Most people lump every kind of malicious software together under the word "virus". Yet viruses in the classical sense (whose defining feature is self-replication) long ago ceased to lead the ranking of computer threats. Worms and Trojans have taken first place: they extort money (the infamous Trojan.Winlocker and Trojan.Ransom families), collect information about the user (passwords and contact lists, which are then used to spread further), and steal large sums without the victim's knowledge (the victim may be an ordinary user, a large company or a bank).
It is obvious that attackers do not write malicious code for entertainment; the image of a teenage hacker breaking into the local school network is a thing of the past. Cybercrime today is a huge and very profitable shadow market with a large turnover that grows every day.
The scale of the problem is hard to assess; it can only be judged from news feeds, in which "malware", "fraudsters" and astronomical sums of money are mentioned more and more often. Even this gives an incomplete picture, since information on most cases never reaches the public (a consequence of gaps in Russian legislation, which does not oblige a company to disclose a leak of personal data). It should also be understood that press reports are rarely detailed: they describe incidents in general terms without specifics, so the reader does not connect what happened with real life. The case described below occurred quite recently at a Russian company whose representative approached us, as a developer of information security products, with a request to assist in investigating the incident, and shared the details.
I managed to talk with the system administrator of the company, which only by a lucky chance did not lose a million rubles; the scenario of the incident looks more like the plot of a heist film than real life. For obvious reasons, the system administrator chose to remain anonymous.
Target: a bank customer
The victim in this case was a Moscow company that is a client of one of the major banks. What made this particular company interesting to the intruders was its use of the remote banking services (RBS) provided by the bank. One machine in the company's computer fleet was used regularly to access the bank's RBS service, and it was this computer that was attacked.
Despite the antivirus installed on the system (from a fairly well-known vendor, incidentally), the malicious code was deployed and executed without any obstacles. This is a vivid example of how signature-based detection fails against targeted attacks and zero-day threats.
The date of the attack was not chosen by chance: everything happened on December 29, right before the New Year holidays. Had the attackers managed to carry out their plan, the loss would not have been noticed for at least another ten days.
Attack scenario
Unfortunately, we could not determine how the malicious application got onto the attacked machine. With some degree of confidence, however, it can be argued that insiders were involved. One piece of evidence is that the malicious code was unique and went unnoticed by the antivirus (and, accordingly, was absent from the antivirus databases). Had this been a mass attack, it would have been noticed quickly enough, the malware's signature would have been added to the databases almost the next day, and the attacker's plan would have failed.
Accordingly, there must have been someone with knowledge of the company's use of RBS, of the approximate amounts involved, and possibly even of the information security tools the company used.
Given the possibility of insider participation, the malware could have entered the system in any number of ways: sent by e-mail from a trusted sender, brought in on a flash drive by one of the company's customers, or simply launched by hand by the insider on the machine.
Whether the Trojan was controlled remotely or operated autonomously could not be established. It is only known that the Trojan worked according to the following scenario:
• Wait for the key storage to be connected (a certificate issued by the bank, kept on removable media)
• Read the key
• Read the login and password for remote banking access
• Submit a request to transfer money to the attacker's account: an attempt was made to withdraw approximately one million rubles (in the autonomous variant, this step would instead consist of sending all the captured data to the attacker)
• Download an application named kill.exe, which covers the malware's tracks very crudely by taking down the entire system (it created a file in the driver directory that crashed the system whenever an attempt was made to read it)
Traces of the attacker's actions were discovered only after the attacked machine had been put out of action, and then only from the logs that remained on the proxy server. The company was saved from losing a substantial sum only by a fluke: the attacker tried to withdraw a fixed amount that was not in the account, because the company's employees had been paid their salaries shortly before.
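The proxy logs were the only evidence that survived, which suggests the check a practitioner would want in place before an incident rather than after it: a workstation dedicated to remote banking should only ever talk to the bank, so any other destination, and especially a fetch of an executable such as kill.exe, should stand out immediately. The script below is an added example, not code from the article or from the company involved; the Squid-style access.log layout, the workstation address 10.0.5.17, the bank hostname rbs.example-bank.ru, and the log lines themselves are all constructed assumptions.

```python
"""Flag suspicious downloads from a remote-banking (RBS) workstation in proxy logs.

Added example (not from the original article). The log format, addresses and
hostnames are assumptions: Squid native access.log lines for a workstation
10.0.5.17 whose only legitimate destination is the bank's RBS portal
(rbs.example-bank.ru here).
"""
import re
from typing import Dict, List

# Assumed Squid native access.log layout:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Hosts the RBS workstation is allowed to reach (assumed egress allowlist).
ALLOWED_HOSTS = {"rbs.example-bank.ru"}
# Responses that look like a Windows binary, by URL extension or by content type.
EXE_EXT = re.compile(r"\.(exe|dll|sys|scr)(\?|$)", re.IGNORECASE)
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec",
             "application/octet-stream"}


def host_of(url: str) -> str:
    """Return the host part of a URL or of a CONNECT target (host:port)."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one access.log line into its fields; empty dict if it does not match."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else {}


def find_suspicious(lines: List[str], rbs_client: str) -> List[Dict[str, str]]:
    """Return entries from rbs_client that reach non-allowlisted hosts or fetch binaries."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["client"] != rbs_client:
            continue  # other workstations are out of scope for this rule
        host = host_of(rec["url"])
        reasons = []
        if host not in ALLOWED_HOSTS:
            reasons.append("host not on RBS allowlist")
        if EXE_EXT.search(rec["url"]) or rec["ctype"] in EXE_TYPES:
            reasons.append("executable download")
        if reasons:
            hits.append({"ts": rec["ts"], "host": host, "url": rec["url"],
                         "reason": "; ".join(reasons)})
    return hits


# Constructed sample: normal RBS traffic, then a kill.exe fetch of the kind the
# article describes, then an unrelated workstation browsing the news.
SAMPLE_LOG = [
    "1293609600.101    212 10.0.5.17 TCP_TUNNEL/200 48211 CONNECT rbs.example-bank.ru:443 - HIER_DIRECT/203.0.113.10 -",
    "1293609655.472     95 10.0.5.17 TCP_MISS/200 1322 GET http://rbs.example-bank.ru/favicon.ico - HIER_DIRECT/203.0.113.10 image/x-icon",
    "1293609701.003    340 10.0.5.17 TCP_MISS/200 24576 GET http://update.example-cdn.net/files/kill.exe - HIER_DIRECT/198.51.100.7 application/octet-stream",
    "1293609720.555     60 10.0.5.40 TCP_MISS/200 5120 GET http://news.example.org/index.html - HIER_DIRECT/192.0.2.5 text/html",
]

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG, "10.0.5.17"):
        print(f"{h['ts']} {h['host']} {h['url']} <- {h['reason']}")
```

Run as-is, the script reports only the kill.exe line, flagged both for leaving the allowlist and for being a binary. The allowlist rule is the one that matters: it fires on the very first request to a foreign host, before anything is downloaded, and it would have caught a command-and-control beacon just as well as the file fetch. Alerting on this in near real time, or better still enforcing the allowlist on the proxy for that one machine, turns the proxy log from post-mortem evidence into a control.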
How many times has the world been told
This incident is not the first in the history of cybercrime, and it certainly will not be the last. The lucky accident that saved the company's finances was merely a coincidence of circumstances. Not everyone is so fortunate: according to the system administrator, a partner company also fell victim to fraudsters, and six times as much money was taken from its account. All they can do is hope for a successful outcome of the investigation.