Search the Community
Showing results for tags 'carbanak'.
This week's headlines have been security heavy thanks to the influx of news coming from Kaspersky's Security Analyst Summit. We've seen Kaspersky report everything from a $1bn cyber bank heist operation, to potentially NSA-sponsored and Middle Eastern advanced persistent threats. Specifically we saw threat research papers on the Carbanak, Equation and Desert Falcons attack campaigns. Carbanak is a banking-focused cyber operation that is believed to have stolen $1bn from 100 banks in more than 30 regions using specialist attack tools. Equation is a dangerous hack campaign, believed to have stemmed from the US National Security Agency, that uses a selection of attack tools, including one that can infect the operating systems on hard drives. Desert Falcons is a Middle Eastern cyber mercenary group that is believed to have infected thousands of Windows and Android devices with over 100 different malware variants. Each of these campaigns has its own specific implications for security professionals and the industry in general, but there is one unifying factor for me that is the most interesting: all three used phishing as a primary infection tactic. Phishing, for those who don't know, is an attack that aims to spread malware using infected messages that often masquerade as stemming from a trustworthy source. The message system used in phishing campaigns can include everything from Facebook posts and instant messages, to tweets and basic email. The campaigns are sometimes fairly basic and easy to see through, such as the Nigerian prince emails that circulate offering incredible sums of money in return for bank details, while others can include a social engineering element and are made to look like invoices or corporate communications. The attack strategy may sound simple enough to stop, but for me the trio of threats highlighted by Kaspersky show that most businesses still haven't addressed the phishing threat. There are likely to be several reasons why phishing still works so well. One of the most common that I hear from talking to industry professionals is that many businesses still assume that security is an out-of-the-box technological issue, not a cultural one. Despite constant warnings from security providers and government departments, many companies still assume that, if they have basic perimeter defences in place, they have ticked the security box and don't have to worry about cyber attacks, such as phishing. Sadly, this simply isn't the case. The Carbanak campaign is a particularly good example. Carbanak initially targets victims with spear phishing emails designed to look like legitimate banking communications. The messages contain malicious Microsoft Word and Control Panel Applet attachments that exploit flaws in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761) to execute the Carbanak backdoor. The initial infection didn't get the hackers access to the more secure internal systems they wanted to breach, but it did get them far enough into the network to begin a reconnaissance phase targeting bank employees, particularly systems administrators. From here, using information stolen during the reconnaissance phase, the attackers were able to get to the companies' crown jewels and steal vast sums of money. The key takeaway here is that firms need to back up their defence technology with robust cyber security awareness, using education programmes that not only teach staff how to spot and avoid falling victim to phishing messages, but how to report incidents to the IT team. Incidents will, of course, still occur; some of the social engineering behind phishing is seriously impressive and can lead to very realistic looking communications. But it would help dramatically to reduce the hackers' win rates and profit margins, a development I think everyone on the right side of the law would regard as positive. Hopefully, while bad, the discovery of Carbanak, Equation and Desert Falcons will at the very least make some firms aware of this. Although, considering my past experience covering the fallout of these attack campaigns, I'm not holding my breath. Source