
7/19/2018
12:00 PM
Dark Reading
Products and Releases

New MoneyTaker case resulting in theft of $1M from Russian bank

Moscow, 19.07.2018 – Group-IB, one of the global leaders in preventing high-tech crimes and providing high-fidelity threat intelligence and anti-fraud solutions, is conducting incident response on an attack on PIR Bank (Russia) by the MoneyTaker hacking group, which resulted in the theft of 1 million US dollars. Funds were stolen on July 3 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar to SWIFT), transferred to 17 accounts at major Russian banks and cashed out. After that, the criminals tried to ensure persistence in the bank’s network in preparation for subsequent attacks, but were detected and removed by Group-IB incident responders.

According to Kommersant newspaper, PIR Bank lost around $920,000 (which is a conservative estimate) from their correspondent account at the Bank of Russia. PIR Bank officially confirmed the attack initially, adding at that time they were unable to determine the exact amount of losses. PIR staff managed to delay withdrawal of some stolen funds, but it is clear that most are lost. In order to respond to the incident, PIR Bank staff engaged Group-IB.

“During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible. At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank's operations in the future in order to prevent new similar incidents,” said Olga Kolosova, Chairperson of the Management Board of PIR Bank LLC.

After studying infected workstations and servers at the financial institution, Group-IB forensic specialists collected irrefutable digital evidence implicating MoneyTaker in the theft. In particular, the experts discovered specific tools and techniques that had been used earlier by MoneyTaker to attack banks, as well as the IP addresses of their C&C servers. Recommendations for prevention of similar attacks have been circulated to financial institutions that are Group-IB’s clients and partners, including the Central Bank of Russia. MoneyTaker is a criminal group specializing in targeted attacks on financial institutions, which was investigated by Group-IB experts in December 2017 in their analytic report called MoneyTaker: 1.5 Years of Silent Operations. These hackers are mainly focused on card processing and interbank transfer systems (AWS CBR and SWIFT).

What happened at PIR Bank?

During incident response, Group-IB confirmed that the attack on PIR Bank started in late May 2018. The entry point was a compromised router used by one of the bank’s regional branches. The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is characteristic of MoneyTaker: the group has used the same scheme at least three times while attacking banks with regional branch networks.

To establish persistence in the bank’s systems and automate some stages of their attack, the MoneyTaker group traditionally uses PowerShell scripts. This technique was analyzed in detail by Group-IB experts in their December report. When the criminals hacked the bank’s main network, they managed to gain access to AWS CBR (Automated Work Station Client of the Russian Central Bank), generate payment orders and send money in several tranches to mule accounts prepared in advance.

On the evening of July 4, when bank employees found unauthorized transactions with large sums, they asked the regulator to block the AWS CBR digital signature keys, but failed to stop the financial transfers in time. Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.

Simultaneously, the attackers used a technique characteristic of MoneyTaker to cover their tracks in the system – they cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation.

Moreover, the criminals left some so-called ‘reverse shells’, programs that connected out to the hackers’ servers from the bank’s network and waited for new commands, so that the attackers could conduct new attacks and regain access to the network. During incident response these were detected by Group-IB employees and removed by the bank’s sysadmins.

“This is not the first successful attack on a Russian bank with money withdrawal since early 2018,” says Valeriy Baulin, Head of Digital Forensics Lab at Group-IB. “We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. As for withdrawal schemes, each group specializing in targeted attacks – Cobalt, Silence and MoneyTaker (these have been the most active groups in 2018) – have their own scheme depending on the amounts and cashout scenarios. We should understand that attacks on AWS CBR are difficult to implement and are not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully. A 2016 incident, when MoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind.”

Who are MoneyTaker and why is it so difficult to catch them?

The first attack by MoneyTaker was recorded in spring 2016, when they stole money from a U.S. bank after gaining access to the card processing system (FirstData’s STAR processing system). After that, the hackers did not conduct attacks for almost 4 months and only attacked banks in Russia in September 2016. In these instances, their target was AWS CBR, the Russian interbank transfer system. In total, in 2016, Group-IB recorded 10 MoneyTaker attacks against organisations in the U.S., UK and Russia. Since 2017, the geography of their attacks has shrunk to Russia and the U.S. In 2018, Group-IB tracked two MoneyTaker attacks in Russia.

MoneyTaker has its own set of specific TTPs. The hackers try to go unnoticed, use ‘one-time’ infrastructure, ‘fileless’ software and carefully cover up traces of their presence. This involves specific usages of Metasploit and PowerShell Empire frameworks. 

It is evident that MoneyTaker is one of the top threats to banks all over the world. In connection with the incident at PIR Bank, Group-IB gave recommendations to security departments of financial institutions on how to minimize the danger presented by MoneyTaker. Since the entry point in most successful attacks conducted by this group was routers, it is first necessary to check that router firmware is up to date, test systems for brute-force vulnerabilities and detect changes in router configuration in a timely manner.
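The third recommendation above, timely detection of router configuration changes, can be implemented by diffing each fresh configuration snapshot against a known-good baseline and flagging the kinds of additions the press release describes as MoneyTaker's entry point (new tunnel interfaces, new privileged accounts). The script below is an added illustration, not Group-IB's or PIR Bank's code; the Cisco-IOS-style configuration lines, hostnames and addresses in it are constructed samples, and the high-risk patterns are the author's assumptions about what merits immediate review.

```python
"""Baseline-versus-snapshot router configuration change detection (added example)."""
import difflib
import hashlib
import re

# Constructed: configuration additions that should trigger immediate review.
# Tunnel interfaces, static routes, crypto maps and new local users are the
# changes most relevant to the entry path described in the article.
HIGH_RISK = re.compile(
    r"^\s*(interface\s+Tunnel|tunnel\s+(source|destination|mode)|"
    r"crypto\s+map|ip\s+route\s+|username\s+)", re.IGNORECASE)

def fingerprint(config: str) -> str:
    """SHA-256 of the whitespace-normalised config, for a cheap 'did anything change' check."""
    normalised = "\n".join(line.rstrip() for line in config.strip().splitlines())
    return hashlib.sha256(normalised.encode()).hexdigest()

def diff_config(baseline: str, current: str) -> dict:
    """Return added and removed lines, plus the subset of additions matching HIGH_RISK."""
    diff = difflib.unified_diff(baseline.strip().splitlines(),
                                current.strip().splitlines(), lineterm="", n=0)
    added, removed = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):   # skip unified-diff headers
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"added": added, "removed": removed,
            "high_risk": [l for l in added if HIGH_RISK.match(l)]}

# Constructed sample: the approved baseline of a branch router.
BASELINE = """hostname branch-rtr-01
interface GigabitEthernet0/0
 ip address 10.20.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.20.0.254
username netadmin privilege 15 secret 5 <hash-placeholder>
line vty 0 4
 transport input ssh"""

# Constructed sample: a later snapshot with an unapproved tunnel and account.
CURRENT = BASELINE.replace("line vty 0 4", """interface Tunnel100
 ip address 172.31.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
username support privilege 15 secret 5 <hash-placeholder>
line vty 0 4""")

if __name__ == "__main__":
    if fingerprint(BASELINE) != fingerprint(CURRENT):
        result = diff_config(BASELINE, CURRENT)
        print(f"{len(result['added'])} added, {len(result['removed'])} removed")
        for line in result["high_risk"]:
            print("HIGH RISK:", line.strip())
```

In practice the snapshot would be pulled on a schedule from the device and the baseline re-approved through change management, so that any high-risk line the script reports is by definition unauthorised.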

According to the Group-IB report published in December, at that time, MoneyTaker had conducted 16 attacks in the U.S., five attacks on Russian banks and one attack on a banking software company in the UK. The average damage caused by one attack in the U.S. amounted to $500,000. In Russia, the average amount of money withdrawn is 1.2 million USD per incident. In addition to money, the criminals steal documents about interbank payment systems needed to prepare for subsequent attacks. Incident response and investigations continue.

About Group-IB

Group-IB is one of the global leaders in preventing and investigating high-tech crimes and online fraud. The company is recognized by Gartner as a threat intelligence vendor with strong cyber security focus and the ability to provide leading insight to the Eastern European region and recommended by the Organization for Security and Co-operation in Europe (OSCE). The Company is a permanent member of the World Economic Forum. Group-IB’s experience has been fused into an eco-system of highly sophisticated software and hardware solutions to monitor, identify and prevent cyber threats. Group-IB runs the largest computer forensics laboratory in Eastern Europe, as well as an official computer emergency response team, CERT-GIB. In 2017, the company was recognized by IDC as a leading player on the Russian threat intelligence services market.
