Ugandan banks that were targeted in the SIM card fraud, which led to the theft of about Shs 5bn this past week, ignored an ‘information security vulnerability alert’ issued by a government agency, Chimp Corps exclusively report.
“A North Korean group known as BuggleBoys is targeting financial sectors across the globe using a Remote Access Tool (RAT) malware for exploiting weak network and system defenses,” a warning issued by government’s cyber team, Cert, said in an advisory to financial institutions in the country on September 7, 2020.
Stanbic Bank Uganda, MTN Uganda and Airtel Uganda said in a joint statement to the public and their customers that on Saturday 3 October 2020, a “third-party service provider experienced a system incident which impacted Bank to Mobile Money transactions.”
All Bank to Mobile Money/Wallet services were subsequently suspended.
The telecoms and Stanbic Bank said “this system incident has had no impact on any balances on both Bank and Mobile Money accounts.”
However, the truth is that money was lost when fraudsters hacked into the aggregator company Pegasus and authorised banks to release the money to ‘cloned’ SIM cards; the money was then quickly picked up from agents across the country in a shocking heist.
For example, Stanbic is said to have lost close to 3 billion between Friday and Sunday last week. Bank of Africa and Equity Bank are said to have been affected too.
Pegasus has for years developed solutions, including mobile money aggregation, mobile payments and remittances, loans and savings, software development and value added services such as SMS, airtime and data loading.
Its flagship product, the PegPay payments platform, is currently being used by several institutions, including banks, telecoms, utility companies, retailers, pay-TV providers and schools, to aggregate and manage financial transactions for both internal and external purposes.
ChimpReports has learned that less than a month before the hacking, the Uganda National Computer Emergency Response Team (Cert.Ug) issued an information security vulnerability alert warning financial institutions of a possible attack by cyber fraudsters.
The note identified the target as the financial sector (including banking, fintech, microfinance, investment firms, insurance companies, mobile money, money transfer, money exchange, etc.).
Cert, which is run by government’s finest tech gurus, emphasised that the risk rating was “HIGH” due to the “attack techniques used.”
The government said the goal of the BuggleBoys is to “plant backdoors in financial institutions networks to steal credentials, capture screen activity and log keystrokes.”
The impact, according to Cert, was that “the malware is used as a reconnaissance tool and has the ability to steal credentials for critical systems as well as maintain the attacker’s presence on the network through a backdoor. This can potentially allow the attacker to perform multiple attacks on a target institution with a primary objective of stealing enormous amounts of money.”
Cert further emphasised that, “The group behind the financial sector targeted attacks is purely financially motivated.”
To prevent or mitigate the impact of compromise, Cert advised financial institutions to strengthen e-mail security and undertake periodic user awareness and training on the dangers of email phishing.
Financial institutions and telecoms were told to ensure “strong network security controls” are “implemented and existing ones should be enhanced.”
Endpoint security was to be updated continuously.
Police are trying to establish the masterminds of the cyber-attack. It remains to be seen if the BuggleBoys were behind the scam.
What we know is that under the mobile money aggregation solution, Pegasus’s PegPay is able to collect money through USSD, a mobile application or a web application.
Organizations are also able to effect payments to their end user beneficiaries, either using the Pegasus platform or through their own platforms after being integrated with an Application Programming Interface (API).
The mobile payments and remittances solution on the other hand enables organizations to effect mobile payouts in bulk.
If this platform is compromised, organisations can be duped into sending money to the wrong recipients.
Preliminary information obtained by this website indicates that Pegasus is very good at innovation, but it seems it was outsmarted by hackers on the security aspects.
“Pegasus officials are former programmers who did online payment innovations of aggregation. There could have been a problem with management of their teams,” said a source who’s informed about the fraud.
Investigators suspect a former or disgruntled employee of Pegasus could have been part of this cyber fraud.
“All frauds that have happened at banks on these online payments systems are traceable back to the aggregators,” said a source, who preferred anonymity to speak freely.
“One particular one I know chaps were nabbed after a forensic audit. They were former employees of an aggregator who created a chain and involved telecom engineers. It’s that bad.”
Fredrick Tumusiime, one of the victims of the fraud, said he approved a Shs 65,000 VISA transaction on Saturday afternoon.
“The SMS and email from the bank indicated Shs 6.5 million,” said Tumusiime, emphasising, “There’s a big problem we’re not being told.”
“How is 100 times possible? The money is now hanging somewhere. Unavailable,” wondered Tumusiime.
Officials told ChimpReports that since most of the banking infrastructure is owned by the banks, they will most times be reluctant to let someone else in, and they also wouldn’t want to admit an attack.
Most of the cyber-attacks go unreported, undermining efforts to counter this serious problem.
The National Information Technology Authority (NITA) is said to be working through the Uganda Bankers Association to allow banks to utilize some of the facilities owned by government, and is also dealing with some of them directly.
Some services being offered by NITA include the ICT forensic lab, which was recently upgraded.
“I think the issue mostly is when there is no continuous improvement on the controls. It’s not the systems but rather the controls. Because these hackers get smarter every day,” said an IT expert who preferred anonymity as he is not authorised to speak to the media.
The financial services sector has since been told to make use of the Computer Emergency Response Team (CERT) and forensic services.
Financial Intelligence Authority (FIA) boss Sydney Asubo recently warned about the financial sector volatility and terrorist financing, saying wrong groups were using illicit means to raise funds.
How cloning helps in cyber fraud
The cloning attack uses smart card copying software to carry out the actual duplication of the SIM card, thereby enabling access to the victim’s international mobile subscriber identity (IMSI) and master encryption key.
Since the information is burnt onto the SIM card, physical access to it is a requirement.
That means taking the SIM card out of the mobile device and placing it into a card reader that can be attached to a computer where the duplication software is installed.
In this case, over 2,000 cloned SIM cards were used.
SIM cards can also be hacked remotely if the attacker can abuse over-the-air (OTA) communication to break the encryption that protects updates sent to the SIM via SMS.
After the initial stealthy SIM replication takes place, the attacker inserts that SIM into a device they control. Next, the victim has to be contacted.
The ruse may begin with a seemingly innocuous text message to the victim asking them to restart their phone within a given period of time. Then, once the phone is powered off, the attacker starts their own phone before the victim restarts and, in doing so, initiates a successful clone followed by an account takeover.
Once the victim restarts their phone, the attack is complete, and the attacker will have successfully taken over the victim’s SIM and phone number and can use it even for mobile money transactions and calls.
Though the techniques are different, the end result of SIM cloning is the same: a compromised mobile device. Once this happens, the victim’s device can no longer make calls or send and receive text messages. All phone calls and text messages are delivered to the new device associated with that SIM — the attacker’s phone. The attacker in turn can use the acquired SIM for a variety of malicious purposes.
Why would attackers want your phone number?
Once a SIM is cloned, threat actors can potentially gain access to the victim’s account information, financial information and personally identifiable information (PII).
Many sensitive accounts, including banking applications, use SMS or a call as part of their multifactor authentication (MFA) formats. By hijacking the victim’s phone number, the attacker can now log in to these accounts even without a password.
Cert has since advised financial institutions to monitor network hosts for vulnerabilities and insecure protocols/services, adding, “network segmentation should be adopted to isolate critical network segments and threat detection tools should be implemented to identify and stop cyber-attacks.”