TENERIFE, SPAIN – Kaspersky Lab Security Analyst Summit 2016 – Two newly discovered cybercrime gangs spotted stealing millions of dollars mainly from Russian banks further demonstrate how financial fraud has entered a new era with cybercriminals directly targeting banks via hacking techniques traditionally used by sophisticated nation-state cyberspies.
Kaspersky Lab researchers here today detailed attack campaigns against banks by the so-called Metel and GCMAN crime groups, as well as a re-emergence of the Carbanak group, a pioneer in employing cyber espionage methods for financial cybercrime. All three groups steal money by hacking the banks themselves via their employees and computer systems, to steal money, rather than targeting online banking customers alone.
Carbanak, which Kaspersky researchers exposed at last year’s SAS in Cancun, is an international cybercrime ring based out of Eastern Europe that pilfered some $1 billion in two years from 100 different banks in nearly 30 countries using spear phishing emails targeting bank employees. Its targets were mainly Russian financial institutions, followed by banks in Denmark and the US.
Operatives from Russia, Ukraine, China, and other parts of Europe, are behind Carbanak, which changed the cybercrime game by employing nation-state cyberspy methods including a remote Trojan backdoor that spies, steals data, and provides remote access to infected machines. But unlike a nation-state, it doesn't employ zero-day attacks.
Carbanak now has expanded its scope from banks only to other juicy targets such as the financial and accounting departments of some companies, the researchers said. The cybergang was spotted using its hack of one financial institution as a stepping-stone to change a large company’s ownership to that of a money mule so the attackers could access funds from that company
“They changed the registration data of the owner of a really big company,” said Sergey Golovanov, principal security researcher at global research & analysis team, Kaspersky Lab, who didn’t disclose the name or nature of the targeted firm.
The Metel group—which is still alive and well and thus far has only been seen attacking financial institutions in Russia--commandeered user administrative accounts from banks’ call centers and other systems in order to manipulate transaction information. As their money mules were cashing out millions of dollars from ATM machines in cities around Russia using debit cards issued by the victim bank, the attackers rolled back those transactions to hide the heist. This allowed them to pose as a legitimate user, but actually steal money from the ATM itself without raising any red flags in the account. In one night, they cashed out several ATM machines, according to the researchers.
“The [attackers] watched the mules and they started getting cash” from the ATMs, said Sergey Golovanov, principal security researcher at global research & analysis team, Kaspersky Lab. “They saw the transaction, and started to cancel it … from the operator’s computer.
“Then it was click, click, click on lots of items” from the compromised bank user account to hide the money mule transactions, he said of the attacker who hijacked the bank application.
As with the original Carbanak attacks, the Metel group used video surveillance to learn and impersonate the process. Both Carbanak 2.0 and Metel start their campaigns with spear phishing emails to bank employees. Metel, for instance, employs the Niteris exploit kit exploiting vulnerabilities in the targeted victim’s browser. That gives them a foothold into the network, where the attackers run penetration testing tools and other legit software to hijack the local domain controller to reach the bank’s payment card processing systems.
Via a keylogger, the attackers spied on how banking admins operate, so they were able to watch and learn via screenshots how the admin works with the SSH server, for example, Golovanov said.
They used PowerShell and other scripts to hack the bank’s Web server, he said. They also wiped hard drives, he said.
Old-School Hacking Heist
The GCMAN attackers, meanwhile, didn’t bother with spear phishing attacks nor malware to steal funds. The GCMAN group took more of an old-school hacking approach, brute-force hacking a bank’s Web server. “No zero-days, no vulnerabilities,” Golovanov said. “They were able to find [weaknesses] in the Web server of a bank.”
GCMAN uses penetration testing and legitimate tools such as Putty, VNC, and Meterpreter, to find a weak machine they could take over to move money to e-currency accounts used by money mules. In one case, the attackers lived on the bank’s network for a year and a half before they were detected. They stole money in increments of $200, which is the maximum withdrawal amount in Russia, and employed a custom script to conduct the transactions; they sent the orders to the bank payment gateway in order to bypass the bank’s internal computer systems.
Vladislav Roscov, a Kaspersky researcher, said his company last year got an SOS from a Russian bank. “’Come quick. Every minute costs us $200,’ they said.”
The GCMAN attackers initially got inside by brute-forcing the admin password on the server, hacking away at only on Saturdays so as to not raise any alarms. A debug script left open in the server also was abused in the attack, Roscov said.
“There was a backdoor crafted to look like a Web banking script,” he said, which had been planted 18 months before the money started going out the door.
GCMAN commandeered some 70 internal hosts and 56 user accounts in the banks it compromised.
“GCMAN is really unique and smart malware, about the way the attacker were able to avoid the security measures of the banks,” Golovanov said.
The researchers have released some indicators of compromise and other information on the three attack campaigns.