Dark Reading is part of the Informa Tech Division of Informa PLC


6/4/2019
06:10 PM

Carbanak Attack: Two Hours to Total Compromise

Investigation of the cybercrime group's attack on an East European bank shows how some attackers require very little time to broaden their access and establish persistence on a network.

A security vendor's investigation of a May 2018 cyberattack on an East European bank has revealed the astonishing speed and sophistication with which some advanced threat actors can expand their presence on a network after gaining initial access to it.

The attack began when two employees of the bank were tricked into opening a malicious document in a spear-phishing email from the Carbanak group—a cybercrime outfit believed to have stolen hundreds of millions of dollars from banks in over 40 countries.

The tainted document contained three exploits for remote code execution in Microsoft Word, which minutes later allowed the attackers to install a backdoor for deploying new payloads and for establishing persistence on the freshly compromised infrastructure.  

One of the payloads was Cobalt Strike Beacon, a Carbanak malware tool that among other things allowed the attackers to map the organization’s internal network so they could find admin-level credentials for moving across the infrastructure.

Not long after, they managed to obtain credentials for one Domain Administrator, which they then proceeded to use to access a domain controller server and at least two other endpoint devices on the compromised bank network.

"In under two hours the attackers managed to directly compromise a critical infrastructure component and get admin-level credentials, without tripping any alarms," says Liviu Arsene, global cybersecurity analyst at Bitdefender, the security vendor that was called in to investigate the breach.

Over the next two months, the attackers were able to use the credentials to quietly move about the network and to try and gain access to systems that would allow them to manipulate and withdraw funds from the bank's ATMs. The breach was discovered after a series of security alerts were eventually triggered by the credentials being used to access systems not normally associated with them.

"The main takeaway is that organizations, even highly regulated ones that operate in the financial industry, need to focus on reducing the time to detect a potential security breach," Arsene says. "It's vital that they detect and block these attacks during the reconnaissance phase, before attackers execute their final heist."

Bitdefender's investigation of the attack on the East European bank revealed extensive planning and patience on the Carbanak group's part.

In the first four weeks following the initial intrusion, the group systematically compromised numerous workstations in search of specific information that could help them breach the ATM network. One of the servers that the group compromised was later used to store documents pertaining to internal applications, system manuals, and other documents.

By Day 33, the group had gathered enough information to be able to connect to a host with access to banking applications. Over the next three weeks or so, members of the Carbanak group managed to break into at least seven other hosts with similar access to banking applications on the compromised network.

According to Bitdefender, the Carbanak group's movements on the breached network suggested a comprehensive understanding of the nature and location of the data they were looking for. At the same time the group also appeared focused on improving its understanding of the bank's internal systems in an effort to make its attack more efficient and stealthy, Bitdefender said in a report that summarizes the findings from its breach investigation.

The attackers showed experience in interacting with financial systems and appeared interested in constantly documenting and learning more about the inner workings of banking applications, potentially to maximize their efforts in future heists, Arsene says.

Keeping a Low Profile

Significantly, the attackers took considerable effort to maintain a low network footprint and to conceal their movement. For example, they used a single compromised workstation on the network to centralize and store all their collected information and for communicating with their command and control server, Bitdefender said. The group also made sure to carry out the bulk of their activities after normal business hours.

The reason their after-hours activity wasn't flagged as suspicious was that the authentication credentials had the necessary security clearance to perform this activity, Arsene says. The admin-level credentials were regularly used for remote access outside business hours, so there was little reason the activity would be flagged as suspicious.

"What these attackers did was keep a low footprint by remotely dialing in and out of select targets, sometimes days apart," Arsene notes. Command-and-control communication typically lasted between 20 minutes and one hour at most. Moving laterally across the infrastructure was a matter of using Remote Desktop Protocol with the stolen admin credentials.

"This way, any suspicious activity would have been regarded as normal activity since those credentials would normally belong to someone that had the security clearance to do that," Arsene says.

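The alerts that finally exposed the intruders came from credentials being used on systems not normally associated with them, while time of day was no help because the real administrators also worked after hours. The sketch below is an added example, not taken from the article or from Bitdefender's report: it baselines where an admin account normally uses RDP and flags departures from that. All account names, host names and events are constructed; logon type 10 is the RemoteInteractive (RDP) type recorded in Windows Security event 4624.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (timestamp, account, source host, destination host, logon type).
BASELINE = [
    ("2018-04-02T22:15", "adm-jdoe", "WS-ADMIN01", "DC01", 10),
    ("2018-04-09T23:40", "adm-jdoe", "WS-ADMIN01", "FILESRV02", 10),
    ("2018-04-17T21:05", "adm-jdoe", "WS-ADMIN01", "DC01", 10),
]
OBSERVED = [
    ("2018-05-14T22:30", "adm-jdoe", "WS-ADMIN01", "DC01", 10),        # usual admin work
    ("2018-05-15T23:10", "adm-jdoe", "WS-TELLER07", "ATMGW01", 10),    # unfamiliar hosts
    ("2018-05-19T01:45", "adm-jdoe", "WS-TELLER07", "BANKAPP03", 10),  # unfamiliar hosts
    ("2018-05-19T10:00", "adm-jdoe", "WS-ADMIN01", "FILESRV02", 3),    # network logon, not RDP
]

def build_baseline(events):
    """Record which RDP destinations and sources each account has used."""
    dests, sources = defaultdict(set), defaultdict(set)
    for _, account, src, dst, logon_type in events:
        if logon_type == 10:
            dests[account].add(dst)
            sources[account].add(src)
    return dests, sources

def after_hours(ts, start=8, end=18):
    """True when the timestamp falls outside the start-end working day."""
    return not (start <= datetime.fromisoformat(ts).hour < end)

def unusual_rdp(events, dests, sources):
    """Return RDP logons to or from a host the account has not used before."""
    alerts = []
    for ts, account, src, dst, logon_type in events:
        if logon_type != 10:
            continue
        reasons = []
        if dst not in dests[account]:
            reasons.append("new destination")
        if src not in sources[account]:
            reasons.append("new source")
        if reasons:
            alerts.append((ts, account, src, dst, reasons))
    return alerts

dests, sources = build_baseline(BASELINE)
ALERTS = unusual_rdp(OBSERVED, dests, sources)
for alert in ALERTS:
    print(alert)
```

Every baseline logon in this sample is itself after hours, so an after-hours rule alone would fire on the legitimate session as well; the account-to-host relationship is what separates the two.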

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
REISEN1955,
User Rank: Ninja
6/5/2019 | 9:20:06 AM
Two immed take-aways
There are many lessons here. The infection began with two users opening an infected email - user education would go miles towards improving these events which are all too common. Second, base infection took 2 hours which is more or less human time once detected. Initial infection took FAR shorter though so humans do not respond fast enough. Here is where automated tools come in to effective use. Third less obvious is that attackers did good recon work and kept a low low profile. If you break into a home, do not do it at dinnertime. Daytime with a moving van and uniforms (with nobody home) often works for spying neighbors. Thieves always perform recon first to see defenses and patterns, such as lights on and off during vacations. (They attacked ONLY during business hours). All attack data flowed through one, 1, machine making that more suspect as a bad endpoint by itself instead of a gigantic door. So there are a ton of good lessons in this tale but user education is tops. "If you don't need it, don't read it, delete it."