Security Week 06: bank robbery on the stream, breaking the grid, Poseidon / Amebey / Kianokhet

Three of the most popular news of this week came to us from the warm (+20) Canary Islands, where the Security Analyst Summit, an annual conference of security experts organized by Kaspersky Lab, took place on February 8 and 9. As in the past year, # TheSAS2016 was rich in large investigations, which were the result of many months of expert work. Such investigations provide a slightly more understanding of the direction in which the threat landscape evolves than important, but still fragmented, "routine" news about vulnerabilities, hacks, and so on. What changed? Three key presentations at the Summit last year were devoted to APT-class attacks — complex cyber operations, using the most advanced and expensive tools to develop, aimed at the longest presence in the victim system. More about them - here .

This year, the activity of the threat actors, most likely sponsored by the state, was also actively discussed, but the key research was more about targeted attacks on business. The difference is important. Expensive operations a la The Equation are perceived as something very dangerous, but directly to "ordinary" companies are not threatening. And even if the business becomes the subject of interest of the organizers of the attack, it seems that nothing can be done about it - there is no reception against scrap (in fact, there are tricks). This year's research is more about business as usual - attacks on companies using standard tools (no modified firmware for hard drives), with sharpness and active preliminary exploration. In such cases, advanced cyber weapons are usually not used, but there is damage, loss of reputation and a full set of other unpleasant consequences for the business.

And further. Attack methods and malware that qualify for the highest cyber category, very quickly become a routine tool available to more and more criminal groups. Look at the research in detail. All issues of digest - here .

Bank robbery: Carbanak and not only
News Blogpost with pictures. Research
')
Carbanak is the news from last year's Security Analyst Summit. Then the researchers of the "Lab" revealed the details of a complex attack on financial institutions. The attack was distinguished by the use of sophisticated tools to penetrate banking networks, and the ability to use banking tools to steal money, so as to leave as few traces as possible. This year we found three followers of Carbanak at once - one of them is clearly the work of the same cybercrime group, two more - independent operations, with their own tools and methods of attack, but with the same goal: to steal real money.



More information about all three attacks can be read on the links above, but I will focus on the most interesting details. The organizers of the Metel attack used an extraordinary withdrawal system: as a result of the hacking of the banking network, they were able to withdraw money from the cards and immediately roll back the operation. That is, in fact, in the hands of intruders turned out to be "bottomless" credit cards. The key advantage of this approach was the ability to conduct a withdrawal operation as soon as possible, with a limited set of cards emptying ATMs at night. The danger of this method for companies is clear: very little time is allotted for responding to and blocking the actions of intruders. All this is in full accordance with our predictions of the end of 2015 on the evolution of business attacks. Unlike APT, threats in which there are advanced hacking tools and tactics of prolonged stay in the victim’s network, new attacks do not necessarily use really complex methods, and they don’t take months or hours to complete the whole operation. Hit and wounds.

The GCMAN grouping used electronic money to withdraw funds, and attacked with traditional methods, in particular by sending phishing messages. The use of mostly legitimate programs (putty, VNC, and so on) is remarkable here. Finally, the main feature of the Carbanak 2.0 attack was not at all the hacking methods, but the expansion of the list of potential victims. Digital “robberies” are no longer limited to withdrawing funds through ATMs or chains of bank accounts: the financial departments of large companies are also under attack.

How to actually break the grid? Honeypot responds
News

In his speech at SAS2016, researcher Devan Chowdhury from MalCrawler shared an interesting experience of “luring” the attackers into a specially crafted “energy” honeypot. Hanipots are actively used to catch malware, and the benefits of them are obvious: instead of a real system, a specially created one is substituted for the attacker, and the attack features are investigated without causing any real damage. In the case of critical infrastructure, everything is more complicated: “emulation” should be as plausible as possible, which means that you need to install specialized control software and send plausible responses through it to attempts to break any power plant, while in reality there is no power plant.



Chaudhuri studied the attacker's tactics, providing pre-specified vulnerabilities in the bait - the wrong configuration, an open WiFi network, and so on. In most cases, attackers were limited to intelligence: they pumped out prudently laid out files on the way of hacking, tried to map out physical objects to which the attacked system gives access. But there were also those who were not interested in documents and intelligence - they immediately began to attempt to bring the power system down.

How realistic is it to make a blackout with such methods? According to the researcher from MalCrawler, the price of "entry" for those who want to sabotage is still high. Citing Stuxnet as an example, Chaudhuri assumes that the main budget of such groupings falls not on the “IT” part, but on the analysis of the work of the specialized “hardware” and “software”. Before you try to bring down something, you need to very clearly understand how the power grid or a similar object works. In fact, this means the construction of real models, with real iron, the need to understand the intricacies of customization.

All is well? Not really. Above — in the history of hacking banks — we also talked about specialized software and access to restricted information about the methods of operation of financial systems. To carry out the operation to create a "bottomless" credit card, you first need to know how to do it, how not to attract the attention of security systems and information security specialists in the attacked company. And it somehow managed. Therefore, the main conclusion from the study of Devan Chaudhuri is that there are already those who want to break critical infrastructure facilities right now. Suppose they are still (presumably) unable to cause serious damage, but obviously you should not wait for them to finally learn.

Poseidon. Localized Targeted Attack with global implications.
News Blogpost Research

Our experts called the Poseidon campaign a “custom malware creation boutique.” This explains the difficulty of detecting an attack: when a unique or almost unique set of tools is created for each victim, it is very difficult to “combine” individual incidents into a general investigation. Nevertheless, it was possible to do this, perhaps partly because of an extraordinary way of monetization: having hacked another company, the organizers of the attacks demanded money from the victim for “services” on “informational” “security”. Naturally, the payment of money by the victim did not guarantee anything: in some cases, unauthorized access was maintained.



Having put together all the information about the group, the researchers of the “Laboratory” determined that it was valid for at least 10 years, and the earliest malicious code attributed to this campaign dates back to 2001. Accordingly, even Windows 95 appears on the list of targeted attack systems. The most important feature of Poseidon is geographic location. Most of the victims of the campaign are in Brazil. That is, business from other countries can relax? Not really. The group’s attention was also attracted by foreign companies, either operating in the country or interacting with companies from Brazil. Victims were found in the USA, Russia, Kazakhstan, India and other countries. Total: a criminal campaign that creates targeted hacking tools for each attack, again without super-advanced techniques and code, but has been working successfully for over 10 years.

What else happened:
Another study by Lab experts at the Security Analyst Summit: Adwind cross-platform Java backdoor. Adwind is a representative of a rapidly growing market for cybercriminal services: the backdoor authors sell it “for inexpensive” to everyone, and usually this malware-by-order is used to attack users. But in this case, we detected attacks on companies, so using the example of Adwind, we can estimate the potential of targeted attacks even on small businesses: access to such hacking tools costs literally a penny.

The next fake antivirus for Mac OS X would not be anything special if it were not for one thing: this instance of scareware is signed with a legitimate developer certificate, and accordingly Gatekeeper’s defender integrated into Mac OS X does not notice it.

Antiquities:
"Disk-Filler"

A very dangerous stealth virus, affects the boot sector of floppy disks and the MBR of the hard drive when accessing the disk. When a boot sector is infected with a floppy disk, it formats an additional track on it (40th at 360K and 80th at 1.2M) and writes its own code there. Then the virus embeds its head into the Boot sector of the floppy disk in such a way that the codes of the original Boot sector remain virtually unchanged. When infecting the hard drive has its body immediately behind the MBR. In the MBR itself, the virus changes only the address of the active boot sector and sets it on the sector containing the beginning of the virus.

When running, COMMAND.COM moves itself to the memory area with lower addresses. Depending on the system time, it deciphers and displays the text, then “draws” in the FAT sectors a picture:



Also contains text: "command.com". Intercepts int13h, 1Ch, 21h.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 99.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.