It turned out to be a busy week in SOCs all across Poland. About a week ago, one of the banks detected strange malware present in a few workstations. Having established basic indicators of compromise, the information was shared with other banks, who started asking their SIEMs for information. In some cases the results came back positive.
Preliminary investigation suggests that the starting point for the infection could have been located on the webserver of Polish financial sector regulatory body, Polish Financial Supervision Authority (www.knf.gov.pl). Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious payloads on selected targets.
While we have no idea of attackers motivation, so far we have no knowledge of any direct financial losses incurred by banks or their customers due to this attack. What is more troubling, some of the victims were able to identify large outgoing data transfers.
While this should not come as a surprise, this incident defines the statement “you are going to get infected”. Polish financial sector has some of the best people and tools in terms of security and still it looks like the attackers achieved their objectives to breach it without major hurdles. On the good side – they were detected and once notified banks were able to quickly identify infected machines and suspicious traffic patterns.