Banrisul Website Taken Over By Hackers, SSL Helped Mask The Attack.
Dmitry Bestuzhev and Fabio Assolini from Kaspersky Lab presented their investigation of an attack against a Brazilian bank, Banrisul, at this week’s Security Analyst Summit, a conference organized by Kaspersky and held in St. Maarten (presentation not available online).
They described the attack as “a bad guy’s dream coming true.”
In October 2016, the Brazilian bank’s website was entirely taken over by hackers for one afternoon. The attackers had totally compromised the bank’s DNS, rerouting and intercepting traffic from all 36 of the bank’s domains, including their online banking and point-of-sale transactions. In addition to phishing customers’ credentials and activity, the attackers also distributed malware to visitors.
Wired summarized the attack:
“Absolutely all of the bank’s online operations were under the attackers’ control for five to six hours,” says Dmitry Bestuzhev, one of the Kaspersky researchers who analyzed the attack in real time after seeing malware infecting customers from what appeared to be the bank’s fully valid domain. From the hackers’ point of view, as Bestuzhev puts it, the DNS attack meant that “you become the bank. Everything belongs to you now.”
Kaspersky did not reveal what bank was attacked. However, thanks to certificate transparency records, we can easily identify the bank by comparing issued certificates to the details Kaspersky did disclose.
The target was Banrisul, a major bank in Southern Brazil with over $25 billion in assets and 500 branches. According to Kaspersky, the bank has yet to disclose the attack. These were the two certificates issued by the attackers.
SSL Certificates Used in Major Bank Hack
The attackers used certificates from Let’s Encrypt to make the take-over look more legitimate. This allowed them to serve HTTPS pages, which users should be looking for when logging into a bank, and control the keys needed to decrypt the data.
In this scenario, where an attacker controls your DNS, the attacker can easily request and confirm certificates. From a CA’s perspective, you are the owner of that host at that time, and issuing a certificate would be compliant with industry standards. Most CAs would have done the exact same thing.
However, Let’s Encrypt has obviously become a popular tool for criminals: its certificates are free, which makes it easy to use the service anonymously, and it has a policy against flagging or blacklisting high-risk requests.
To the average user, they were on the right website, with an HTTPS connection, and everything looked the same. How could they have possibly known that an attacker had fully hijacked the site?
An unrealistically cautious and tech-savvy user could have noticed something was wrong by looking at the DNS records or by noticing that the site had suddenly switched CAs. But with such a perfectly executed attack, nothing would have spurred a user to check those details.
How could the bank have protected itself? For starters, better control and oversight of their DNS is crucial. Assolini noted that the bank did not use the two-factor authentication option available from the DNS provider, which would have made it significantly more difficult to take over the account.
Banrisul could have also strengthened their HTTPS configuration. HTTP Public Key Pinning (HPKP) is an optional security feature for SSL/TLS that is implemented as an HTTP header. It allows a website to provide clients with a set of public keys that are authorized for HTTPS connections. If a client that has stored those pins connects to the site again and receives a certificate chain that matches none of them, it refuses the connection.
HPKP is one of the more difficult security measures to set up, because it can backfire if it is configured improperly or if your keys are poorly managed. However, it also protects websites in this exact scenario, where a hostile attacker controls your network and can issue certificates in your name (or downgrade to HTTP), or when a CA mis-issues a certificate. Users who had previously visited Banrisul’s website (which would have been the majority of their customers) would have been protected from this attack if HPKP had been deployed.
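To make the pinning mechanism concrete, here is an added Python model of both sides of HPKP (example code, not from the article, the bank, or any browser): the server builds a Public-Key-Pins header, the client notes it under the RFC 7469 rules (a max-age and a backup pin are required, otherwise the header is ignored), and a later chain signed with different keys, like the attacker-issued certificates described above, fails pin validation. The SubjectPublicKeyInfo byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; a real
# client extracts these from the certificates in the served chain.
BANK_LEAF_SPKI = b"constructed-spki:bank-leaf-key"
BANK_BACKUP_SPKI = b"constructed-spki:bank-offline-backup-key"
ATTACKER_LEAF_SPKI = b"constructed-spki:attacker-leaf-key"
ATTACKER_CA_SPKI = b"constructed-spki:attacker-issuing-ca-key"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_pkp_header(spkis, max_age: int) -> str:
    """Server side: the Public-Key-Pins header value the site would send."""
    pins = "; ".join('pin-sha256="%s"' % spki_pin(s) for s in spkis)
    return "max-age=%d; %s" % (max_age, pins)


def parse_pkp_header(header: str) -> dict:
    """Client side: extract the pins and max-age from the header value."""
    pins, max_age = [], None
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive)
        if m:
            pins.append(m.group(1))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
    return {"pins": pins, "max_age": max_age}


def note_pinned_host(header: str, chain_spkis):
    """RFC 7469 section 2.5: remember the pins only if max-age is present, the
    served chain matches a pin, and a backup pin absent from the chain exists."""
    pkp = parse_pkp_header(header)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not pkp["max_age"] or not chain_pins & set(pkp["pins"]):
        return None
    if not set(pkp["pins"]) - chain_pins:
        return None  # no backup pin: the header must be ignored
    return pkp


def pin_validates(pinned: dict, chain_spkis) -> bool:
    """Later connection: allowed only if some served SPKI matches a noted pin."""
    return any(spki_pin(s) in pinned["pins"] for s in chain_spkis)
```

A client that has noted the bank's pins rejects the attacker's chain even though that chain carries a valid certificate from a publicly trusted CA, which is precisely the situation the DNS takeover created.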
Certificate Authority Authorization (CAA) is another measure intended to protect websites from hostile issuance. It allows a domain to choose which CAs may issue certificates for it, and each CA checks this before issuing a certificate for that domain. But CAA is set as a DNS record, and in this case, the attackers may have been able to circumvent this protection even if it had been used.
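The CAA check a CA performs, as an added Python example that is not code from the article or from any CA: it climbs to the closest ancestor holding CAA records (RFC 8659), applies issue and issuewild rules, and refuses on an unrecognized critical tag. The zone data and the name bank.example are constructed assumptions, not the bank's real DNS; running the same check over a zone whose CAA record has been replaced shows why the caveat above holds.

```python
# Constructed zone data standing in for what a CA's resolver returns; the
# names and records are assumptions, not the bank's real DNS.
ZONE_CAA = {
    "bank.example": [
        (0, "issue", "digicert.com"),
        (0, "issuewild", ";"),  # no CA may issue wildcard certificates
        (0, "iodef", "mailto:security@bank.example"),
    ],
}


def relevant_caa_rrset(name, zone):
    """RFC 8659 section 3: the CAA RRset of the name itself, otherwise that of
    the closest ancestor holding one; empty if none exists up to the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(name, ca_domain, zone):
    """Decide whether the CA identified by ca_domain may issue for name."""
    wildcard = name.startswith("*.")
    # the wildcard label is stripped; the check runs against the base name
    rrset = relevant_caa_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in ("issue", "issuewild", "iodef"):
            return False  # critical property the CA does not understand
    tags = [t for _, t, _ in rrset]
    if wildcard and "issuewild" in tags:
        governing = "issuewild"  # issuewild overrides issue for wildcards
    elif "issue" in tags:
        governing = "issue"
    else:
        return True  # only iodef (or similar) present: no issuance restriction
    for _, tag, value in rrset:
        if tag == governing:
            # value may carry parameters after ';', e.g. "ca.example; account=1"
            issuer = value.split(";", 1)[0].strip().lower()
            if issuer == ca_domain.lower():
                return True
    return False  # value ";" or only non-matching CAs listed
```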
Users should know something is wrong when a site handling sensitive data (like a bank or an email service) isn’t using HTTPS. Criminals have clearly caught on to this, and are taking the extra time to mask their attacks with SSL certificates. As the internet moves towards HTTPS, it’s clear that major sites will need to go further than just deploying HTTPS in order to protect themselves from sophisticated attacks such as these.