Dec. 19, 2016
London-based cybersecurity company Positive Technologies has released findings from its investigation into an incident in which hackers were able to steal the equivalent of 28,000 pounds ($34,727) in one night from six ATMs belonging to an Eastern European bank.
The company said in a press release the theft could have been far worse if the technique used in the scam had not "clashed" with the bank's existing NCR ATM software, preventing the attackers from withdrawing further funds.
Positive Technolgies also warned the group responsible for the hack will become active in the West soon.
Alex Mathews, lead security evangelist at Positive Technologies, summarized the threat:
Attacks against ATMs are often a preliminary step from which attackers aim to infiltrate a bank's network infrastructure. Modern day 'bank robbers' have realized that many financial institutions fail to adequately invest in security, and that some will even do the bare minimum to comply with required standards. The result is that, from an initial compromise, attackers can often move sideways, burrowing deeper into the network and infecting other systems within the banking infrastructure. Having gained control over key servers and ATM management systems, these criminals will often hit the jackpot with minimal effort and without tripping any alarms. Our investigation found that, for this Eastern European bank, the initial compromise was facilitated by a phishing scam and was successful as employees were spoofed into deploying the malware. This allowed the bank's local network to be compromised with the installation of malware on ATMs from the bank's internal infrastructure.
In its investigative report, "Cobalt — a new trend or an old 'friend'?" Positive Technologies describes the intricate modern methods that were used to target the Eastern European bank, and could be used against other financial institutions, as well. Among the findings:
1) Attackers tend to use known instruments and integrated functionality of operating systems
In this heist, the criminals used commercial software — Cobalt Strike, comprising Beacon, a multifunction remote access Trojan with extensive capabilities for remote system control. This enabled the upload and download of files, an escalation of privileges, and other functionalities. The bank robbers also used "Ammyy Admin," a legitimate freeware combined with Mimikatz, PsExec, SoftPerfect Network scanner, and Team Viewer applications.
2) Phishing emails are still one of the most successful attack vectors due to insufficient security awareness among employees
The initial infrastructure infection vector originated from an employee opening a RAR compressed archive file documents.exe. The archive file was emailed to the employee, and the attached document contained the malware.
Mass phishing emails imitating financial correspondence or security messages were sent to a number of the bank's email addresses in the months preceding the heist. Several employees opened the malicious file, but the one who launched the malware was using a workstation with an antivirus engine that was either disabled or outdated, allowing the malware to deploy.
3) Targeted attacks are becoming increasingly well organized and distributed
The initial attack began in early August. At the beginning of September, after a steady deployment in the infrastructure, the hackers launched a chain of attacks to detect which workstations were used by employees responsible for ATM operation and payment card use.
In early October the attackers uploaded malware to the bank's ATMs and carried out the heist. An operator sent commands to ATMs, and individuals known as "drops" visited the machines at an appointed time to collect the cash. Specialized malware instructed the ATM to a drop at the command of the attacker; drops themselves did not need to perform any manipulations of the ATM.
While investigating the incident, Positive Technologies gathered host and network indicators of compromise, which were sent to authorities to be shared with other financial institutions in the hopes of preventing similar future attacks.
View the full report.