A hacker group made off with as much as $1 billion from 100 banks in 30 countries by distributing a remote backdoor via spear phishing emails to bank employees, according to a report from Kaspersky Lab.
The same gang that breached Staples last fall may be behind this ruse, which researchers have dubbed Carbanak, reports have said. Security firm Fox-IT has drawn comparisons between the malware used in the Carbanak campaign and the trojan leveraged in the Staples breach, called Anunak, leaving many to believe the malware used in both campaigns could be the same.
The Kaspersky Lab research was disclosed at the company’s Security Analyst Summit in Cancun, Mexico on Monday.
Based on information gathered from its own research in addition to info from law enforcement agencies including INTERPOL and Europol, Kaspersky Lab believes that losses range from up to $10 million per bank.
Rather than aiming their attacks at accounts belonging to customers, the miscreants went after central sources such as e-payment systems and banks. While a majority of the financial institutions targeted are in Russia, banks in the United States, Germany and China, among others, were also impacted.
Researchers have observed that the spear phishing messages sent to employees included Microsoft Word (.doc) and Control Panel Applet (.CPL) file attachments. The attachments exploited vulnerabilities in Microsoft Office 2003, 2007 and 2010, in addition to Microsoft Word. Once successfully exploited, the Carbanak backdoor is active.
Once the malware is executed and attackers were in a bank’s network, they became intimate with the bank systems and employees, searching for employees who either had administrative rights to the institution’s cash transfer systems or remote ATMs. Then they used the malware’s remote access capabilities to capture screenshots and videos of bank workers’ systems so they could eventually ape employee activity.
Money taken through fraudulent transactions was sent to bank accounts in the U.S. and China. Two of the banks where attackers set up fake accounts were identified by a New York Times source as JPMorgan Chase and the Agricultural Bank of China.
The attackers reaped the rewards of their efforts in a two-year span where they either transferred money to their own accounts, ordered the money distributed to remote ATMs where an associate waited to receive or, in some cases, penetrated the banks’ accounts systems to change bank balances and then order transfers, ensuring that it would take some time for the activity to be detected by the bank.
Experts believe the threat actors may originate from Russia, Ukraine, Europe and China.
While Kaspersky researchers have contended that the attack bypassed banks’ security efforts because it was “sophisticated,” others have been quick to point out that banks simply had not kept their security measures up to date.
“There is nothing special about the malware itself. As usual, it was able to bypass the banks’ traditional anti-malware systems and go on its way uninterrupted,” Ian Amit, vice president of security firm ZeroFox said in a statement sent to SCMagazine.com. “The novelty of this attack lies in how it was deployed — directly inside the bank rather than to the banks’ customers.”
He believes that kind of attack leads to “much higher revenue-per-transaction.”
Calling the attacks a “jarring reminder of how easy it is for even sophisticated enterprises to overlook damaging changes to their cyber infrastructure,” Dwayne Melancon, CTO at Tripwire, explained in a statement sent to SCMagazine.com that even custom malware “leaves a trace when it compromises a system.”
That mark, thought, “goes unnoticed” most of the time “because enterprises haven’t established a baseline, or known good state, and aren’t continuously monitoring for changes to that baseline,” he said.
Indeed, while Jerome Segura, senior security researcher at Malwarebytes Labs, in a statement sent to SCMagazine.com, said the attack is “possibly one of the largest cyber bank heists in history which happened under the noses of many banks worldwide,” he noted Carbanak “is not particularly sophisticated as earlier reports may have indicated.”
Unlike in other large attacks, hackers “did not use a zero-day vulnerability but rather social engineered bank employees with a phishing email,” he said, and banks didn’t detect the malware early.
“For several months Carbanak was active on internal systems and also spread laterally to map out the banks’ infrastructure,” Segura said.
Labeling the thefts “a significant evolution in approach,” Mike Lloyd, CTO at RedSeal, said in a statement sent to SCMagazine.com, “The time invested by criminals in studying the operations of target banks shows two things: first, that such attacks are lucrative enough for this time commitment to be worthwhile, and second, they would not have bothered if they did not have to.”
Researchers warned that similar attacks are likely on the horizon and organizations must shift their security focus to fend them off.
“These are advanced threat actors and while it may seem like they are laying low, I’m certain they are working on new techniques as their old tools and techniques have been discovered,” TK Keanini, CTO at Lancope said in a prepared statement to SCMagazine.com. “This is the co-evolution that happens between attackers and defenders.”
And Lloyd said the attacks are a clear lesson that “we need to up our game, understanding how we can be spied upon, and how motivated adversaries can work to hide in plain sight.” He said security teams must “understand normal operations in great detail, including mapping out the environment and understanding how the infrastructure supports the business.”
Calling the practice “fiendishly difficult” because “the rate of change of modern business makes it impossible to keep up without automated mapping and discovery of defensive gaps,” Lloyd noted that “employees will always be prone to being fooled, as they were at the victim banks in this case.”
He urged organizations “to strengthen internal network segmentation, so that the whole chain does not fail whenever one weak link – usually a human – gets caught out.”
If the security industry is “going to have a chance at reversing this trend,” Eric Chiu, president and co-founder of Hytrust Security said in a statement sent to SCMagazine.com that “we need to truly make security a top priority and adopt an ‘inside-out’ model of security where we assume that the attackers are already on the network.”
He added that “banks must lead the charge around these efforts to restore confidence that they can protect our savings accounts from these new criminals.”