Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/4/2019
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Carbanak Attack: Two Hours to Total Compromise

Investigation of the cybercrime group's attack on an East European bank shows how some attackers require very little time to broaden their access and establish persistence on a network.

A security vendor's investigation of a May 2018 cyberattack on an East European bank has revealed the astonishing speed and sophistication with which some advanced threat actors can expand their presence on a network after gaining initial access to it.

The attack began when two employees of the bank were tricked into opening a malicious document in a spear-phishing email from the Carbanak group—a cybercrime outfit believed to have stolen hundreds of millions of dollars from banks in over 40 countries.

The tainted document contained three exploits for remote code execution in Microsoft Word, which minutes later allowed the attackers to install a backdoor for deploying new payloads and for establishing persistence on the freshly compromised infrastructure.  

One of the payloads was Cobalt Strike Beacon, a Carbanak malware tool that among other things allowed the attackers to map the organization’s internal network so they could find admin-level credentials for moving across the infrastructure.

Not long after, they managed to obtain credentials for one Domain Administrator, which they then proceeded to use to access a domain controller server and at least two other endpoint devices on the compromised bank network.

"In under two hours the attackers managed to directly compromise a critical infrastructure component and get admin-level credentials, without tripping any alarms," says Liviu Arsene, global cybersecurity analyst at Bitdefender, the security vendor that was called in to investigate the breach.

Over the next two months, the attackers were able to use the credentials to quietly move about the network and to try and gain access to systems that would allow them to manipulate and withdraw funds from the bank's ATMs. The breach was discovered after a series of security alerts were eventually triggered by the credentials being used to access systems not normally associated with them.

"The main takeaway is that organizations, even highly regulated ones that operate in the financial industry, need to focus on reducing the time to detect a potential security breach," Arsene says. "It's vital that they detect and block these attacks during the reconnaissance phase, before attackers execute their final heist."

Bitdefender's investigation of the attack on the East European bank revealed extensive planning and patience on the Carbanak group's part.

In the first four weeks following the initial intrusion, the group systematically compromised numerous workstations in search of specific information that could help them breach the ATM network. One of the servers that the group compromised was later used to store documents pertaining to internal applications, system manuals, and other documents.

By Day 33, the group had gathered enough information to be able to connect to a host with access to banking applications. Over the next three weeks or so, members of the Carbanak group managed to break into at least seven other hosts with similar access to banking applications on the compromised network.

According to Bitdefender, the Carbanak group's movements on the breached network suggested a comprehensive understanding of the nature and location of the data they were looking for. At the same time the group also appeared focused on improving its understanding of the bank's internal systems in an effort to make its attack more efficient and stealthy, Bitdefender said in a report that summarizes the findings from its breach investigation.

The attackers showed experience in interacting with financial systems and appeared interested in constantly documenting and learning more about the inner workings of banking applications, potentially to maximize their efforts in future heists, Arsene says.

Keeping a Low Profile

Significantly, the attackers took considerable effort to maintain a low network footprint and to conceal their movement. For example, they used a single compromised workstation on the network to centralize and store all their collected information and for communicating with their command and control server, Bitdefender said. The group also made sure to carry out the bulk of their activities after normal business hours.

The reason their after-hours activity wasn't flagged as suspicious was that the authentication credentials had the necessary security clearance to perform this activity, Aresene says. The admin-level credentials were regularly used for remote access outside business hours, so there was little reason the activity would be flagged as suspicious.

"What these attackers did was keep a low footprint by remotely dialing in and out of select targets, sometimes days apart," Arsene notes. Command-and-control communication typically lasted between 20 minutes and one hour at most. Moving laterally across the infrastructure was a matter of using Remote Desktop Protocol with the stolen admin credentials.

"This way, any suspicious activity would have been regarded as normal activity since those credentials would normally belong to someone that had the security clearance to do that," Arsene says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
6/5/2019 | 9:20:06 AM
Two immed take-aways
There are many lessons here. The infection began with two users opening an infected email - user education would go miles towards improving these events which are all too common.  Second, base infection took 2 hours which is more or less human time once detected.  Initial infection took FAR shorter though so humans do not respond fast enough.  Here is where automated tools come in to effective use.  Third less obvious is that attackers did good recon work and kept a low low profile.  If you break into a home, do not do it at dinnertime.   Daytime with a moving van and uniforms (with nobody home) often works for spying neighbors.   Thieves always perform recon first to see defenses and patterns, such as lights on and off during vacations.  (They attacked ONLY during business hours).  All attack data flowed through one, 1, machine making that more suspect as a bad endpoint by itself instead of a gigantic door.  So there are a ton of good lessons in this tale but user education is tops.   "If you don't need it,don't read it, delete it." 
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19037
PUBLISHED: 2019-11-21
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
CVE-2019-19036
PUBLISHED: 2019-11-21
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVE-2019-19039
PUBLISHED: 2019-11-21
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.