Banco de Chile victim of a devastating wiper attack, money allegedly stolen

On May 24 computers in Banco de Chile offices and branches suddenly rebooted and their screens turned black. Local media outlets reported that bank branches could not operate because their workstations were broken. Banco de Chile was quick to acknowledge the issues and recommended using online and mobile banking, which operated without interruption.

The bank also issued a formal statement to inform its customers that their funds were safe.

Incident analysis

We decided to look deeper into this incident and quickly identified a blog post which included a picture of a computer screen in the bank's offices.

It looks like something destroyed the MBR, so the computers cannot boot. After a few days of research we were able to confirm that around 10,000 Windows computers and servers were destroyed by a very simple piece of malware. We also identified a post on a Chilean forum where one of the users published a chat log with someone claiming insider knowledge, mentioning 9,000 PCs and 500 servers destroyed by the attack throughout Chile.

Banco de Chile confirmed it was a virus attack, but did not provide any further explanation of the circumstances of the incident.

Trend Micro published a good analysis of the file responsible for the data destruction. Based on the information we have been able to gather so far, the malicious file is a very simple tool: it just damages the MBR and reboots the computer. It was allegedly deployed via an antivirus update mechanism.

Money stolen?

Why would anyone just destroy thousands of a bank's workstations? While we kept looking for further clues we found an interesting tweet by a local journalist claiming that USD 11 million was stolen from the bank at the same time the wiper destroyed the workstations.

While the journalist claims it could have been an inside job, we also found out that some artefacts of a well-known Lazarus toolset were allegedly identified in the bank's systems. Trend Micro believes that a wiper variant was connected to the foiled heist in Mexico in January. We have no knowledge of a connection between the alleged unauthorised transfers and the wiped workstations, but the two incidents could have something in common. The investigation continues and we hope to learn more in the future.

Alleged wiper file analysis on VT

Plug-ins for Shops Handling Przelewy24 with Critical Security Gaps

What can be worse than a leaky plug-in? Perhaps many leaky plug-ins supplied by one vendor, installed in several places and responsible for handling financial transactions.


Errors, threats and extortion – history of a bank hack part three

This is the epilogue of the Polish bank heist story, in which one of the hackers gets caught by the police.

The Polish police never cease to surprise. Another administrator of the ToRepublic forum has been detained by the police. This time it was Polsilver, who six months ago stole money from Plus Bank.

Errors, threats and extortion – history of a bank hack part two

In this episode of the Polish bank heist we describe the actions taken by the criminals after the bank they hacked refused to pay the ransom they demanded.

The ultimatum presented to Plus Bank by the criminals who robbed it has expired. The attacker, who apparently did not receive the ransom, has published data on hundreds of business accounts belonging to Plus Bank customers.