2/8/2016
09:00 AM
Cybercrime Gangs Blend Cyber Espionage And Old-School Hacks In Bank Heists

'Metel,' 'GCMAN,' and Carbanak's comeback highlight how cybercriminals are now going after bank users and systems with cyber espionage-type tools and tactics.

TENERIFE, SPAIN – Kaspersky Lab Security Analyst Summit 2016 – Two newly discovered cybercrime gangs spotted stealing millions of dollars mainly from Russian banks further demonstrate how financial fraud has entered a new era with cybercriminals directly targeting banks via hacking techniques traditionally used by sophisticated nation-state cyberspies.

Kaspersky Lab researchers here today detailed attack campaigns against banks by the so-called Metel and GCMAN crime groups, as well as a re-emergence of the Carbanak group, a pioneer in employing cyber espionage methods for financial cybercrime. All three groups steal money by hacking the banks themselves, via their employees and computer systems, rather than targeting online banking customers alone.

Carbanak, which Kaspersky researchers exposed at last year’s SAS in Cancun, is an international cybercrime ring based out of Eastern Europe that pilfered some $1 billion in two years from 100 different banks in nearly 30 countries using spear phishing emails targeting bank employees. Its targets were mainly Russian financial institutions, followed by banks in Denmark and the US.

Operatives from Russia, Ukraine, China, and other parts of Europe, are behind Carbanak, which changed the cybercrime game by employing nation-state cyberspy methods including a remote Trojan backdoor that spies, steals data, and provides remote access to infected machines. But unlike a nation-state, it doesn't employ zero-day attacks.

Carbanak now has expanded its scope from banks only to other juicy targets such as the financial and accounting departments of some companies, the researchers said. The cybergang was spotted using its hack of one financial institution as a stepping-stone to change a large company's ownership to that of a money mule so the attackers could access funds from that company.

“They changed the registration data of the owner of a really big company,” said Sergey Golovanov, principal security researcher at global research & analysis team, Kaspersky Lab, who didn’t disclose the name or nature of the targeted firm.

The Metel group, which is still alive and well and thus far has only been seen attacking financial institutions in Russia, commandeered user administrative accounts from banks' call centers and other systems in order to manipulate transaction information. As their money mules were cashing out millions of dollars from ATM machines in cities around Russia using debit cards issued by the victim bank, the attackers rolled back those transactions to hide the heist. This allowed them to pose as a legitimate user, but actually steal money from the ATM itself without raising any red flags in the account. In one night, they cashed out several ATM machines, according to the researchers.

“The [attackers] watched the mules and they started getting cash” from the ATMs, Golovanov said. “They saw the transaction, and started to cancel it … from the operator’s computer.

“Then it was click, click, click on lots of items” from the compromised bank user account to hide the money mule transactions, he said of the attacker who hijacked the bank application.
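The rollback pattern described above leaves a signal in the bank's own transaction logs: an ATM cash-out followed within minutes by a reversal issued from an operator account, repeated across several cards. The following detection sketch is an added example and is not code from Kaspersky Lab or from any bank; the event fields, the sample events and the thresholds are assumptions chosen for illustration.

```python
"""Correlate ATM withdrawals with fast reversals and flag operator accounts
that issue them repeatedly (the Metel 'withdraw, then roll back' pattern).
Added illustration: field names, sample events and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event stream; amounts are in currency units.
SAMPLE_EVENTS = [
    {"ts": "2016-02-07T01:02:00", "type": "atm_withdrawal", "card": "C1", "txid": "T1", "amount": 5000, "atm": "ATM-17"},
    {"ts": "2016-02-07T01:03:30", "type": "reversal", "txid": "T1", "operator": "ops_user7"},
    {"ts": "2016-02-07T01:05:00", "type": "atm_withdrawal", "card": "C1", "txid": "T2", "amount": 5000, "atm": "ATM-17"},
    {"ts": "2016-02-07T01:06:10", "type": "reversal", "txid": "T2", "operator": "ops_user7"},
    {"ts": "2016-02-07T01:09:00", "type": "atm_withdrawal", "card": "C2", "txid": "T3", "amount": 5000, "atm": "ATM-22"},
    {"ts": "2016-02-07T01:10:00", "type": "reversal", "txid": "T3", "operator": "ops_user7"},
    # Benign: a customer dispute handled two days later by another operator.
    {"ts": "2016-02-05T14:00:00", "type": "atm_withdrawal", "card": "C9", "txid": "T9", "amount": 100, "atm": "ATM-03"},
    {"ts": "2016-02-07T14:00:00", "type": "reversal", "txid": "T9", "operator": "ops_user2"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate_reversals(events, window=timedelta(minutes=15)):
    """Return reversals issued within `window` after the withdrawal they cancel."""
    withdrawals = {e["txid"]: e for e in events if e["type"] == "atm_withdrawal"}
    hits = []
    for e in events:
        if e["type"] != "reversal":
            continue
        w = withdrawals.get(e["txid"])
        if w is None:
            continue
        delta = _ts(e["ts"]) - _ts(w["ts"])
        if timedelta(0) <= delta <= window:
            hits.append({
                "operator": e["operator"], "card": w["card"], "atm": w["atm"],
                "amount": w["amount"], "seconds_after": int(delta.total_seconds()),
                "reversal_ts": e["ts"],
            })
    return hits


def flag_operators(hits, min_count=2, span=timedelta(hours=2)):
    """Operator accounts issuing at least `min_count` fast reversals within `span`."""
    by_op = defaultdict(list)
    for h in hits:
        by_op[h["operator"]].append(_ts(h["reversal_ts"]))
    flagged = {}
    for op, times in by_op.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted times
            j = i
            while j < len(times) and times[j] - times[i] <= span:
                j += 1
            if j - i >= min_count:
                flagged[op] = j - i          # number of fast reversals in the window
                break
    return flagged


if __name__ == "__main__":
    hits = correlate_reversals(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("flagged operators:", flag_operators(hits))
```

The first function only looks at the timing relation between a cash-out and its reversal; the second turns those pairs into an alert per operator account, which is the entity Metel actually hijacked. In production the window and count thresholds would be tuned against the bank's normal dispute-handling rate.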

As with the original Carbanak attacks, the Metel group used video surveillance to learn and impersonate the process. Both Carbanak 2.0 and Metel start their campaigns with spear phishing emails to bank employees. Metel, for instance, employs the Niteris exploit kit, which exploits vulnerabilities in the targeted victim’s browser. That gives them a foothold into the network, where the attackers run penetration testing tools and other legit software to hijack the local domain controller to reach the bank’s payment card processing systems.

Via a keylogger, the attackers spied on how banking admins operate, so they were able to watch and learn via screenshots how the admin works with the SSH server, for example, Golovanov said.

They used PowerShell and other scripts to hack the bank’s Web server, he said. They also wiped hard drives, he said.

Old-School Hacking Heist

The GCMAN attackers, meanwhile, didn’t bother with spear phishing attacks or malware to steal funds. The GCMAN group took more of an old-school hacking approach, brute-force hacking a bank’s Web server. “No zero-days, no vulnerabilities,” Golovanov said. “They were able to find [weaknesses] in the Web server of a bank.”

GCMAN uses penetration testing and legitimate tools such as PuTTY, VNC, and Meterpreter to find a weak machine they could take over to move money to e-currency accounts used by money mules. In one case, the attackers lived on the bank’s network for a year and a half before they were detected. They stole money in increments of $200, which is the maximum withdrawal amount in Russia, and employed a custom script to conduct the transactions; they sent the orders to the bank payment gateway in order to bypass the bank’s internal computer systems.

Vladislav Roscov, a Kaspersky researcher, said his company last year got an SOS from a Russian bank. “’Come quick. Every minute costs us $200,’ they said.”

The GCMAN attackers initially got inside by brute-forcing the admin password on the server, hacking away only on Saturdays so as to not raise any alarms. A debug script left open in the server also was abused in the attack, Roscov said.
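Two of the GCMAN behaviours described above are visible to a defender in ordinary telemetry: password-guessing against an admin account that happens only at weekends, and a drip of equal-sized transfers, about $200 a minute, toward e-currency accounts. The following detection sketch is an added example, not code from Kaspersky Lab or from the affected bank; the sshd-style log format, the transfer record layout, the sample data and the thresholds are all assumptions for illustration.

```python
"""Two GCMAN-style detections: weekend-concentrated login brute force, and
runs of identical-amount transfers spaced about a minute apart.
Added illustration: log format, record fields, sample data and thresholds are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- (1) Constructed sshd-style auth log; syslog has no year, so 2015 is assumed ---
AUTH_LOG = """\
Jan 10 02:11:01 web01 sshd[4131]: Failed password for root from 198.51.100.7 port 50122 ssh2
Jan 10 02:11:03 web01 sshd[4131]: Failed password for root from 198.51.100.7 port 50124 ssh2
Jan 10 02:11:06 web01 sshd[4131]: Failed password for root from 198.51.100.7 port 50126 ssh2
Jan 17 01:58:40 web01 sshd[6002]: Failed password for admin from 198.51.100.7 port 51001 ssh2
Jan 17 01:58:42 web01 sshd[6002]: Failed password for admin from 198.51.100.7 port 51003 ssh2
Jan 17 01:58:45 web01 sshd[6002]: Failed password for admin from 198.51.100.7 port 51005 ssh2
Jan 12 09:30:00 web01 sshd[5120]: Failed password for alice from 192.0.2.5 port 40000 ssh2
Jan 13 09:31:00 web01 sshd[5121]: Failed password for alice from 192.0.2.5 port 40002 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def weekend_bruteforce(log_text, year=2015, min_failures=5, weekend_share=0.9):
    """Source IPs with many failed logins that fall almost entirely on Sat/Sun.
    Returns {ip: (weekend_failures, weekday_failures)}."""
    counts = defaultdict(lambda: [0, 0])  # ip -> [weekend, weekday]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        counts[m["ip"]][0 if ts.weekday() >= 5 else 1] += 1
    return {ip: (we, wd) for ip, (we, wd) in counts.items()
            if we + wd >= min_failures and we / (we + wd) >= weekend_share}


# --- (2) Constructed outbound transfer records: (timestamp, destination, amount) ---
TRANSFERS = [
    ("2015-01-17T03:00:00", "ewallet-4411", 200),
    ("2015-01-17T03:01:00", "ewallet-4411", 200),
    ("2015-01-17T03:02:00", "ewallet-9082", 200),
    ("2015-01-17T03:03:00", "ewallet-4411", 200),
    ("2015-01-17T03:04:00", "ewallet-9082", 200),
    ("2015-01-17T03:05:00", "ewallet-4411", 200),
    ("2015-01-17T03:30:00", "acct-77", 1500),   # ordinary, isolated transfer
    ("2015-01-17T09:00:00", "acct-12", 200),    # a single $200 transfer, not a run
]


def fixed_amount_drain(transfers, max_gap=timedelta(minutes=2), min_run=5):
    """Runs of at least `min_run` identical-amount transfers, each no more than
    `max_gap` after the previous one. Returns one summary dict per run."""
    rows = sorted((datetime.fromisoformat(ts), dest, amt) for ts, dest, amt in transfers)
    runs, run = [], []

    def flush():
        if len(run) >= min_run:
            runs.append({
                "count": len(run), "amount": run[0][2],
                "total": sum(r[2] for r in run),
                "start": run[0][0].isoformat(), "end": run[-1][0].isoformat(),
                "destinations": sorted({r[1] for r in run}),
            })

    for row in rows:
        if run and (row[2] != run[-1][2] or row[0] - run[-1][0] > max_gap):
            flush()
            run = []
        run.append(row)
    flush()
    return runs


if __name__ == "__main__":
    print("weekend brute force:", weekend_bruteforce(AUTH_LOG))
    for r in fixed_amount_drain(TRANSFERS):
        print("drain run:", r)
```

The transfer check is deliberately independent of the destination account, since the mules' e-currency wallets change; the cadence and the fixed amount are the stable part of the behaviour the researchers describe. Both functions are written to be run over exported logs rather than inline in the payment path, so they add no latency to the gateway.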

“There was a backdoor crafted to look like a Web banking script,” he said, which had been planted 18 months before the money started going out the door.

GCMAN commandeered some 70 internal hosts and 56 user accounts in the banks it compromised.

“GCMAN is really unique and smart malware, about the way the attackers were able to avoid the security measures of the banks,” Golovanov said.

The researchers have released some indicators of compromise and other information on the three attack campaigns.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
