Cyberthieves Bag a Billion in Snail-Speed Bank Heists

Criminals using Carbanak malware have stolen up to US$1 billion from 100 financial institutions in Russia, China, Germany and the United States, Kaspersky Lab has revealed.

The gang is expanding operations to other countries.

Kaspersky has advised financial institutions to scan their networks for intrusion by Carbanak.

Indications include files with .bin extensions, an svchost.exe file, and services ending in “sys” that duplicate a similar service without the “sys” extension in the network, Kaspersky said.

“These are advanced threat actors, and … I’m certain they are working on new techniques as their old tools and techniques are discovered,” Lancope CTO TK Keanini told the E-Commerce Times.

Anatomy of a Carbanak Attack

The cybercriminals sent spearphishing emails with poisoned attachments that exploited vulnerabilities in Microsoft Office 2003, 2007 and 2010 and Microsoft Word. They also mounted drive-by download attacks.

When clicked on, the attachment executed the shell code and installed Carbanak, which is a backdoor based on the Carberp Trojan.

The malware then scouted the infected network, making videos of employees’ activities on the network — particularly sysadmins — and sending them back to the C&C servers. The attackers then went to weak points and installed additional software, such as the Ammyy remote administration tool, or compromised SSH servers.

The attackers have impersonated legitimate users to instruct ATMs to dispense cash, to use the S.W.I.F.T. banking network to transfer money out of the victim institution into members’ accounts, and to manipulate Oracle databases to open accounts at targeted banks or transfer money between accounts.

The attacks took two to four months, in most cases, and infected hundreds of computers within a victim organization.

Gotta Go by the Book

“In one case, a spoofed email was disguised as an email from the CEO requesting a transfer of millions of dollars to purchase a company,” said Stu Sjouwerman, CEO of KnowBe4.

“The email advised it be kept secret to avoid regulatory issues,” he told the E-Commerce Times.

The attack succeeded because “the basic guidelines were not followed handling what was an unusual request,” Sjouwerman pointed out. “Had this been verified as a legitimate request, [the victim] would have avoided [the] loss.”

The compliance guidelines that many institutions follow establish only the minimum requirements and don’t guarantee security, Sjouwerman said.

“The classic security conundrum is that the people who are most senior from a business perspective are also the least likely to accept the inconveniences of proper security,” Jonathan Sander, strategy and research officer at Stealthbits Technologies, told the E-Commerce Times.

Blood on the Tracks

The gang using Carbanak has been active since 2013, mounting attacks that in many cases took several months to carry out — so how is it they have managed to get away with their thefts?

Malware leaves a trace when it compromises a system, but “most of the time that mark goes unnoticed because enterprises haven’t established a baseline, or known good state, and aren’t continuously monitoring for changes to that baseline,” Tripwire CTO Dwayne Melancon told the E-Commerce Times.

The cybergang may move on to smaller institutions, as they have weaker defenses than large banks, Vasco Data Security VP John Gunn told the E-Commerce Times. On the other hand, transferring large sums into and out of smaller institutions is more likely to be detected.

Nothing New Under the Sun

“What hasn’t changed much is the attackers’ M.O.: taking control over the target’s computer systems,” said Igor Baikalov, chief scientist at Securonix.

“The good guys are still one step behind, playing catch-up with the attackers,” he told the E-Commerce Times.

That’s partly because many organizations see compliance as a matter of checking off boxes in a report.

Organizations should implement new techniques such as data-centric security, which “makes stolen data completely useless to thieves,” Voltage Security VP of Product Management Mark Bower told the E-Commerce Times.

They also should train staff on social engineering methods and conduct regular phishing tests, recommended KnowBe4’s Sjouwerman. “Defending against spearphishing is one of the most cost-effective areas to solve.”