Over 100 banks hit by sophisticated cyberattack

Discussion in 'malware problems & news' started by Thankful, Feb 14, 2015.

  1. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Here's a link to the NYT's story that the Yahoo story says it's based on: LOL didn't realize I was on the NYT, so seeing as how I used up one of my ten free articles for the month, might as well share the link. It's a fairly extensive/detailed/interesting story. Quite interesting for anyone else willing to give up one of their free views :) Saw the NYT's story before reading this thread.

    http://www.nytimes.com/2015/02/15/w...on&region=bottom-well&WT.nav=bottom-well&_r=0
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Wow, if this is really true, then it's really painful for the ones in charge of network security. But I'm sure that there were "insiders" involved with the hacking, I don't believe you can hack the system (with full control) from the outside.
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    Actually it was, bank managers opened infected attachments, what a surprise. I wonder, how could that have happened. :argh:

    http://rt.com/news/232627-banks-hacked-russian-expert

    If they would not find out about it by an accident, no one would miss anything, a perfect crime.
    I wish, I would have so much money, that I would not miss a few millions dollars. :doubt:
     
  5. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    The Great Bank Robbery: the Carbanak APT - Securelist
     
  6. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    http://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/
     
  7. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    https://www.fox-it.com/en/press-releases/anunak-aka-carbanak-update/

    http://www.group-ib.com/index.php/o-kompanii/176-news/?view=article&id=904
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I've read about the attack, and it seems I was wrong, the attack succeeded without any help from the inside. I think this attack is a huge marketing opportunity for anti-exploit and sandboxing tools, they would all have stopped this attack, most likely.
     
  9. 142395

    142395 Guest

    Possibly so, probably not. Those employee opened unknown email attachments, and they didn't keep up-to-date (no 0day is used!). Usually when a company follow such terrible security policy, there're plenty of rooms to infect them. But opposite is also true that, if a company follow best practice and still get infected, I don't fully believe those solution can surely block such advanced attack.
    I very appreciate those solution which save you from human weakness to some extent, but relying those solution is basically bad idea, what most matters in corporate security is valid and viable policy (actually for home user too).
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I don't see why not, there wasn't anything "high tech" about this attack. I've read they used email attachments and MS Word exploits. The first one would be contained and stopped by Invincea FreeSpace, the second one by HMPA/MBAE, most likely of course.
     
  11. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    Personally, I don't understand how an industry with billions/trillions of dollars can run personal stuff and work related stuff on the same network.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes exactly, and I would also love to know which security tools they are using, and how it's configured.
     
  13. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,540
    Location:
    Triassic
    I have worked as a contractor (systems and networking projects) for many at-home large banks and some international banks, credit unions and trust companies. The large banks have a myriad of different departments, all servicing a specific segment of the market. In my experience most of them have a centralized IT department that manages all the computing activity as well as setting up all the usage rules. They vary widely in technical skills and awareness. I've had the pleasure of working with some very competent and disciplined technical staff, however there are also many that are incompetent and downright dangerous. At the core of some of these organizations I have come across IT departments that have been grossly understaffed and woefully uneducated in systems management. This is one of the reasons why these banks hire contractors to work with their staff. As a contractor who had access to the VP execs I pretty much spoke my mind. Some were astounded when I told THEM that they were not exempt from the rules of usage. Some of the branches were like fiefdoms run by despots, all exempt from system usage rules. They put the bank and its customers at risk and the IT department often would have no sway over them. Corporate culture plays a significant role with these behemoths. They do address security with secured intranets, products, tools and procedures, but their achilles heal is staff and executive discipline.
     
  14. 142395

    142395 Guest

    I think emmjay already explained it. Some people misunderstand security is deploying products, but it's not. Actually what products they used is not much important as long as they deploy sth reputable products. Yes, it was not advanced attack at all (Kaspersky clearly stated this so they didn't exactly call it APT), so I gave 2 extreme cases and it's obviously the former case. But remember, it's still targeted attack. In targeted attack, the first win is not the total win. If attacker failed initail intrusion, then he have an option, continue to attack by different way or switch to another target. There're some statistics how many effort avarage targeted attacker spend to one target, but anyway when such a high value target like mega banks, giving up just because initial attack missed is quite unlikely (and they are at least quite pesistent). And what important is, probably many of those victim company are what emmjay described as downright dangerous. Although company often have to open email attachment (otherwise they may miss important info) and there can be good reason not to patch soon (it's common for large company to test enough before patch), still I highly doubt they had well managed security policy and practice, and in that case probably well designed social engineering will be enough to infect them. It's all just a guess, but based on known incidents on targeted attacks. For corporate security, especially to protect from targeted attack, what matters first is policy, and of course practice & management. You know whatever good product you give for a very novice, if he is ultimate click happy and willing to disable products to surpress warning he will be finally infected. It's too extreme example and disabling product is not possible in any decent company network, but not much far from known facts.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, this is what I thought.

    The point that I'm trying to make is that if anti-exploit and/or sandboxing was employed, this attack would have failed even with "click happy" employers who don't know a thing about security. But I don't know how hard it is to employ these tools on a (complex) corporate network.
     
    Last edited: Feb 19, 2015
  16. 142395

    142395 Guest

    If exploit failed, use only social engineering. If it failed due to sandbox, then make him to open malware outside of sandbox (probably more clever socai engineering is needed), or use completely other way e.g. USB which many employee plug to their computer w/out doubt (proved by many pentester; just an example). This is the nature of targeted attack, as I said first win is not total win in targeted attack.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  18. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    https://www.csis.dk/en/csis/blog/4710/
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Digitally signed malware is really becoming a problem. That's why it's best not to rely on "certified applications" like some HIPS do.
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, or execution control. As always - attackers only have to find one hole, defenders have to cover them all (even those they don't know about).
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    http://www.bloomberg.com/news/artic...oved-currency-rate-with-malware-group-ib-says
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but it also depends on if employees sometimes do need to open certain files. And in theory you could also use an infected MS Office document to infect the system with some trojan. But yes, if possible I would always recommend white-listing.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.