Story image

Threats new and old targeting financial organisations

09 Feb 2016

The return of an old enemy and its friends is seeing attacks on financial organisations, according to reports.

Security experts Kaspersky Lab has confirmed the return of Carbanak as Carbanak 2.0, and uncovered two additional groups working in the same style: Metel and GCMAN.

They attack financial organisations using covert APT-style reconnaissance and customised malware, along with legitimate software and new, innovative schemes to cash out, Kaspersky Labs explains.

According to the company, the Metel cyber-criminal group employs a remarkably clever scheme.

By gaining control over machines inside a bank that have access to money transactions (e.g. the bank’s call centre/support computers), the gang can automate the rollback of ATM transactions.

The rollback capability ensures that the balance on debit cards remains the same regardless of the number of ATM transactions undertaken.

In the examples observed to date, the criminal group steals money by driving around cities in Russia at night and emptying ATM machines belonging to a number of banks, repeatedly using the same debit cards issued by the compromised bank.

“Nowadays, the active phase of cyber-attack is becoming shorter. When the attackers become skilled in a particular operation, it takes them just days or a week to take what they want and run,” explains Sergey Golovanov, principal security researcher for Global Research & Analysis Team, Kaspersky Lab.

During the forensic investigation, Kaspersky Lab’s experts uncovered that Metel operators achieve their initial infection through specially crafted spear-phishing emails with malicious attachments, and through the Niteris exploit pack, targeting vulnerabilities in the victim’s browser.

Once inside the network, the cyber-criminals use legitimate and pentesting tools to move laterally, hijacking the local domain controller and eventually locating and gaining control over computers used by the bank’s employees responsible for payment card processing. 

The Metel group remains active and the investigation into its activities is ongoing, Kaspersky says.

“So far no attacks outside Russia have been identified. Still, there are grounds to suspect that the infection is much more widespread, and banks around the world are advised to proactively check for infection.”

Finally, Carbanak 2.0 marks the re-emergence of the Carbanak advanced persistent threat (APT), with the same tools and techniques but a different victim profile and innovative ways to cash out.

In 2015, the targets of Carbanak 2.0 were not only banks, but the budgeting and accounting departments of any organisation of interest.

In one example observed by Kaspersky Lab, the Carbanak 2.0 gang accessed a financial institution and proceeded to alter the credentials of ownership for a large company. The information was modified to name a money mule as a shareholder of the company, displaying their ID information.

“Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cyber-criminals aggressively embracing APT-style attacks,” explains Golovanov.

“The Carbanak gang was just the first of many: cyber-criminals now learn quickly how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly,” he says.

“Their logic is simple: that’s where the money is.”

New threat rears its head in new malware report
Check Point’s researchers view Speakup as a significant threat, as it can be used to download and spread any malware.
Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.