Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Technology

CARBANAK AND BEYOND: BANKS FACE NEW ATTACKS
software

Published : , on

Kaspersky Lab identifies new tricks and copycats of the infamous financial cyber-heist

 A year after Kaspersky Lab warned that cybercriminals would start to adopt the tools and tactics of nation-state backed APTs in order to rob banks, the company has confirmed the return of Carbanak as Carbanak 2.0 and uncovered two more groups working in the same style: Metel and GCMAN. They attack financial organisations using covert APT-style reconnaissance and customised malware along with legitimate software and new, innovative schemes to cash out.

The Metel cybercriminal group has lots of tricks in its playbook but is particularly interesting because of a remarkably clever scheme: by gaining control over machines inside a bank that have access to money transactions (e.g. the bank’s call centre/support computers) the gang can automate the rollback of ATM transactions.

The rollback capability ensures that the balance on debit cards remains the same regardless of the number of ATM transactions undertaken. In the examples observed to date, the criminal group steals money by driving around cities in Russia at night and emptying ATM machines belonging to a number of banks, repeatedly using the same debit cards issued by the compromised bank. In the space of just one night they manage to cash out.

“Nowadays, the active phase of a cyber-attack is becoming shorter. When the attackers become skilled in a particular operation, it takes them just days or a week to take what they want and run,” commented Sergey Golovanov, Principal Security Researcher at Global Research and Analysis Team, Kaspersky Lab.

During the forensic investigation, Kaspersky Lab’s experts uncovered that Metel operators achieve their initial infection through specially crafted spear-phishing emails with malicious attachments, and through the Niteris exploit pack, targeting vulnerabilities in the victim’s browser. Once inside the network, the cybercriminals use legitimate and pentesting tools to move laterally, hijacking the local domain controller and eventually locating and gaining control over computers used by the bank’s employees responsible for payment card processing.

The Metel group remains active and the investigation into its activities is ongoing. So far no attacks outside Russia have been identified. Still, there are grounds to suspect that the infection is much more widespread, and banks around the world are advised to proactively check for infection.

All three of the gangs identified are shifting toward the use of malware accompanied by legitimate software in their fraudulent operations: why write a lot of custom malware tools, when legitimate utilities can be just as effective, and trigger far fewer alarms?

But in terms of stealthiness, the GCMAN actor goes even further: sometimes it can successfully attack an organisation without the use of any malware, running legitimate and pentesting tools only. In the cases Kaspersky Lab’s experts have investigated, we saw GCMAN using Putty, VNC, and Meterpreter utilities to move laterally through the network till the attackers reached a machine which could be used to transfer money to e-currency services without alerting other banking systems.

In one attack observed by Kaspersky Lab, the cybercriminals stayed in the network for one-and-a-half years before activating the theft. Money was being transferred in sums of about $200, the upper limit for anonymous payments in Russia. Every minute, the CRON scheduler fired a malicious script, and another sum was transferred to an e-currency accounts belonging to a money mule. The transaction orders were sent directly to the bank’s upstream payment gateway and did not show up anywhere in the bank’s internal systems.

And finally, Carbanak 2.0 marks the re-emergence of the Carbanak advanced persistent threat (APT), with the same tools and techniques but a different victim profile and innovative ways to cash out.

In 2015, the targets of Carbanak 2.0 are not only banks, but the budgeting and accounting departments of any organisation of interest. And in one example observed by Kaspersky Lab, the Carbanak 2.0 gang accessed a financial institution and proceeded to alter the credentials of ownership for a large company. The information was modified to name a money mule as a shareholder of the company, displaying their ID information.

“Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cybercriminals aggressively embracing APT-style attacks. The Carbanak gang was just the first of many: cybercriminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly. Their logic is simple: that’s where the money is,” warns Sergey Golovanov. “And we aim to show how and where, specifically, the threat actors might hit to get your money. I expect that after hearing about GCMAN attacks, you will go and check how your web banking servers are protected; while in the case of Carbanak, we advise protecting the database that contains information about the owners of accounts, not just their balances.”

Kaspersky Lab products successfully detect and block the malware used by the Carbanak 2.0, Metel and GCMAN threat actors. The company is also releasing crucial Indicators of Compromise (IOC) and other data to help organisations search for traces of these attack groups in their corporate networks.  For more information please visit Securelist.com

We urge all organisations to carefully scan their networks for the presence of Carbanak, Metel and GCMAN and, if detected, to disinfect their systems and report the intrusion to law enforcement.

Uma Rajagopal has been managing the posting of content for multiple platforms since 2021, including Global Banking & Finance Review, Asset Digest, Biz Dispatch, Blockchain Tribune, Business Express, Brands Journal, Companies Digest, Economy Standard, Entrepreneur Tribune, Finance Digest, Fintech Herald, Global Islamic Finance Magazine, International Releases, Online World News, Luxury Adviser, Palmbay Herald, Startup Observer, Technology Dispatch, Trading Herald, and Wealth Tribune. Her role ensures that content is published accurately and efficiently across these diverse publications.

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!


By submitting this form, you are consenting to receive marketing emails from: . You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post