THREAT INFORMATION
Multiple banks from post-Soviet countries have been breached by an organized crime group, resulting in a series of suspicious ATM withdrawal transactions and million-dollar losses — a well-planned and coordinated attack, which involves physical and cyber activities to achieve the threat actor’s goals.
The criminals behind this attack manipulate the overdraft limit of specific debit card accounts to allow further credit permissions and withdraw cash from ATM terminals located in foreign countries.
TARGETED ATTACK CHAIN
Click to enlarge
The crime operation of this attack is divided into multiple teams: Money Mules, who are group of individuals that perform the offline (physical) activities, and Cyber Criminals, who are in charge of attacking the bank’s network infrastructure.
- Team 1: Money Mules
This team applies for new accounts and requests for debit cards in targeted bank branches using fake identities and information. The bank issues the debit cards and the first team of money mules forwards the debit cards to the perpetrators, who are located in different countries throughout Europe.
- Team 2: Cyber Criminals
While the teams of money mules are performing the initial stage of the attack, a group of cyber criminals are already attacking the bank’s network infrastructure. The attack begins with a phishing email that downloads/installs a backdoor into the machine. The threat actors then abuse legitimate tools and services to perform lateral movement and asset discovery.
The cyber criminals leverage legitimate tools and services already installed in the system, such as PowerShell and PSexec to perform lateral movement and asset discovery. It is also indicative that PuTTY Link (plink.exe) was one of the toolkits used for the lateral movement stage. Additional software, like the monitoring tool Mipko, was also installed to capture screenshots and keystrokes. This allows the attackers to study how the bank's system works, as well as to steal login credentials. Leveraging these tools allows threats actors to blend in with normal network traffic or IT/system administration tasks.
The cyber criminal's main goal is to take control of the bank’s card management application system. Using the credentials that they were able to capture, they log into the card management application system using privileged accounts to manipulate the overdraft limit of the debit cards associated with the rogue accounts, as well as remove anti-fraud controls for these accounts.
- Team 3: Money Mules
The role of this group of money mules is to withdraw cash from selected ATM machines located in different cities using the debit cards of the rogue accounts.
This is a synchronized attack i.e. the entire operation was carefully planned. The team of money mules was assigned in select ATM terminals in Europe and Russia, carrying the debit cards of the rogued bank accounts. Once the team of cybercriminals manipulates the overdraft limit, they immediately give a green light to the money mules to withdraw the cash from the ATM terminals. The manipulation of the debit cards' overdraft limit and the withdrawals take place almost simultaneously. This well-coordinated attack is a strong indication of organized crime activities.
TREND MICRO PRODUCT SOLUTIONS
Messaging products such as InterScan Messaging Security Virtual Appliance (IMSVA) and ScanMail for Exchange (SMEX) can block phishing emails related to this attack. Both products check for email reputation, web reputation of the embedded links, as well as file attachments and macros in MS Office documents.
Trend Micro already detects the main backdoors used for this attack using pattern 13.717.00.
- TROJ_LOADER.YMNIA
- TROJ_MBRWIPE.B
Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks. It performs a behavioral analysis on unknown or low-prevalence processes to determine if an emerging or unknown threat is attempting to infect your network.
Predictive Machine Learning detects the backdoors used for this attack as the following:
- Troj.Win32.TRX.XXPE002FF019
Web Reputation Services evaluates the potential security risk of all requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, web reputation either blocks or approves the request.
Web Reputation service already blocks all of the command and control servers related to this attack.
- 192[.]52[.]167[.]228
- 192[.]52[.]167[.]28
Deep Discovery Inspector provides traffic inspection, advanced threat detection, and real-time analysis — all purposely built for detecting targeted attacks. The following are the rules available (but not limited to) that can help detect command and control detection and lateral movement related to this attack:
- Command and Control
- DDI Rule ID 26: C&C callback attempt
- Lateral Movement
- Rule 597 - PsExec – SMB
- Rule 1847 - PsExec - SMB - Variant 2
- Rule 1751 - Possible PsExec Tool Detected
- Rule 626 - Successful log on to TELNET
- Rule 35 - Executable file dropped in administrative share - SMB
Deep Security has an IPS solution that can help monitor traffic associated to this attack (but not limited to).
- 1006906 - Identified Usage Of PsExec Command Line Tool
- 1002487 - SSH Client
- 1002475 - Telnet Client
- 1003595 - Detected Telnet Server Traffic
- 1007114 - Portable Executable File Uploaded on SMB Share
These are legitimate applications typically used by administrators for day-to-day management tasks. However, in the hands of a cybercriminal, these tools can become powerful weapons that can be used to perform a wide array of malicious activities.
File Name: plink.exe
Description: A command-line utility for PuTTY which can be used for non-interactive SSH session to execute remote commands
File Name: netscan.exe
Description: This program can be used for lateral movement and asset discovery. It has the ability to perform ping commands, ports scanning, network shares discovery, retrieve info about network devices, among others. This tool also supports remote SSH and PowerShell command execution
File Name: mpk.exe, mpkview.exe
Description: Legitimate monitoring tool to capture screenshots and keystrokes
File Name: Psexec
Description: Microsoft Sysinternals command line based remote administration tool that allows remote execution of processes on other systems
BEST PRACTICES FOR IT ADMIN
- User education about social engineering attacks
User education and awareness helps improve everyone’s security posture. Organizations should conduct regular training to ensure that employees have a solid understanding of company security policy, procedure, and best practices.
- Application Whitelisting
A good protection for endpoints is application control a.k.a. application whitelisting. IT administrators can determine the list of programs/files/processes that can run on their network computers via application control. They can create lists based on an inventory of their existing endpoints or by category, vendor, app, or other dynamic reputation attributes.
- Legitimate Tools and Services
Cyber criminals are increasingly abusing legitimate tools or services already in the system. Limiting and securing the use of programs and services, such as PsExec and Powershell, can help prevent attackers from misusing these tools.
- Network Segmentation
Proper segmentation of networks can help defend against targeted attacks in various ways. This makes the task of lateral movement within a targeted organization’s network more difficult. Network segmentation serves as a defense-in-depth strategy that increased the effort that an attacker has to expend to successfully compromise an organization.