2/8/2016 09:00 AM
Cybercrime Gangs Blend Cyber Espionage And Old-School Hacks In Bank Heists

'Metel,' 'GCMAN,' and Carbanak's comeback highlight how cybercriminals are now going after bank users and systems with cyber espionage-type tools and tactics.

TENERIFE, SPAIN – Kaspersky Lab Security Analyst Summit 2016 – Two newly discovered cybercrime gangs spotted stealing millions of dollars mainly from Russian banks further demonstrate how financial fraud has entered a new era with cybercriminals directly targeting banks via hacking techniques traditionally used by sophisticated nation-state cyberspies.

Kaspersky Lab researchers here today detailed attack campaigns against banks by the so-called Metel and GCMAN crime groups, as well as a re-emergence of the Carbanak group, a pioneer in employing cyber espionage methods for financial cybercrime. All three groups steal money by hacking the banks themselves, via their employees and computer systems, rather than targeting online banking customers alone.

Carbanak, which Kaspersky researchers exposed at last year’s SAS in Cancun, is an international cybercrime ring based out of Eastern Europe that pilfered some $1 billion in two years from 100 different banks in nearly 30 countries using spear phishing emails targeting bank employees. Its targets were mainly Russian financial institutions, followed by banks in Denmark and the US.

Operatives from Russia, Ukraine, China, and other parts of Europe are behind Carbanak, which changed the cybercrime game by employing nation-state cyberspy methods, including a remote Trojan backdoor that spies, steals data, and provides remote access to infected machines. But unlike a nation-state, it doesn't employ zero-day attacks.

Carbanak has now expanded its scope from banks only to other juicy targets such as the financial and accounting departments of some companies, the researchers said. The cybergang was spotted using its hack of one financial institution as a stepping-stone to change a large company's ownership to that of a money mule so the attackers could access funds from that company.

“They changed the registration data of the owner of a really big company,” said Sergey Golovanov, principal security researcher at global research & analysis team, Kaspersky Lab, who didn’t disclose the name or nature of the targeted firm.

The Metel group, which is still alive and well and thus far has only been seen attacking financial institutions in Russia, commandeered user administrative accounts from banks' call centers and other systems in order to manipulate transaction information. As their money mules were cashing out millions of dollars from ATMs in cities around Russia using debit cards issued by the victim bank, the attackers rolled back those transactions to hide the heist. This allowed them to pose as a legitimate user but actually steal money from the ATM itself without raising any red flags in the account. In one night, they cashed out several ATMs, according to the researchers.

"The [attackers] watched the mules and they started getting cash" from the ATMs, Golovanov said. "They saw the transaction, and started to cancel it … from the operator's computer."

"Then it was click, click, click on lots of items" from the compromised bank user account to hide the money mule transactions, he said of the attacker who hijacked the bank application.
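The Metel pattern described above, an ATM cash-out immediately reversed from an operator workstation, leaves a correlatable trace in the bank's own records. The following is an added detection example (not Kaspersky's code or anything from the report) that joins withdrawal and reversal events on transaction ID and flags cards whose withdrawals are repeatedly undone within a short window; the event format and sample log are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str      # "withdrawal" (from the ATM switch) or "reversal" (from the core-banking app)
    txn_id: str
    card: str
    amount: int
    actor: str     # ATM id for withdrawals, operator login for reversals

# Constructed sample log: three cash-outs on one card, each cancelled by the same
# operator minutes later, plus one ordinary withdrawal that is never reversed.
SAMPLE_LOG = [
    Event(datetime(2016, 2, 1, 1, 2), "withdrawal", "T1", "CARD-1", 40000, "ATM-17"),
    Event(datetime(2016, 2, 1, 1, 5), "reversal",   "T1", "CARD-1", 40000, "op_call_center"),
    Event(datetime(2016, 2, 1, 1, 9), "withdrawal", "T2", "CARD-1", 40000, "ATM-23"),
    Event(datetime(2016, 2, 1, 1, 12), "reversal",  "T2", "CARD-1", 40000, "op_call_center"),
    Event(datetime(2016, 2, 1, 1, 20), "withdrawal", "T3", "CARD-1", 40000, "ATM-08"),
    Event(datetime(2016, 2, 1, 1, 24), "reversal",  "T3", "CARD-1", 40000, "op_call_center"),
    Event(datetime(2016, 2, 1, 2, 0), "withdrawal", "T4", "CARD-2", 5000, "ATM-17"),
]

def find_rollback_chains(events, window=timedelta(minutes=15), min_chain=3):
    """Return {card: [(txn_id, atm, operator), ...]} for cards whose ATM
    withdrawals were reversed by an operator within `window` at least
    `min_chain` times. A single fast reversal is normal dispute handling;
    a chain of them on one card is the cash-out-and-cancel loop."""
    withdrawals = {e.txn_id: e for e in events if e.kind == "withdrawal"}
    chains = {}
    for e in events:
        if e.kind != "reversal" or e.txn_id not in withdrawals:
            continue
        w = withdrawals[e.txn_id]
        if timedelta(0) <= e.ts - w.ts <= window:
            chains.setdefault(w.card, []).append((w.txn_id, w.actor, e.actor))
    return {card: c for card, c in chains.items() if len(c) >= min_chain}

def operators_behind(chains):
    """Operator logins that issued the reversals, for account-takeover triage."""
    return {op for chain in chains.values() for _, _, op in chain}

if __name__ == "__main__":
    hits = find_rollback_chains(SAMPLE_LOG)
    print(hits)                    # CARD-1 with three reversed withdrawals
    print(operators_behind(hits))  # {'op_call_center'}
```

Tuning the window and chain length against normal dispute-reversal volume is the main work in practice; the join on transaction ID is what makes the signal robust.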

As with the original Carbanak attacks, the Metel group used video surveillance to learn and then impersonate the process. Both Carbanak 2.0 and Metel start their campaigns with spear phishing emails to bank employees. Metel, for instance, employs the Niteris exploit kit to exploit vulnerabilities in the targeted victim's browser. That gives the attackers a foothold in the network, where they run penetration testing tools and other legitimate software to hijack the local domain controller and reach the bank's payment card processing systems.

Via a keylogger, the attackers spied on how banking admins operate, so they were able to watch and learn via screenshots how the admin works with the SSH server, for example, Golovanov said.

They used PowerShell and other scripts to hack the bank's Web server, and they also wiped hard drives, he said.

Old-School Hacking Heist

The GCMAN attackers, meanwhile, didn't bother with spear phishing attacks or malware to steal funds. The GCMAN group took more of an old-school hacking approach, brute-forcing a bank's Web server. "No zero-days, no vulnerabilities," Golovanov said. "They were able to find [weaknesses] in the Web server of a bank."

GCMAN uses penetration testing and legitimate tools such as PuTTY, VNC, and Meterpreter to find a weak machine it can take over to move money to e-currency accounts used by money mules. In one case, the attackers lived on the bank's network for a year and a half before they were detected. They stole money in increments of $200, which is the maximum withdrawal amount in Russia, and employed a custom script to conduct the transactions; they sent the orders directly to the bank's payment gateway in order to bypass the bank's internal computer systems.

Vladislav Roscov, a Kaspersky researcher, said his company last year got an SOS from a Russian bank. “’Come quick. Every minute costs us $200,’ they said.”

The GCMAN attackers initially got inside by brute-forcing the admin password on the server, hacking away only on Saturdays so as not to raise any alarms. A debug script left open on the server was also abused in the attack, Roscov said.

“There was a backdoor crafted to look like a Web banking script,” he said, which had been planted 18 months before the money started going out the door.

GCMAN commandeered some 70 internal hosts and 56 user accounts in the banks it compromised.
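Two details above are directly checkable on the defender's side: the orders went to the payment gateway without passing through the core banking system, and the amounts were a fixed $200 at a rate of roughly one per minute. The example below is added here (not Kaspersky's or the bank's code) and reconciles a constructed gateway log against the core-banking ledger, then flags destination accounts receiving bursts of cap-sized transfers; the log format, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CAP_AMOUNT = 200  # the fixed per-transfer amount the report describes

# Constructed gateway log: (timestamp, order_id, destination_account, amount)
GATEWAY_LOG = [
    (datetime(2016, 2, 6, 3, 0), "G-100", "ecur-mule-7", 200),
    (datetime(2016, 2, 6, 3, 1), "G-101", "ecur-mule-7", 200),
    (datetime(2016, 2, 6, 3, 2), "G-102", "ecur-mule-7", 200),
    (datetime(2016, 2, 6, 3, 3), "G-103", "ecur-mule-7", 200),
    (datetime(2016, 2, 6, 3, 4), "G-104", "ecur-mule-7", 200),
    (datetime(2016, 2, 6, 9, 15), "G-200", "acct-payroll", 200),   # legitimate, in ledger
    (datetime(2016, 2, 6, 9, 40), "G-201", "acct-vendor", 1350),   # legitimate, in ledger
]
# Constructed core-banking ledger: order ids the internal systems actually issued
CORE_LEDGER = {"G-200", "G-201"}

def unreconciled_orders(gateway, ledger):
    """Orders seen by the gateway that the core banking system never issued:
    the signature of a script talking to the gateway directly."""
    return [order_id for _, order_id, _, _ in gateway if order_id not in ledger]

def cap_bursts(gateway, cap=CAP_AMOUNT, window=timedelta(minutes=10), min_count=5):
    """Destinations receiving >= min_count transfers of exactly `cap` within
    any `window`, returned as {destination: count_in_busiest_window}."""
    by_dest = defaultdict(list)
    for ts, _, dest, amount in gateway:
        if amount == cap:
            by_dest[dest].append(ts)
    flagged = {}
    for dest, times in by_dest.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            flagged[dest] = best
    return flagged

if __name__ == "__main__":
    print(unreconciled_orders(GATEWAY_LOG, CORE_LEDGER))  # five G-10x orders
    print(cap_bursts(GATEWAY_LOG))                        # {'ecur-mule-7': 5}
```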

"GCMAN is really unique and smart malware, about the way the attackers were able to avoid the security measures of the banks," Golovanov said.

The researchers have released some indicators of compromise and other information on the three attack campaigns.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
