Carbanak still active, latest cyber-bank heist took months to carry out

News by Rene Millman

Despite an arrest being made, the Carbanak cyber-criminal group appears to be in action, according to a new report published by Bitdefender, which describes an attempted takeover of an entire ATM network.

Despite an arrest being made, the Carbanak cybercriminal group appears to be in action, according to a new report published by Bitdefender.
The company’s forensic investigations found that while the leader of the group was apprehended in Alicante, Spain, earlier this year, this has not "made a dent in the cyber-criminal organisation, as subsequent spear-phishing campaigns seem to have been reported from March until May 2018".
The group was first discovered in 2014, after compromising the security systems of 100 banks in 40 countries and stealing up to US$1 billion (£770 million) in the process. Banks around the world have allegedly been targeted with spear-phishing emails, luring victims into clicking malicious URLs and executing booby-trapped documents.
According to the analysis, financial institutions in Eastern Europe remain the primary focus of the criminal group, which uses spear phishing as the main attack vector. The presence of Cobalt Strike hacking tools is the key indicator that the financial institutions were targeted by the Carbanak cyber-criminal gang.
The report found that in the reconnaissance phase, data related to banking applications and internal procedures was collected and prepared for exfiltration, to be used for the final stage of the attack. Infrastructure reconnaissance mainly occurred after business hours or on weekends to avoid triggering security alarms.
It only took attackers a couple of hours to go from initial compromise to a fully established foothold and lateral movement, showing experience, knowledge and coordination, the report said. The final goal of the targeted attack was to compromise the ATM networks, potentially to cash out at ATMs in a coordinated physical and infrastructure criminal operation.
"The Carbanak group, which has a long track record of compromising infrastructure belonging to financial institutions, is still active. Its purpose remains to manipulate financial assets, such as transferring funds from bank accounts or taking over ATM infrastructures and instructing them to dispense cash at predetermined time intervals," the report said.
Researchers said that their investigations showed that the attackers’ main methods remain to quietly infiltrate the infrastructure by establishing a foothold on an employee’s system, then move laterally across the infrastructure or elevate privileges to find critical systems that manage financial transactions or ATM networks.
They added that if the attack had succeeded, it would have given hackers control over the ATM network, while money mules would have been standing by the ATM machines at pre-set time intervals to cash them out.
"They could have also been able to reset the cash-out limit on ATMs, using a predetermined/preauthorised card. This way, money mules could have extracted the same amount over and over, without the ATMs reporting any transactions to the bank," said researchers.
Justin Des Lauriers, technical project manager at Exabeam, told SC Media UK that one way to thwart hackers from infiltrating infrastructure is by deploying user entity behaviour analytics (UEBA), which can detect the telltale behaviours associated with these types of attacks. 
"From the onset of its deployment, a behaviour-based approach creates normal user behaviour baselines, making it possible to track any deviations from the norm. Examples include an illegitimate user who attempts to connect to a domain, or an insider who suspiciously downloads files typically not associated with them," he said. 
Jake Moore, security specialist at ESET, told SC Media UK that bank robbery has as much kudos amongst criminal gangs as it has ever had. 
"Although now it’s a painstaking process which can take months going through the bank’s computers, rather than with guns through the front door," he said. 
"Spear phishing is the attack vector of choice for the group and these are impressive emails which can fool even the most cyber-savvy employee. Although training can be difficult to roll out in businesses, we should always be banging the awareness drum: making employees think twice and double check where they can to verify the authenticity of any contact made."
