by Bharat Mistry
Cyber-attacks are happening all the time. In fact, the one certainty CISOs should have today is that their organisation has either already been compromised, or it will be breached at some point in the future. But many of the most dangerous attacks are the ones designed to slip under the radar unnoticed — in many ways the opposite of your typical ransomware outage. This week, one of these sophisticated attack campaigns was revealed: a gang targeting US and Russian banks as well as a UK financial software provider. It’s already netted $10m (£7.5m) for the hackers, who are still at large.
Those familiar with Trend Micro’s yearly predictions pieces will be interested to see that the techniques used by the gang were highlighted in our 2017 and 2018 reports. While it’s good to see that our predictions are on the money, it’s another reminder for firms to double down on security as we enter the new year.
A sophisticated raid
MoneyTaker is a highly sophisticated threat group that has launched over 20 successful raids on banks and other organisations over the past 18 months or so. It uses an eponymous home-grown piece of “auto replacement” malware to substitute payment details in the interbank transfer system. Money mules then withdraw the cash in huge sums averaging $500,000 — made possible because the hackers have lifted maximum withdrawal limits. It’s all done very discreetly, with the gang using fileless malware to reduce their footprint.
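One defensive control against the payment substitution described above is an end-to-end integrity check: the originating system attaches a keyed tag over the fields that route funds, and a reconciliation step at the interbank gateway recomputes it, so a beneficiary swapped in transit is flagged. This is an added illustration, not code from the post or from Trend Micro; the payment record layout, the field names and the signing key are constructed assumptions.

```python
import hmac
import hashlib
import json

# Constructed demo key; in practice this would live in an HSM or secrets manager.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Fields whose substitution would redirect funds; the tag covers exactly these.
PROTECTED_FIELDS = ("payment_id", "amount", "currency", "beneficiary_account", "beneficiary_name")

def canonical(payment):
    """Serialise the protected fields deterministically so both ends hash identical bytes."""
    subset = {k: payment[k] for k in PROTECTED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()

def sign_payment(payment, key=SIGNING_KEY):
    """Originating system: attach an HMAC-SHA256 tag over the protected fields at creation."""
    tag = hmac.new(key, canonical(payment), hashlib.sha256).hexdigest()
    return {**payment, "integrity_tag": tag}

def verify_payment(payment, key=SIGNING_KEY):
    """Reconciliation step at the gateway: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(payment), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, payment.get("integrity_tag", ""))

def find_substituted(batch, key=SIGNING_KEY):
    """Return the IDs of payments whose protected fields no longer match their tag."""
    return [p["payment_id"] for p in batch if not verify_payment(p, key)]

# Constructed batch: the second payment has its beneficiary account swapped after signing,
# mimicking the "auto replacement" behaviour the post describes.
signed_batch = [
    sign_payment({"payment_id": "P-1001", "amount": "500000.00", "currency": "USD",
                  "beneficiary_account": "GB00BANK00000001", "beneficiary_name": "Acme Supplies"}),
    sign_payment({"payment_id": "P-1002", "amount": "125000.00", "currency": "USD",
                  "beneficiary_account": "GB00BANK00000002", "beneficiary_name": "Beta Logistics"}),
]
tampered_batch = [dict(p) for p in signed_batch]
tampered_batch[1]["beneficiary_account"] = "GB00MULE00000099"  # only the beneficiary changed

if __name__ == "__main__":
    print("substituted payments:", find_substituted(tampered_batch))  # ['P-1002']
```

The check only helps if the key is not reachable from the host where substitution happens, so the signing and verification endpoints must sit on different trust boundaries than the workstation that builds the batch.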
The hackers have launched successful attacks against banks using the STAR and AWS CBR interbank networks, and have stolen information relating to SWIFT — the network infiltrated by the Bangladesh Bank hackers. This is classic Business Process Compromise (BPC) territory: a trend we predicted last year and again this year. It requires a deep understanding of the target organisation’s networks and processes, enabling the hackers to infiltrate — in this case — payment systems and then disappear without a trace.
But how is the initial compromise achieved? By using the popular pen testing tool Metasploit to probe for vulnerable applications, exploit those flaws and then escalate system privileges. Once again, vulnerabilities were the Achilles’ heel of the affected banks, just as they are for so many organisations.
We said as much in our Paradigm Shifts report, highlighting the fact that software flaws enabled major attack campaigns in 2017, including WannaCry, NotPetya and Bad Rabbit. As MoneyTaker has shown, vulnerabilities can be exploited in sophisticated targeted attacks just as they can enable very noisy mass infection campaigns. The result is the same: data theft, service outages, and huge financial and reputational repercussions.
The coming year could see an increase in both, as cyber-criminals and nation state operatives try their luck by exploiting known and patchable bugs. Organisations must get ahead of the threat through effective patch management. Virtual patching can help to keep systems safe if, for some reason, full patches cannot yet be applied.
When it comes to BPC, however, there’s no easy fix. It will require a combination of behaviour monitoring and intrusion prevention, opsec red team exercises and regular pen testing, enhanced employee training and awareness programmes, and more. The good news is that these attacks are still pretty rare, given that they take a far greater investment of time and resources by the black hats.
But the bad news is: they’re on the rise.