A new bankrobber Trojan has been identified by researchers at Kaspersky Lab, quietly stealing money direct from the banks themselves rather than targeting customers.
The advanced persistent threat is ongoing, and the work of a Russian-speaking newcomers to the scene called the Silence group. The Silence Trojan itself is similar in many ways to the now infamous Carbanak threat that relieved banks of more than a billion dollars between 2013 and 2015. The similarity is not just in the ties to Russia, but also in the attack methodology applied.
According to Kaspersky Lab Silence looks to gain persistent access to internal banking networks over a lengthy period of time, during which day to day activity on the network can be monitored. The precise nature of each separate bank network infected is explored and the Trojan waits for the optimal moment to attack using the intelligence gained.
This intelligence is sourced by such methods as taking multiple screen shots of active screens in order to produce a real-time video stream of internal banking network activity.
The initial compromise being by way of a targeted spearphishing campaign, which uses infected documents. The documents themselves are fairly sophisticated however, both in appearance and execution; one click initiates a download chain ending in the execution of the dropper to connect to the C&C servers. Finally, malicious payloads are then downloaded and executed for each specific task such as screen-recording and credential theft.
All of which sounds like we've been here before, not just with Carbanak but a myriad other malware threats. Even the fact that Silence exploits the infrastructure of already infected financial institutions to launch new attacks using compromised bank employee email accounts is old hat as far as threat activity is concerned.
Which begs the question why have multiple financial organisations fallen victim to the Silence group? Kaspersky researchers suggest "at least 10" across multiple regions have been hit so far, and the attacks are ongoing.
Sergey Lozhkin, security expert at Kaspersky Lab, says that "the most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank's security architecture."
As Richard Betts, with responsibility for International Financial Services at Anomali, says "financial institutions have one of the biggest responsibilities, taking care of sensitive information and people's money. The fact that the "Silence" has been taking advantage of already compromised banks to spear phish others is just unacceptable."
Some would argue that unacceptability runs deep. Vince Warrington, director at Protective Intelligence, told SC Media UK "there's nothing particularly sophisticated about Silence, so it really is a case of getting the fundamentals of security monitoring right."
And Terry Ray, CTO at Imperva added that "cyber criminals use multi-stage attacks to infiltrate and then move laterally until they get what they're ultimately after: data. Therefore, it is essential for all businesses, not just financial institutions to protect their data."
Ilia Kolochenko, CEO of web security company, High-Tech Bridge agrees. "Many financial organisations still fail to maintain a comprehensive and up to date inventory of their digital assets and just forget to reliably protect some parts of their infrastructure" he said in conversation with SC Media UK, continuing "obviously, cyber-criminals won't miss such a great opportunity."
Ryan Wilk, vice president at NuData Security, concludes that "financial service organisations must adopt an intelligence-led security strategy and bridge the fragmentation of security functions to ensure they are collaborating internally."
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout