Endpoint

2/8/2016
09:00 AM
Cybercrime Gangs Blend Cyber Espionage And Old-School Hacks In Bank Heists

'Metel,' 'GCMAN,' and Carbanak's comeback highlight how cybercriminals are now going after bank users and systems with cyber espionage-type tools and tactics.

TENERIFE, SPAIN – Kaspersky Lab Security Analyst Summit 2016 – Two newly discovered cybercrime gangs spotted stealing millions of dollars mainly from Russian banks further demonstrate how financial fraud has entered a new era with cybercriminals directly targeting banks via hacking techniques traditionally used by sophisticated nation-state cyberspies.

Kaspersky Lab researchers here today detailed attack campaigns against banks by the so-called Metel and GCMAN crime groups, as well as a re-emergence of the Carbanak group, a pioneer in employing cyber espionage methods for financial cybercrime. All three groups steal money by hacking the banks themselves, via their employees and computer systems, rather than targeting online banking customers alone.

Carbanak, which Kaspersky researchers exposed at last year’s SAS in Cancun, is an international cybercrime ring based out of Eastern Europe that pilfered some $1 billion in two years from 100 different banks in nearly 30 countries using spear phishing emails targeting bank employees. Its targets were mainly Russian financial institutions, followed by banks in Denmark and the US.

Operatives from Russia, Ukraine, China, and other parts of Europe are behind Carbanak, which changed the cybercrime game by employing nation-state cyberspy methods, including a remote Trojan backdoor that spies, steals data, and provides remote access to infected machines. But unlike a nation-state, it doesn't employ zero-day attacks.

Carbanak now has expanded its scope from banks only to other juicy targets such as the financial and accounting departments of some companies, the researchers said. The cybergang was spotted using its hack of one financial institution as a stepping-stone to change a large company’s ownership to that of a money mule so the attackers could access funds from that company.

“They changed the registration data of the owner of a really big company,” said Sergey Golovanov, principal security researcher at global research & analysis team, Kaspersky Lab, who didn’t disclose the name or nature of the targeted firm.

The Metel group, which is still alive and well and thus far has only been seen attacking financial institutions in Russia, commandeered user administrative accounts from banks’ call centers and other systems in order to manipulate transaction information. As their money mules were cashing out millions of dollars from ATMs in cities around Russia using debit cards issued by the victim bank, the attackers rolled back those transactions to hide the heist. This allowed them to pose as a legitimate user while actually stealing money from the ATM itself, without raising any red flags in the account. In one night, they cashed out several ATMs, according to the researchers.

“The [attackers] watched the mules and they started getting cash” from the ATMs, Golovanov said. “They saw the transaction, and started to cancel it … from the operator’s computer.

“Then it was click, click, click on lots of items” from the compromised bank user account to hide the money mule transactions, he said of the attacker who hijacked the bank application.
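The rollback pattern described above (an ATM cash-out followed minutes later by a reversal issued from a back-office operator account, repeated for the same card) is something a bank's fraud or SOC team can look for in transaction logs. The following detection sketch is an added example, not code from the article or from Kaspersky Lab; the record format, field names and thresholds are assumptions, and the transaction records are constructed for illustration.

```python
"""Added example (not from the article or Kaspersky Lab): flag cards whose ATM
withdrawals are repeatedly reversed from a back-office account within minutes,
the Metel cash-out-then-rollback pattern. Record layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, card, kind, amount, actor).
# kind is "withdrawal" (at an ATM) or "rollback" (issued from an operator account).
SAMPLE = [
    ("2016-01-10 01:05", "4111-01", "withdrawal", 200, "ATM-017"),
    ("2016-01-10 01:09", "4111-01", "rollback", 200, "callcenter-op12"),
    ("2016-01-10 01:20", "4111-01", "withdrawal", 200, "ATM-044"),
    ("2016-01-10 01:23", "4111-01", "rollback", 200, "callcenter-op12"),
    ("2016-01-10 01:41", "4111-01", "withdrawal", 200, "ATM-091"),
    ("2016-01-10 01:44", "4111-01", "rollback", 200, "callcenter-op12"),
    ("2016-01-10 14:00", "4111-02", "withdrawal", 100, "ATM-017"),   # benign: reversed next day
    ("2016-01-11 09:30", "4111-02", "rollback", 100, "callcenter-op03"),
]

def find_rollback_abuse(records, window_min=30, min_hits=3):
    """Return {card: [rollback actors]} for cards with at least min_hits ATM
    withdrawals that were each reversed, for the same amount, within window_min
    minutes. Both thresholds are assumed values, not from the article."""
    by_card = defaultdict(list)
    for ts, card, kind, amount, actor in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_card[card].append((when, kind, amount, actor))
    flagged = {}
    for card, events in by_card.items():
        events.sort()             # process chronologically
        hits, pending = [], []    # pending = withdrawals not yet matched to a rollback
        for when, kind, amount, actor in events:
            if kind == "withdrawal":
                pending.append((when, amount))
            elif kind == "rollback":
                for i, (w_when, w_amount) in enumerate(pending):
                    if w_amount == amount and when - w_when <= timedelta(minutes=window_min):
                        hits.append(actor)   # record the operator account that reversed it
                        del pending[i]
                        break
        if len(hits) >= min_hits:
            flagged[card] = hits
    return flagged

if __name__ == "__main__":
    print(find_rollback_abuse(SAMPLE))
```

Grouping the returned actors by operator account, rather than by card, turns the same logic into an alert on the hijacked call-center login itself.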

As with the original Carbanak attacks, the Metel group used video surveillance to learn and impersonate the process. Both Carbanak 2.0 and Metel start their campaigns with spear phishing emails to bank employees. Metel, for instance, employs the Niteris exploit kit exploiting vulnerabilities in the targeted victim’s browser. That gives them a foothold into the network, where the attackers run penetration testing tools and other legit software to hijack the local domain controller to reach the bank’s payment card processing systems.

Via a keylogger, the attackers spied on how banking admins operate, so they were able to watch and learn via screenshots how the admin works with the SSH server, for example, Golovanov said.

They used PowerShell and other scripts to hack the bank’s Web server, he said. They also wiped hard drives, he said.

Old-School Hacking Heist

The GCMAN attackers, meanwhile, didn’t bother with spear phishing attacks or malware to steal funds. The GCMAN group took more of an old-school hacking approach, brute-force hacking a bank’s Web server. “No zero-days, no vulnerabilities,” Golovanov said. “They were able to find [weaknesses] in the Web server of a bank.”

GCMAN uses penetration testing tools and legitimate software such as PuTTY, VNC, and Meterpreter to find a weak machine it can take over in order to move money to e-currency accounts used by money mules. In one case, the attackers lived on the bank’s network for a year and a half before they were detected. They stole money in increments of $200, which is the maximum withdrawal amount in Russia, and employed a custom script to conduct the transactions; they sent the orders to the bank payment gateway in order to bypass the bank’s internal computer systems.

Vladislav Roscov, a Kaspersky researcher, said his company last year got an SOS from a Russian bank. “’Come quick. Every minute costs us $200,’ they said.”

The GCMAN attackers initially got inside by brute-forcing the admin password on the server, hacking away only on Saturdays so as not to raise any alarms. A debug script left open on the server also was abused in the attack, Roscov said.

“There was a backdoor crafted to look like a Web banking script,” he said, which had been planted 18 months before the money started going out the door.

GCMAN commandeered some 70 internal hosts and 56 user accounts in the banks it compromised.

“GCMAN is really unique and smart malware, about the way the attackers were able to avoid the security measures of the banks,” Golovanov said.

The researchers have released some indicators of compromise and other information on the three attack campaigns.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
