Security Weekly 3: Bank robbery on the stream, Hacking of power networks, Localized targeted attack
Bank robbery: Carbanak
- Carbanak is news with the last year’s Security Analyst Summit. Then the researchers of the Laboratory revealed details of a complex attack on financial organizations. The attack differed both in the use of sophisticated tools to penetrate banking networks and in the ability to use banking tools to steal money, so as to leave as few traces as possible. This year we discovered three followers of Carbanak – one of them is clearly the work of the same cybercriminal group, two more are independent operations, with their instruments and methods of attack, but pursuing the same goal: to steal real money.
More details about all three attacks can be read on the links above, I’ll focus on the most interesting details. The organizers of the Metal attack used an extraordinary system of withdrawal of funds: according to the results of hacking into the banking network, they were able to withdraw money from cards and immediately roll back the operation. That is, in fact in the hands of criminals turned out to be “bottomless” credit cards. The key advantage of this approach was the ability to conduct a withdrawal operation in the shortest possible time, with a limited set of cards emptying the ATM at night. The danger of such a method for companies is clear: there is very little time left to respond to and block the actions of intruders. All this is in full accordance with our predictions of the end of 2015 on the evolution of attacks on business. Unlike APT, the threats, in which there is an advanced cracking tool and tactics for a long stay in the victim’s network, new attacks do not necessarily use really complex methods, and the whole operation is not allocated for months, but days, or even hours. Hit and wound.
- The GCMAN grouping for withdrawing funds used the electronic money, and attacked by traditional methods, in particular by sending phishing messages. It is noteworthy to use mostly legitimate programs (Putty, VNC and so on). Finally, the main feature of the Car Bank 2.0 attack was not the methods of hacking, but the expansion of the list of potential victims. Digital “robberies” are no longer limited to withdrawing funds through ATMs or bank account chains: the financial departments of large companies have also been under attack.
How will they actually break down the power grid? Answer Honeypot News.
Researcher Devan Chaudhuri of MalCrawler in his speech on SAS2016 shared an interesting experience of “luring” attackers into a specially created “energy” honeypot. Honeypots are actively used to catch malicious software, and the benefits from them are obvious: instead of a real system, the attacker is substituted with a specially created one, and the features of the attack are clarified without causing any real damage. In the case of a critical infrastructure, everything is more complicated: “emulation” should be as plausible as possible, which means the need to install a specialized management software and pass through it plausible responses to attempts to break down some power plant, while in reality there is no power plant.
- Chaudhuri studied the tactics of attackers, providing in the bait pre-planned vulnerabilities – wrong configuration, open WiFi network and so on. In most cases, the attackers confined themselves to reconnaissance: they pumped out the files that were prudently distributed along the way, tried to map the physical objects to which the attacked system supposedly gives access. But there were also those who were not interested in documents and intelligence – they immediately began to try to take the power system out of order.
How much is it realistic to arrange such methods with the blackout? According to the researcher from MalCrawler, the price of “entry” for those wishing to arrange a sabotage is still high. Citing the example of Stuxnet, Chaudhuri suggests that the main budget of such groupings is not on the “IT” part, but on the analysis of the work of specialized hardware and software. Before trying to crash something, we must very clearly understand how the power grid or similar facility works. In fact, this means building real models, with real hardware, the need to understand the intricacies of customization.
All is well? Not really. Above – in the history of hacking banks – it was also about a specialized software and access to closed information about the methods of operation of financial systems. To conduct an operation to create a “bottomless” credit card, you first need to know how it is done, how not to draw the attention of security systems and security experts in the attacked company. And somehow we managed it. Therefore, the main conclusion from the study of Devan Chaudhury is that there are already those who want to break critical infrastructure objects, right now. Let them while (presumably) are not able to cause serious damage, but obviously, do not wait until they finally learn.
Poseidon. Localized targeted attack with global consequences. News. A blog post. Study.
The Poseidon campaign was named by our experts as a “boutique for creating custom malware”. This explains the complexity of detecting an attack: when a unique or almost unique set of tools is created for each victim, it is very difficult to “combine” individual incidents into a general investigation. Nevertheless, it was possible to do this, probably in part because of the unusual way of monetization: hacking the next company, the organizers of the attacks demanded money from the victim for “services” for “information” “security”. Naturally, the payment of money by the victim did not guarantee anything: in some cases, unauthorized access was retained.
Gathering together all the information about the grouping, the researchers of the Laboratory determined that it operates for a minimum of 10 years, and the earliest malicious code attributed to this campaign is dated to 2001. Accordingly, in the list of targeted attacked systems, even Windows 95 is listed. The most important feature of Poseidon is the geographical localization. Most victims of the campaign are in Brazil. That is, business from other countries can relax? Not really. The group’s attention was attracted to foreign companies either operating in the country or interacting with firms from Brazil. Victims were found in the United States, Russia, Kazakhstan, India and other countries. Total: a criminal campaign that creates targeted hacking tools for each attack, again without super-advanced techniques and code, but successfully working for more than 10 years.
What else happened:
Another study by Lab specialists on the Security Analyst Summit: the cross-platform backdoor Adwind on Java. Adwind is a representative of the rapidly growing market of cybercriminal services: the authors of the backdoor sell it “for inexpensive” to everyone, and usually, such a malware-on-demand is used to attack users. But in this case, we found attacks on companies, so with the example of Adwind you can assess the potential of targeted attacks even on small businesses: access to such hack tools costs literally a penny.
The next fake anti-virus for Mac OS X would not be anything special, if not for one thing: this scareware instance was signed by a legitimate developer certificate, and accordingly the Gatekeeper’s built-in defender in Mac OS X does not notice it.