SecurityWeek

Security Architecture

Reservoir Rogues: Hooked on a’ Stealing

“What’s the cut, Papa?”

“Juicy, Junior. Real juicy.”


Sorry, I couldn’t help myself. Tarantino is too quotable. And that scene is exactly how I imagine a gang of cyber crooks—from the likes of Metel, GCMAN, and Carbanak 2.0—sitting around debating whether or not some long-term, APT-style hack is worth it.

But with paydays reaching upwards of $1 billion, I’d say, yeah, those cuts are downright succulent. And the means by which to achieve them are much more appetizing than what Mr. White, Pink, Brown, Blonde, Orange, and Blue had to go through.

Stuck in the Middle with You

Banking botnets may be passé, but banking heists are all the rage. What’s changed is the hacking strategy. Today, APTs (and, apparently, ATMs) are where it’s at.

While not stick-’em-up, gunpoint robberies, the Metel attacks were half cyber, half physical. The group used spear-phishing emails to infect a bank’s network with malware and gain access to its money-processing systems, stealing credentials and taking over a domain controller. Once they’d set everything up inside the network, automating the rollback of ATM transactions so that account balances would appear untouched, these guys went around—literally thieves in the night—from ATM to ATM, withdrawing cold hard cash.

Another group, GCMAN, also used APT-style techniques (e.g., spear-phishing emails with a malicious RAR archive, and legitimate pen-testing tools like VNC, PuTTY, and Meterpreter for lateral movement) to pull off a different set of bank heists. Patient as spiders spinning their webs, GCMAN sat in one bank’s network for 18 months before the thieving began. But when it did (the group used a cron script to transfer money to multiple e-currency services), the bank bled cash at a rate of $200 per minute.

As NSA Chief Hacker Rob Joyce indicated during his recent talk at the USENIX Enigma conference, hackers are patient and persistent. They’ll wait and wait and wait for the right moment to attack, especially when the reward is big enough. So it’s really not surprising that more cyber crooks are going in for the long haul. These recent Eastern Bloc robberies serve as great examples of why all organizations need to understand that, in all likelihood, their systems have already been compromised, and why they need to readjust their focus to get more pervasive visibility into their networks.

I Gotcha

Although it’s increasingly common to find that threats have been lying dormant in networks for long periods of time, this doesn’t have to be the case. Companies need to take a different tack, become more proactive, and turn the tables on folks like these banking bandits. They can do so by re-architecting existing security stacks around visibility for the best chance at surfacing areas of compromise and shutting down theft, while also continuing to strengthen and maintain perimeter defenses.

I’ve said it before; I’ll say it again: Security requires visibility. Many security vendors understand this—the need for pervasive visibility to analyze network traffic for threats, anomalies, and lateral malware movement. However, no matter how sophisticated security solutions have become, they’re still only as good as the network traffic they see. And what can help with this? A security delivery platform (SDP).

An SDP is designed to give security tools full access to network traffic and network metadata. In the case of the GCMAN hack, an SDP would have delivered full visibility into the traffic of those hackers as they looked to identify computers on the domain that handled financial transactions. In turn, the behavioral analytics devices fed this traffic could have flagged the flurry of activity as anomalous against baseline benchmarks and perhaps detected the infiltration much sooner than the 18 months it actually took.
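Added example (not from the column, and not any vendor’s SDP code): a small baseline-versus-window fan-out check in Python over constructed flow metadata of the kind an SDP would hand to an analytics tool. It flags a host that suddenly starts opening remote-admin connections (VNC, SSH) to many internal machines, the lateral-movement pattern described above as GCMAN hunted for transaction-handling computers; host names, ports, and thresholds are assumptions.

```python
"""Baseline-vs-window fan-out detector over constructed flow metadata.

Assumes a tap/NetFlow source (such as an SDP) hands us one record per
connection as (src_host, dst_host, dst_port). Host names, the baseline
and window below, and the thresholds are illustrative assumptions.
"""
from collections import defaultdict

# Constructed sample: quiet "normal" flows, then a window in which one
# workstation sweeps the domain over remote-admin ports (SSH 22, VNC 5900).
BASELINE_FLOWS = [
    ("ws-07", "fileserver", 445), ("ws-07", "mail", 993), ("ws-07", "dc01", 389),
    ("ws-12", "fileserver", 445), ("ws-12", "mail", 993), ("ws-12", "dc01", 389),
]
WINDOW_FLOWS = [
    ("ws-12", "fileserver", 445), ("ws-12", "mail", 993), ("ws-07", "dc01", 389),
] + [("ws-07", f"host-{i:02d}", port) for i in range(40) for port in (22, 5900)]

ADMIN_PORTS = {22, 5900, 3389, 5985}  # SSH, VNC, RDP, WinRM


def fanout(flows):
    """Map src_host -> set of distinct (dst_host, dst_port) pairs it touched."""
    out = defaultdict(set)
    for src, dst, port in flows:
        out[src].add((dst, port))
    return out


def score_hosts(baseline_flows, window_flows, ratio=3.0, min_new=10):
    """Flag hosts whose distinct-destination count in the window exceeds
    `ratio` times their baseline, or which open at least `min_new`
    never-before-seen remote-admin sessions. Returns {host: reason}."""
    base = fanout(baseline_flows)
    win = fanout(window_flows)
    alerts = {}
    for host, pairs in win.items():
        seen = base.get(host, set())
        new_admin = {p for p in pairs - seen if p[1] in ADMIN_PORTS}
        if len(pairs) > ratio * max(len(seen), 1):
            alerts[host] = f"fan-out {len(pairs)} vs baseline {len(seen)}"
        elif len(new_admin) >= min_new:
            alerts[host] = f"{len(new_admin)} new remote-admin destinations"
    return alerts


if __name__ == "__main__":
    for host, reason in score_hosts(BASELINE_FLOWS, WINDOW_FLOWS).items():
        print(f"ALERT {host}: {reason}")
```

The two thresholds are deliberately separate: the ratio catches a host that simply talks to far more peers than usual, while the remote-admin count catches a host whose volume is modest but whose new destinations are all management ports.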

And how sweet would it be in these cases to deliver the line (again and again): I gotcha!
