A series of banks in post-Soviet states has recently lost millions to a particularly sophisticated attack strategy, with the average loss around £3.8 million in cash and individual losses ranging from £2 million to £7 million. The researchers warn that, given the scheme's success, similar methods are likely to be attempted imminently against banks in Europe and the US.
The attacks rely on detailed knowledge of internal bank processes and on several online and offline groups of attackers working in unison. The attack involves the creation of large numbers of ‘mule accounts’ with fake documents, then the compromise of key bank systems and credentials, which are in turn used to create and approve overdraft facilities for the mule accounts, as well as to suppress fraud alerts for those accounts if required. In a synchronised attack, once the internal controls have been suppressed, the offline criminals strike within minutes at various ATM locations outside the bank's originating country, withdrawing large sums of cash.
The researchers from Trustwave SpiderLabs said that the attacks represent a ‘clear and imminent threat to financial institutions’ in European, North American, Asian and Australian regions within the next year.
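The attack chain described above (fresh accounts, an overdraft approved on each, a suppressed fraud alert, then ATM withdrawals abroad minutes later) is a correlation problem for the bank's own audit logs. The following is an added detection example, written for this page rather than taken from the Trustwave report; the event format, field names, account numbers, the "HOME" country code and the time thresholds are all constructed assumptions, and a real core-banking or fraud platform would expose different fields.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit records (not from the report). One line per event:
# timestamp, event type, account id, then key=value attributes.
SAMPLE_EVENTS = """\
2017-10-01T09:12:00 ACCOUNT_OPENED ACC-1001 branch=OFFICE-7
2017-10-01T09:40:00 ACCOUNT_OPENED ACC-1002 branch=OFFICE-7
2017-10-01T10:05:00 ACCOUNT_OPENED ACC-1003 branch=OFFICE-7
2017-09-02T11:00:00 ACCOUNT_OPENED ACC-2001 branch=OFFICE-1
2017-10-03T08:30:00 OVERDRAFT_APPROVED ACC-1001 limit=50000 approver=uBackoffice3
2017-10-03T08:31:00 OVERDRAFT_APPROVED ACC-1002 limit=50000 approver=uBackoffice3
2017-10-03T08:32:00 OVERDRAFT_APPROVED ACC-1003 limit=50000 approver=uBackoffice3
2017-10-03T08:45:00 ALERT_SUPPRESSED ACC-1001 rule=CASH_VELOCITY analyst=uFraud1
2017-10-03T08:45:30 ALERT_SUPPRESSED ACC-1002 rule=CASH_VELOCITY analyst=uFraud1
2017-10-03T08:46:00 ALERT_SUPPRESSED ACC-1003 rule=CASH_VELOCITY analyst=uFraud1
2017-10-03T08:50:00 ATM_WITHDRAWAL ACC-1001 amount=9000 country=DE
2017-10-03T08:52:00 ATM_WITHDRAWAL ACC-1002 amount=9000 country=DE
2017-10-03T08:53:00 ATM_WITHDRAWAL ACC-1003 amount=9000 country=NL
2017-10-03T09:01:00 ATM_WITHDRAWAL ACC-1001 amount=9000 country=DE
2017-10-03T12:00:00 ATM_WITHDRAWAL ACC-2001 amount=200 country=HOME
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    account: str
    attrs: dict


def parse_events(text):
    """Parse the constructed line format into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, account, *rest = line.split()
        attrs = dict(item.split("=", 1) for item in rest)
        events.append(Event(datetime.fromisoformat(ts), kind, account, attrs))
    return events


def find_mule_cashouts(events, home_country="HOME",
                       max_account_age=timedelta(days=30),
                       cashout_window=timedelta(minutes=60)):
    """Flag accounts that match the chain: young account, overdraft approved,
    fraud alert suppressed, then ATM withdrawals abroad shortly after the
    suppression. Thresholds are assumptions, not values from the report."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev.account].append(ev)

    flagged = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e.ts)
        opened = [e.ts for e in evs if e.kind == "ACCOUNT_OPENED"]
        overdrafts = [e for e in evs if e.kind == "OVERDRAFT_APPROVED"]
        suppressions = [e for e in evs if e.kind == "ALERT_SUPPRESSED"]
        foreign = [e for e in evs if e.kind == "ATM_WITHDRAWAL"
                   and e.attrs.get("country") != home_country]
        if not (opened and overdrafts and suppressions and foreign):
            continue
        # Overdraft granted while the account was still new.
        young = any(od.ts - opened[0] <= max_account_age for od in overdrafts)
        # Withdrawals abroad that follow a suppression within the window.
        cashouts = [w for w in foreign
                    if any(timedelta(0) <= w.ts - s.ts <= cashout_window
                           for s in suppressions)]
        if young and cashouts:
            flagged[acct] = {
                "first_cashout": cashouts[0].ts,
                "withdrawn": sum(int(w.attrs["amount"]) for w in cashouts),
                "approver": overdrafts[0].attrs.get("approver"),
                "analyst": suppressions[0].attrs.get("analyst"),
            }
    return flagged


def cluster_cashouts(flagged, window=timedelta(minutes=30)):
    """Group flagged accounts whose first foreign withdrawal falls within
    `window` of the previous one: the synchronised cash-out signature.
    Returns only groups of two or more accounts."""
    ordered = sorted(flagged.items(), key=lambda kv: kv[1]["first_cashout"])
    groups = []
    for acct, info in ordered:
        if groups and info["first_cashout"] - groups[-1][-1][1] <= window:
            groups[-1].append((acct, info["first_cashout"]))
        else:
            groups.append([(acct, info["first_cashout"])])
    return [[a for a, _ in g] for g in groups if len(g) > 1]


if __name__ == "__main__":
    hits = find_mule_cashouts(parse_events(SAMPLE_EVENTS))
    for acct, info in hits.items():
        print(acct, info)
    print("synchronised groups:", cluster_cashouts(hits))
```

The point of the two-stage check is that each signal alone is noisy (new accounts get overdrafts, analysts close alerts, customers travel), but the chain in this order, repeated across several accounts within the same few minutes, is the pattern the report describes. The approver and analyst identities are carried into the finding because the compromised credentials are themselves the lead for incident response.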
Thanassis Diogos, EMEA managing consultant for incident response at Trustwave, said that the key to the attackers' success was a very high level of organisation, and that: “The attackers really had time on their side - the timeline here was between five and eight months between initial compromise to cashing out - they really used that advantage. Many of the banks affected had very weak controls around opening new accounts, which the attackers also capitalised on. However, the biggest issue is a common one, a focus on defensive perimeter security rather than a more internal, cultural security stance.”
David Emm, principal security researcher at Kaspersky Lab, agreed: “It's often the case that internal communication and culture around security is sidelined - most organisations spend a lot of time communicating externally with partners and customers, but not using the same skills internally. Companies can develop policies and procedures but we still need to raise awareness about security - it needs to be a cultural thing, rather than just focussing on the dos and don'ts.”
Mitigation recommendations from the report include: preparing a well-documented and tested Incident Response Plan (IRP); adopting a different approach (e.g. Windows LAPS) to managing local administrator account credentials on Windows networks; restricting by policy the use of the Domain Admin account over the network unless absolutely necessary; and creating a proactive programme for Managed Detection and Response (MDR), also known as threat hunting.
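Two of those recommendations, restricting Domain Admin use over the network and running a proactive hunt, can be checked against the same data: Windows Security event 4624 (successful logon). The logon-type values are the documented Windows ones (2 interactive, 3 network, 5 service, 10 RemoteInteractive), but the reduced JSON record layout, the host and account names, the privileged-account list and the set of permitted admin workstations are all constructed assumptions for this added example; it is not code from the report or from Trustwave.

```python
import json
from collections import Counter

# Constructed reduction of Windows Security 4624 records to the fields a hunt
# needs. "Computer" stands for the host that logged the event. All names are
# made up.
SAMPLE_4624 = """\
{"TimeCreated":"2017-10-03T08:10:00","TargetUserName":"da.admin","LogonType":2,"WorkstationName":"PAW-01","IpAddress":"-","Computer":"PAW-01"}
{"TimeCreated":"2017-10-03T08:12:00","TargetUserName":"da.admin","LogonType":3,"WorkstationName":"PAW-01","IpAddress":"10.0.0.5","Computer":"DC01"}
{"TimeCreated":"2017-10-03T08:20:00","TargetUserName":"da.admin","LogonType":3,"WorkstationName":"WS-BACKOFFICE-7","IpAddress":"10.1.4.22","Computer":"FILE01"}
{"TimeCreated":"2017-10-03T08:21:00","TargetUserName":"da.admin","LogonType":10,"WorkstationName":"WS-BACKOFFICE-7","IpAddress":"10.1.4.22","Computer":"SRV-CORE-BANKING"}
{"TimeCreated":"2017-10-03T08:25:00","TargetUserName":"jsmith","LogonType":3,"WorkstationName":"WS-TELLER-3","IpAddress":"10.1.9.8","Computer":"FILE01"}
{"TimeCreated":"2017-10-03T08:30:00","TargetUserName":"svc.backup","LogonType":5,"WorkstationName":"SRV-BACKUP","IpAddress":"-","Computer":"SRV-BACKUP"}
"""

# Assumed policy inputs: accounts that are members of Domain Admins, and the
# only workstations from which those accounts may reach other hosts.
PRIVILEGED_ACCOUNTS = {"da.admin"}
ALLOWED_ADMIN_SOURCES = {"PAW-01"}

# Windows logon types that mean "this credential was used across the network".
REMOTE_LOGON_TYPES = {3, 10}   # 3 = network, 10 = RemoteInteractive (RDP)


def parse_4624(text):
    """Parse one JSON record per line into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_policy_violations(records, privileged=PRIVILEGED_ACCOUNTS,
                           allowed_sources=ALLOWED_ADMIN_SOURCES):
    """Return 4624 records where a privileged account logged on over the
    network from a workstation that policy does not permit."""
    findings = []
    for rec in records:
        if rec["TargetUserName"] not in privileged:
            continue
        if rec["LogonType"] not in REMOTE_LOGON_TYPES:
            continue
        if rec["WorkstationName"] in allowed_sources:
            continue
        findings.append({
            "time": rec["TimeCreated"],
            "user": rec["TargetUserName"],
            "source": rec["WorkstationName"],
            "source_ip": rec["IpAddress"],
            "target": rec["Computer"],
            "logon_type": rec["LogonType"],
        })
    return findings


def summarise(findings):
    """Count violations per (account, source workstation) so a hunter sees
    which compromised host is spraying the privileged credential."""
    return Counter((f["user"], f["source"]) for f in findings)


def targets_reached(findings):
    """Distinct hosts the privileged credential touched from disallowed
    sources: the first scoping list for incident response."""
    return sorted({f["target"] for f in findings})


if __name__ == "__main__":
    hits = find_policy_violations(parse_4624(SAMPLE_4624))
    for f in hits:
        print(f)
    print(summarise(hits))
    print("hosts reached:", targets_reached(hits))
```

The check is deliberately simple: a Domain Admin credential used with logon type 3 or 10 from anything other than a designated admin workstation is either a policy breach or a compromised credential, and both are worth a ticket. LAPS addresses the adjacent problem of a shared local administrator password that lets one compromised workstation become all of them; the same hunt can be extended to local administrator accounts once LAPS makes each host's password unique.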
Key IoCs are below: