of security within the organization. Regular training and awareness campaigns educate employees about the importance of cybersecurity, common threats, and best practices for protecting sensitive information. An informed workforce can act as the first line of defense against cyber threats, reducing the likelihood of successful attacks.
Conclusion
To enhance cybersecurity and prevent future ransomware attacks, Nexus Bank should implement the comprehensive measures outlined in this analysis. In the short term, the immediate adoption of strict patch management policies is crucial. Conducting thorough system audits will ensure that all software remains up-to-date, thereby mitigating vulnerabilities that adversaries could exploit. Additionally, providing cybersecurity training for all employees is essential, with a particular focus on recognizing and preventing phishing emails, which are common vectors for ransomware.
In the long term, Nexus Bank should invest in Endpoint Detection and Response (EDR) solutions to continuously monitor and detect suspicious activities on endpoints, allowing for prompt response to threats. Establishing and training an internal cybersecurity team dedicated to monitoring, detecting, and responding to security incidents will further bolster the organization’s defenses. Collaboration with threat intelligence service providers is essential for staying informed about current threats and attack techniques, enabling proactive threat management.
Additionally, implementing a Zero Trust security model will ensure that every access request within the network is strictly verified, preventing unauthorized access. Developing a continuous cybersecurity awareness program will foster a culture of security within the organization, ensuring that all employees remain vigilant and informed about the latest threats and best practices.
By following these strategic recommendations, Nexus Bank can significantly reduce the risk of ransomware attacks and ensure preparedness for future cyber threats. These steps will help build a stronger and more proactive security posture, safeguarding the organization’s critical assets and data.
Additionally, implementing a Zero Trust security model will ensure that every access request within the network is strictly verified, preventing unauthorized access. Developing a continuous cybersecurity awareness program will foster a culture of security within the organization, ensuring that all employees remain vigilant and informed about the latest threats and best practices.
By following these strategic recommendations, Bank Nexus can significantly reduce the risk of ransomware attacks and ensure preparedness for future cyber threats. These steps will help build a stronger and more proactive security posture, safeguarding the organization’s critical assets and data.