| Recurring | multiple_organization |

(a) The software failure incident related to the DNS hijacking attack on a Brazilian bank is a unique case described by Kaspersky researchers as unprecedented in terms of wholesale bank fraud [50537]. This incident involved hackers rerouting all of the bank's online customers to fake websites, stealing login credentials, redirecting transactions, and even compromising email communication. The attack resulted in the hackers gaining complete control over the bank's online operations for several hours, leading to potential theft of sensitive customer information and financial data.

(b) The article mentions previous incidents involving DNS attacks, such as the Syrian Electronic Army altering the DNS registration of The New York Times and the Mirai botnet attack on the DNS provider Dyn [50537]. These incidents highlight the vulnerability of DNS infrastructure to malicious attacks and the potential for widespread disruption across various organizations and services. The Brazilian bank attack, although unique in its scale and impact, underscores the broader threat posed by DNS hijacking and the need for enhanced security measures to protect against such attacks.
| Phase (Design/Operation) | design, operation |

(a) The software failure incident in the article can be attributed to the design phase. The incident involved a sophisticated attack where hackers rerouted all of a Brazilian bank's online customers to fake websites by changing the Domain Name System (DNS) registrations of all 36 of the bank's online properties. This allowed the hackers to steal login credentials and even redirect transactions at ATMs or point-of-sale systems to their own servers, collecting credit card details. The attackers compromised the bank's account at Registro.br, the domain registration service of NIC.br, which managed the DNS for the bank, enabling them to change the registration for all of the bank's domains simultaneously [50537].

(b) The software failure incident can also be linked to the operation phase. During the attack, the bank lost control of its domains for around five to six hours, leading to a complete takeover by the hackers. The bank was unable to send emails to customers to alert them about the incident, indicating a disruption in normal operations. Additionally, the spoofed websites not only engaged in phishing but also infected victims with malware that harvested various credentials and disabled antivirus software. This operational failure resulted in a significant impact on the bank's ability to communicate with customers and maintain the security of its online operations [50537].
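The incident's defining signal was that the delegations of all of the bank's domains changed at the registrar at the same time. The following added example (not code from the article, the bank, or Kaspersky) shows the defender-side control that catches that pattern: compare the nameservers observed for each domain against a known-good baseline and escalate when a large share of the fleet drifts together. The domain names, nameservers, snapshots and the 50% threshold are constructed assumptions.

```python
"""Fleet-wide DNS delegation drift check (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed baseline: the nameservers each domain is expected to delegate to.
BASELINE = {
    "examplebank.example": {"ns1.examplebank.example", "ns2.examplebank.example"},
    "online.examplebank.example": {"ns1.examplebank.example", "ns2.examplebank.example"},
    "cards.examplebank.example": {"ns1.examplebank.example", "ns2.examplebank.example"},
    "invest.examplebank.example": {"ns1.examplebank.example", "ns2.examplebank.example"},
}


@dataclass
class DriftReport:
    drifted: dict = field(default_factory=dict)  # domain -> observed NS set
    fleet_alert: bool = False                    # True when drift is fleet-wide


def check_delegation(observed, baseline=BASELINE, fleet_threshold=0.5):
    """Compare observed NS sets with the baseline.

    `observed` maps domain -> set of nameservers seen from an independent
    resolver (here a constructed snapshot). A domain whose observed set differs
    from its baseline counts as drifted; a domain missing from the snapshot also
    counts. When the drifted fraction reaches `fleet_threshold` (assumed 50%),
    the report is marked fleet-wide: the signature of a registrar-account
    takeover rather than a single misconfigured zone.
    """
    report = DriftReport()
    for domain, expected in baseline.items():
        seen = set(observed.get(domain, ()))
        if seen != expected:
            report.drifted[domain] = seen
    report.fleet_alert = len(report.drifted) / len(baseline) >= fleet_threshold
    return report


# Constructed snapshots: one normal, one mirroring a registrar-level takeover
# in which every domain now delegates to attacker-controlled nameservers.
SNAPSHOT_NORMAL = {d: set(ns) for d, ns in BASELINE.items()}
SNAPSHOT_HIJACKED = {
    d: {"ns1.attacker-controlled.example", "ns2.attacker-controlled.example"}
    for d in BASELINE
}

if __name__ == "__main__":
    for name, snap in (("normal", SNAPSHOT_NORMAL), ("hijacked", SNAPSHOT_HIJACKED)):
        r = check_delegation(snap)
        print(f"{name}: {len(r.drifted)} drifted, fleet_alert={r.fleet_alert}")
```

In practice the snapshot would come from a scheduled NS lookup through a resolver the organisation does not operate itself, so that a registrar-side change is visible even when the internal DNS still looks healthy.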
| Boundary (Internal/External) | within_system, outside_system |

(a) within_system: The software failure incident described in the article is primarily due to contributing factors that originate from within the system. The hackers were able to hijack a major Brazilian bank's entire internet footprint by changing the Domain Name System (DNS) registrations of all 36 of the bank's online properties, redirecting users to phishing sites and collecting sensitive information. The attackers compromised the bank's account at Registro.br, the domain registration service, and managed to change the registration simultaneously for all of the bank's domains, redirecting them to servers they controlled. This internal system vulnerability allowed the attackers to essentially take over the bank's online operations for several hours, leading to a complete loss of control over their digital assets [50537].

(b) outside_system: The software failure incident also involved contributing factors that originated from outside the system. The attackers exploited the bank's DNS, the protocol that, under the hood of the internet, maps domain names to servers. By altering the DNS records, the hackers were able to redirect visitors to lookalike sites and even obtain valid HTTPS certificates issued in the name of the bank. Additionally, the attackers hosted a command-and-control server in Canada to collect the stolen information, indicating external involvement in the attack. The incident highlights the importance of considering external threats to the security of DNS and the potential impact of such attacks on organizations [50537].
| Nature (Human/Non-human) | non-human_actions, human_actions |

(a) The software failure incident occurring due to non-human actions:
The software failure incident in the article was primarily due to a DNS redirect attack orchestrated by hackers targeting a Brazilian bank. The attackers changed the Domain Name System registrations of all 36 of the bank's online properties, redirecting users to phishing sites and essentially hijacking the bank's entire internet footprint. This attack allowed the hackers to steal login credentials, redirect transactions at ATMs and point-of-sale systems, and even infect victims with malware disguised as a security update [50537].

(b) The software failure incident occurring due to human actions:
The software failure incident also involved human actions as the attackers compromised the bank's account at Registro.br, the domain registration service of NIC.br. With this access, they were able to change the registration for all of the bank's domains simultaneously, redirecting users to fake websites. Additionally, the attackers may have been Brazilian themselves, as the malware included scraps of Portuguese language [50537].
| Dimension (Hardware/Software) | software |

(a) The software failure incident reported in the articles was primarily due to contributing factors originating in software rather than hardware. The incident involved hackers targeting a Brazilian bank by rerouting all of the bank's online customers to fake websites, stealing login credentials, redirecting transactions, and infecting victims with malware disguised as a security update. The attack exploited vulnerabilities in the bank's Domain Name System (DNS) registrations, allowing the hackers to take control of the bank's internet footprint and conduct fraudulent activities [50537]. The incident showcases how software vulnerabilities, such as DNS hijacking and malware distribution, can lead to significant security breaches and financial losses.
| Objective (Malicious/Non-malicious) | malicious |

(a) The objective of the software failure incident was malicious. The incident involved hackers who targeted a Brazilian bank by rerouting all of the bank's online customers to fake websites where the customers unknowingly handed over their account information. The hackers changed the Domain Name System registrations of all 36 of the bank's online properties, essentially hijacking the bank's entire internet footprint. They redirected users to phishing sites and potentially collected credit card details from ATM and point-of-sale transactions. The attackers compromised the bank's account at Registro.br, the domain registration service, to change the registration for all of the bank's domains simultaneously. The incident involved phishing schemes, malware distribution, and control over the bank's digital assets, demonstrating a clear malicious intent [50537].

(b) There is no information in the articles to suggest that the failure was non-malicious, i.e., due to contributing factors introduced without intent to harm the system.
| Intent (Poor/Accidental Decisions) | unknown |

(a) The intent of the software failure incident was not due to poor decisions but rather a sophisticated and deliberate attack by hackers targeting a Brazilian bank. The hackers rerouted all of the bank's online customers to fake websites to steal account information, indicating a well-planned and malicious intent [50537].
| Capability (Incompetence/Accidental) | accidental |

(a) The software failure incident in the article was not due to development incompetence. The incident was a result of a sophisticated cyberattack where hackers rerouted all of a Brazilian bank's online customers to fake websites to steal account information. This attack involved DNS hijacking, phishing, malware distribution, and redirection of ATM and point-of-sale transactions to the attackers' servers. The attackers even had valid HTTPS certificates issued in the name of the bank to make the fake websites appear legitimate [50537].

(b) From the bank's side, the software failure incident in the article was accidental. The incident was a result of a targeted cyberattack where hackers compromised the bank's account at Registro.br, NIC.br's domain registration service, and managed to change the DNS registrations for all of the bank's domains. This compromise allowed the attackers to redirect users to fake websites, leading to the theft of login credentials, credit card details, and other sensitive information. The compromise was not something the bank intended but rather a result of vulnerabilities in the DNS system and potential social engineering attacks [50537].
| Duration | temporary |

The software failure incident described in the article was temporary. The hackers were able to reroute all of the bank's online customers to fake websites for a period of five to six hours on October 22 of the previous year [50537]. During this time, the attackers had complete control over the bank's online operations, including redirecting users to phishing sites and potentially collecting credit card details from ATM and point-of-sale transactions. The incident was resolved when the bank regained control of its domains, likely by correcting the DNS registrations [50537].
| Behaviour | value, other |

(a) crash: The incident described in the article does not involve a system crash where the system loses state and stops performing its intended functions. Instead, the attackers successfully rerouted all of the bank's online customers to fake websites to steal account information without causing the system to crash [50537].

(b) omission: The incident does not involve the system omitting to perform its intended functions at an instance(s). The attackers actively redirected users to phishing sites and collected sensitive information, indicating a deliberate action rather than an omission [50537].

(c) timing: The incident does not involve the system performing its intended functions correctly but too late or too early. The attackers were able to hijack the bank's online operations for five to six hours, indicating a timely execution of their malicious activities [50537].

(d) value: The incident does involve the system performing its intended functions incorrectly. The attackers successfully redirected users to fake websites, stole login credentials, and even redirected ATM and point-of-sale transactions to their servers, collecting credit card details. This indicates a clear case of the system performing its functions incorrectly to the benefit of the attackers [50537].

(e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions. The attackers' actions were coordinated and focused, leading to a successful hijacking of the bank's online operations without erratic behavior or inconsistent responses [50537].

(f) other: The behavior of the software failure incident can be categorized as a sophisticated and comprehensive attack involving DNS hijacking, redirection of users to phishing sites, collection of sensitive information, and potential long-term malware persistence. This behavior goes beyond a simple crash, omission, timing issue, or byzantine behavior, showcasing a well-planned and executed cyberattack with significant implications for the targeted bank and its customers [50537].