For several years now, cybercrime in the financial sector has been synonymous with banking botnets such as Zeus and Carberp. By and large, these malware families and their many descendants worked by infecting banking customers’ computers and either stealing passwords or manipulating online banking sessions to steal funds.
A recent report from Kaspersky Lab shows that criminals have significantly raised their game with a new strategy focused on infiltrating and stealing directly from more than 100 different banks. Kaspersky named the operation the Carbanak APT and early estimates put losses in the range of $1 billion USD.
As you might expect, robbing a bank can be more lucrative than stealing from its customers. Even highly successful Zeus operations would typically net in the range of $100 million USD or less. Carberp, the banking botnet progenitor of Carbanak, was estimated to have earned a total of $250 million over years of use in the wild. This makes the $1 billion Carbanak heist one of the most successful financial cybercrimes in history.
Attackers Becoming Insiders
Generally speaking, banking networks are highly secure environments with a variety of unique internal processes, software and systems. Infiltrating and stealing in such a labyrinth would seem to be endlessly complicated. However, like most modern malware, Carbanak is not some autonomous bit of code running on its own, but rather a vehicle for a remote human attacker to watch, learn and remotely drive the attack. This approach enabled the attackers to assimilate the knowledge of the infected user and apply that information to further the attack.
Once they successfully infected a bank employee’s computer, the attackers patiently listened and learned. The Carbanak malware recorded the employee’s desktop display and sent video to the remote attacker. In addition to the standard malware behavior of capturing user credentials, this video of the desktop display enabled the attacker to watch an employee and learn the internal processes of the bank. This is the power of a persistent attack. The attackers didn’t need prior knowledge of the victim network. They had as much time as they needed to learn and plan their next steps.
The attacker’s approach changed based on the particular infected user’s role. In some cases, the attacker compromised the bank’s ATM network to force cash machines to dispense money on command to waiting money mules. In other cases, the attacker altered a banking database to add money to an account that would later be transferred out to the attacker. In all cases, the attacker learned what access the user of an infected computer had within the network and used that access to steal money from the bank. In a very real sense, the outside attacker became a malicious insider because they were using credentialed access and intimate knowledge of the bank’s business processes.
Dangers Hidden in the Whitelist
Every persistent attacker needs the ability to remain in the network for long periods of time without being detected. Unlike previous attacks that relied on specialized custom tools to avoid detection, the Carbanak attackers avoided detection by using the same tools commonly used by bank administrators. As a result, the actions of the attacker were able to blend in with the normal traffic and applications common to the network.
Instead of using a new, never-before-seen tool, attackers opted for the obvious tools that were already approved on the network. For instance, attackers used VNC and PuTTY for remote desktop and SSH respectively. Neither of these tools or protocols would seem out of place given that bank administrators commonly use them. Likewise, attackers used the Ammyy Remote Administration tool to manage compromised machines because it is commonly used by bank administrators and is whitelisted. Additional tools used by the attackers were digitally signed to avoid raising suspicion.
All this means that, going forward, security teams cannot rely on a single smoking-gun indicator of compromise and must use context to reveal the patterns of an attack.
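To make the point about context concrete, here is an added detection example that is not part of the original column or the Kaspersky report. It baselines which hosts normally launch the approved remote-administration tools and flags only events where several contextual signals coincide; the log format, host and user names, business-hours window and two-signal threshold are assumptions, and all events are constructed.

```python
from datetime import datetime

# Tools the column names as approved on bank networks (normalized labels, assumed).
APPROVED_REMOTE_TOOLS = {"vnc", "putty", "ammyy"}

# Constructed sample events: time, source host, user, tool, destination host.
BASELINE = [
    ("2015-01-05T10:02", "admin-ws1", "it.ops", "putty", "db-core"),
    ("2015-01-06T14:30", "admin-ws1", "it.ops", "vnc", "atm-gw"),
    ("2015-01-07T09:15", "admin-ws2", "it.net", "ammyy", "teller-07"),
]
OBSERVED = [
    ("2015-02-02T11:00", "admin-ws1", "it.ops", "putty", "db-core"),
    ("2015-02-03T02:40", "teller-07", "j.smith", "vnc", "atm-gw"),
    ("2015-02-03T02:55", "teller-07", "j.smith", "putty", "db-core"),
    ("2015-02-04T15:10", "admin-ws2", "it.net", "vnc", "teller-12"),
]

def build_baseline(events):
    """Collect hosts that normally launch remote tools and their usual paths."""
    sources, paths = set(), set()
    for _, src, _, tool, dst in events:
        if tool in APPROVED_REMOTE_TOOLS:
            sources.add(src)
            paths.add((src, tool, dst))
    return sources, paths

def score_events(events, baseline, business_hours=(8, 18)):
    """Return (event, reasons) for events showing two or more contextual anomalies."""
    sources, paths = baseline
    flagged = []
    for ev in events:
        ts, src, _user, tool, dst = ev
        if tool not in APPROVED_REMOTE_TOOLS:
            continue
        reasons = []
        if src not in sources:
            reasons.append("source host has never launched a remote admin tool")
        if (src, tool, dst) not in paths:
            reasons.append("new source/tool/destination path")
        hour = datetime.fromisoformat(ts).hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("outside business hours")
        # No single signal is decisive: the tool itself is whitelisted.
        if len(reasons) >= 2:
            flagged.append((ev, reasons))
    return flagged
```

On the constructed data, the administrator reaching a new workstation during the day is left alone, while the teller workstation opening VNC and SSH sessions to the ATM gateway and core database at night is flagged.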
Network Infiltration – Wash, Rinse, Repeat
The key to the success of Carbanak was its ability to infiltrate a bank’s network and remain undetected for extended periods of time.
This “low and slow” network intrusion is the same fundamental strategy employed in virtually every major data breach and cyber attack seen in the past few years. The blueprint is disturbingly familiar – employees are initially infected via phishing or watering hole attacks, attackers perform reconnaissance to build a map of the victim’s networks, lateral movement tools extend the attacker’s footprint and durability within the victim’s network, and data is accumulated and stolen, all while malware provides the attacker with ongoing remote control.
In the case of Carbanak, attackers were able to repeat this strategy in at least 100 banks and financial institutions that we know about today. This should be an awakening for everyone in information security.
The standard narrative of network breaches in the media is that the attackers were either incredibly sophisticated and targeted, or there was an egregious security failing on the part of the victim that allowed the attack to succeed. In both cases the implication is that the attack was somehow exceptional and rare. When 100 banks all fall to the same approach, we are facing a generalized threat, not an exceptional one. This is a mode of attack that has proven effective en masse across all industries with similar efficacy. The persistent, internally driven network attack has become the norm, and security products, teams, and processes need to adapt accordingly.
In my next column I will introduce some of the requirements and best practices for defending against these modern network attacks.