Tuesday, 17 February 2015

Banks Hacked And Robbed Because Of Missing Word Updates

About a hundred banks and financial institutions were hacked and robbed by cyber criminals over a period of two years because security updates for Microsoft Word had not been installed. According to a report published today by the Russian antivirus company Kaspersky Lab, which gave the gang of cyber criminals the name Carbanak, this is the same gang that was unmasked late last year by the Dutch firm Fox-IT and the Russian firm Group-IB.

This weekend the New York Times came out with a story about the gang. It stated that Dutch banks had been targeted, something that was later denied by both the Dutch banks and Kaspersky Lab. In an older version of the report, which had been distributed to Computer Emergency Response Teams (CERTs), the Netherlands was mentioned. However, that turned out to be a false positive.

Although the New York Times had received a newer version of the report from Kaspersky in which the Netherlands no longer appeared, it still used the information from the old report, says Jornt van der Wiel, analyst at Kaspersky Lab. Another detail that was reported incorrectly in the media concerns the use of recording software. The gang did not monitor security cameras inside the attacked banks, but used software to capture images of the desktop. This gave them insight into the methods and processes within the banks.

The report, which is now available online, also shows how the attackers went about their work. Bank employees were sent emails with Word documents and, in some cases, RAR files containing CPL files. Mainly Word documents were used, however, according to Van der Wiel. The documents abused vulnerabilities from 2012, 2013 and 2014 that had all been patched by Microsoft, patches that were missing on the attacked systems. No zero-day vulnerabilities were used in this operation. The advice given to both consumers and businesses, namely to install security updates in a timely manner, was not followed by the banks.

Once bank employees with a vulnerable version of Microsoft Office opened the attackers' documents, malware was installed on the system. In some cases RAR files were also used, containing a CPL file. CPL (Control Panel) files are used for configuration purposes in Windows: the programs in the Control Panel such as 'System', 'Printers' and 'Programs and Features' are all CPL files. They are also used to deliver malware. Furthermore, Kaspersky Lab says that traces of classic drive-by download attacks may have been found, in which bank staff became infected when visiting a website, but this has not yet been confirmed.

Once the attackers had access to the system, additional software was installed, such as the Ammyy Remote Administration Tool. The attackers probably used this tool because it is on a whitelist in many environments, since Ammyy is used to give administrators remote access to computers. The attackers then tried to steal credentials from the system. To this end, internal emails with infected Word files were sent from the infected computers. In this way other systems on the network could be infected.

Eventually the attackers gained access to the transaction systems and transferred money to other accounts, or had infected ATMs dispense cash. The researchers have one recording showing someone walking up to a bank's ATM at night with a bag. At exactly 3:00 am the machine starts spitting out banknotes, which the man collects in the bag.

The damage from the operation is difficult to determine. Although amounts of $1 billion have been mentioned in the media, this amount is not confirmed. Kaspersky used a calculation method in which a loss of $10 million per bank is assumed, although this amount was not stolen from all banks. In fact, the report mentions only one victim that lost $10 million and a second bank from which $7.3 million was diverted.

Yet Kaspersky multiplied the amount of $10 million by 30 affected banks. In addition, there might be some 30 more banks that did not report an incident, and the police are also said to know of some 30 affected banks. For these banks, most of which are located in Russia, $10 million was also assumed, eventually yielding an unconfirmed total of around $900 million. The actual damage is probably about $300 million or maybe even much lower, Van der Wiel notes. Kaspersky itself also treats the figure with caution.

What is certain is that the criminals were able to strike because the banks did not follow the basic rules for safe Internet use, namely installing security updates and not opening unsolicited attachments. Two of the hit Russian banks lost their banking licence because of their poor security. According to Kaspersky, the attackers are still active.
