CyberWire Daily - Shake Your MoneyTaker. [Research Saturday]
Episode Date: January 13, 2018
A group of Russian-speaking hackers has stolen nearly $10 million from banks around the world. Group-IB, a company with expertise in computer forensics, information security and, specifically, Russian-speaking criminal groups, has named these thieves MoneyTaker. Nicholas Palmer is the director of international business development at Group-IB, and he's joined by their head of threat intelligence, Dmitry Volkov, to explain the MoneyTaker group's schemes.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Originally, we conducted a number of forensics investigations in Russia connected to Russian banks, one of them being a successful attack, and the other was thankfully thwarted
by the security department at the particular bank in question.
That's Nicholas Palmer. He's the director of international business development at Group IB,
a company with expertise in computer forensics, information security, and specifically Russian
speaking criminal groups. We're discussing Group IB's research into a group of Russian-speaking
hackers who've stolen nearly $10 million from banks around the world, a group they've named
MoneyTaker. We'll be joined in a bit by Group IB's head of threat intelligence, Dmitry Volkov.
But for now, back to Nicholas Palmer. Another bank in Russia was attacked in 2017 this year,
but those early in 2016 were some of the original
attacks that we did see. And so you get wind of this through that. And then how does your
awareness of it spread to around the globe? Actually, a number of banks in the U.S. were
affected by, we didn't know at the time, obviously, but by a particular targeted attack group.
And through some of the channels that we have, we were provided with IP addresses and some files to analyze and try and provide a little bit more context on the events that some of the banks were seeing.
Actually, one of the U.S. banks was attacked twice.
And this is some of the information that we received.
And through that analysis, we were able to identify MoneyTaker's infrastructure.
And looking at Metasploit logs, we were able to identify numerous other attacks that had taken place by this particular targeted attack group.
So take us through that initial attack that you investigated.
What was the discovery there?
We have an interbank system, a wire transfer system,
named ARM-CBR, which is a Russian analog of SWIFT.
That's Dmitry Volkov. He's Group IB's director of threat intelligence.
The main goal was to get inside the bank,
find an isolated network with ARM-CBR,
and send funds using this interbank transfer system.
So for this purpose we developed actually a tool which we named MoneyTaker.
This is actually the source of the name for our report and the name for the cybercriminal group.
Using this tool we were able to replace payment details while sending funds from one bank to another for a specific amount of money.
Actually, after that, we did a successful money laundering scheme here in Russia.
The average damage with two incidents was $1.2 million.
If we convert, of course, rubles to dollars.
So let's go into some of the details of how MoneyTaker works, particularly this sort of
fileless system that it uses and the way that it manipulates these banking records.
Yeah, absolutely. So, I mean, in terms of being fileless, certainly a lot of the different
targeted attack groups are conducting fileless attacks now.
In the way that they attack AWS CBR, the SWIFT analog system in Russia, it's actually
not overly complex. By analyzing the specific MoneyTaker tool that was hosted on this
infrastructure that we were analyzing, you can see that there's actually four different
modules included in this MoneyTaker
tool that they used. There's a main module, a module for replacing payment data, a module for
replacing and hiding the fraudulent transactions so the other bank doesn't know about it.
And that's really the scheme. So they intercept the payment message, they replace it with
new instructions, and they hide their traces so that
the operation will be complete. So it's actually a fairly common methodology in this day and age,
but a unique tool for this particular group. And what was the initial way that they got into
the systems? Actually, with the incident response that we conducted, we actually didn't find the
initial attack vector, which was very common in a lot of
cases that we did investigation on. Even when we looked at their infrastructure, it wasn't exactly
clear how the target attack group got into the bank, what the initial infection vector was.
And this is one of the signs from the group. They're very good at hiding their traces
and deleting any trace of the initial infection vector. In the last incident in Russia in 2017,
we found that the threat actor initially infected the home computer of an administrator of the bank.
And using that computer and his legitimate remote access to the banking network,
the attackers connected into the bank network.
And then lateral movement from one host to another and
then to an isolated network of banking systems. But we still don't know how they initially infected
his home computer, because after the incident, unfortunately, administrators and actually
probably threat actors deleted all traces pretty carefully.
Now, there have been several groups of incidents here.
You all have grouped these attacks into three groups.
Can you take us through what those are?
Yeah, absolutely.
So essentially there's three different groups that we're looking at.
You know, the two incidents that occurred in Russia in autumn of 2016,
a number of different incidents that occurred in the United States and in the UK,
and then the one additional incident that we again witnessed in autumn of 2017.
So that's kind of the three different groups that we kind of see with this attack.
Now, take us through their attacks on card processing.
After gaining access to the corporate network, again, they're going to look
for isolated systems within the bank. To do so, they escalate privileges using a number of
different publicly available tools. They use old vulnerabilities, for example, in Group Policy
Preferences to gain access to administration credentials on the domain controller. And from
there, they actually would get access to the
card processing systems within the financial institution, open up legitimate accounts within
the organization, change withdrawal limits, and actually conduct withdrawals at ATMs or otherwise
and complete the fraud. And I saw in the report that the average loss caused by one attack was half a million
dollars. In the U.S., we identified the average losses at about half a million dollars. And this
was actually confirmed by the STAR organization in one of the news quotes. I can't remember exactly
which one, but that was confirmed by a third party as well. Yeah. Can you describe to us, they were
using Metasploit. Can you describe to us how they were using that for this attack?
Well, Metasploit is a very common or general tool used by many cyber criminals, and of course used by not just cyber criminals, but security experts.
We have two instances, main instances. One of them with a Metasploit server, and we used that server to manage attacks from the Metasploit console, so everything
was pretty standard. Also on the same server they hosted some additional exploits which were used to
escalate privileges, local privileges, some newly developed scripts to propagate through the network,
to scan the network, some malicious programs that were used probably for other reasons, like some bank intrusions,
like Kronos, Citadel, remote control tools, VNC with different versions and different stages
that were developed to deliver to infected networks. And the next server, the main purpose
of this server was actually to provide persistence at all, so it was almost empty. It was
running only an HTTP server, and the main goal of this server was to check if the victim that is
going to connect to this server is actually a victim whom we're targeting or if it's a security
expert trying to analyze something. So we did very simple checks. One of them is we checked the User-Agent field in every
HTTP request: if it was equal to WinHTTP, then they passed to the second step; if it was not
WinHTTP, we returned a web error. So the next step actually checked if this IP address that requested the malicious payload was whitelisted on that server.
If it was whitelisted, they returned the malicious payload.
If it was not whitelisted, they returned actually a legitimate Windows file.
Now, they were also using some SSL certificates using popular brand names.
What was going on there?
Yeah, absolutely. And that's one of the unique indicators that we have for MoneyTaker. Of course,
this isn't a very strong indicator in itself in terms of attribution, but it is something that
we noticed from this particular group by reviewing all of the Metasploit logs that they had. And
actually, in review of some of the SSL certificates, you can see that
the SSL certificates are very carefully designed. And that's not always the case from different targeted attack
groups. You can see in some of the SSL certificates, they use very popular brands like MetaBank or
Bank of America or Yahoo. So all of the SSL certificates that we identified were actually
very carefully designed, which we found very interesting.
It's not always common.
And you state in the report that the attackers are Russian-speaking.
Where does that lead you in terms of attribution?
Let me explain, and probably it will be not very clear, but I hope Nick will help me with translation.
So historically, we have only Russian-speaking threat actors who target
Russian banks, I mean in case of targeted attacks, of course. Why? Because of the language barrier.
So it's very hard for a non-Russian-speaking guy to attack a Russian bank and successfully
get access into internal Russian banking systems, because it was developed by Russian developers,
by Russian companies, with only Russian language
documentation, and of course if we speak about the
interbank system, this documentation is available
only for Russian clients.
I mean, you should be a bank.
That's why it's really hard to get it.
The next problem is
that all interfaces in Russian banks are actually running in Russian language. That's
a problem for a non-Russian-speaking guy. But it's not the main reason, actually. So
you could be a super hacker, sit somewhere outside of Russia, for instance in India,
and you can get potential access to any system in a Russian bank, but the next step, you
need to send money outside of the bank, and for this goal you need someone who is able to do a money
laundering scheme in Russia, because even if you attack Russian banks not through the SWIFT system but through
ARM-CBR, it means that you can send money only to Russian banks, not outside of Russia.
So it means that you have to be able to do money laundering for a huge amount of money.
So usually we try to send sometimes millions, sometimes dozens of millions of dollars within
one day.
So not everyone who declares that he is able to do money laundering is able to accept such dirty money,
do careful money laundering, and of course people who can do this work only with trusted persons.
We are really careful, and such a level of trust is available only between native speakers.
This actually works for both sides: so guys who could do money laundering, we don't want to do such attacks in Russia with non-Russian-speaking guys.
This is first.
And the guys who potentially could conduct an attack outside of Russia and don't speak Russian,
they don't trust the guy who's doing money laundering here.
Because if he sent money to his banking accounts, he should potentially get some percent from
after money laundering steps.
But if you don't have trust between these guys with high level of risk, guys who will
do money laundering successfully will not send you back any percent.
Because you can just say, okay, about 80% of all money you send out to the bank
were blocked somewhere in the middle of our money laundering scheme.
Sorry, and forget about them.
And it doesn't work without a certain level of trust.
But there are also some additional indicators which also confirm this version,
like we used email addresses on Yandex Mail, we used hosting in Russia,
and that hosting provider does not provide hosting in English, so we don't have
an English version of the site. We also see that we rented this server, we also have communications
with partners who speak only Russian, and I think that's it.
Yeah. So in your estimation, how sophisticated are these attackers? Well, we are good enough, but it's really
hard to estimate if we are good enough to attack
the biggest bank in the United States or maybe in Russia or
other region, because we focus our efforts only on small banks.
And actually, there are two reasons.
One of them, because we are less secure and we don't have proper connections with law
enforcement, and we believe that if we attack small banks, the risk that there will be a real investigation
is lower than if we attack, for instance, some big bank, the bank from the top 10. So that's why we
target easy victims. And when we analyze log files from the Metasploit framework, we see that they sometimes
allow themselves to do some noisy tricks to raise privileges, to move from one host to
another host. It doesn't mean that they are not sophisticated. Probably we just see
that there is no reason to hide themselves, I mean, in the corporate network pretty well, because,
I mean, these banks don't have proper internet security solutions in place or maybe some
procedures. So what is your advice for banks who want to protect themselves from this?
Certainly being aware of some of the tactics and techniques that they use to penetrate in the network to escalate privileges.
Being aware of the most recent tactics by different target attack groups is very important.
I think Dmitry and the team here at Group IB on the intelligence team did a really good job at describing some of the different steps in their attack, you know,
use of specific ports for communication, use of different public tools for RDP access. So I think,
you know, having knowledge of the different attacks that are taking place by targeted attack groups is critical. Moreover, I think it's important to learn about potentially what are
the next targets, you know, looking at some
of the documents that were exfiltrated during MoneyTaker's activities show us signs of perhaps
things of interest for this particular target attack group. Looking at some of the documents
that were exfiltrated, we can see SWIFT related administration documents. We can also see documents
connected to Ocean Systems FedLink, and this is primarily used amongst Latin American financial institutions.
So perhaps these organizations should be aware of a potential group that's taking interest in their region.
So this is just the beginning. It's always good to see how the community reflects on the report and sends us feedback with new information. It's very positive.
Yeah.
So people should reach out if they have something to contribute.
Get in touch.
Check out the blog post and get in touch.
Yeah, absolutely.
I mean, you know, that's how we first got on this case after we did the incident response.
And, you know, we share information, technical indicators with other vendors and they share
with us.
This type of sharing helps us uncover and helps other vendors uncover research like this
and really contributes to the security community.
Our thanks to Nicholas Palmer and Dmitry Volkov from Group IB.
You can find out more about the MoneyTaker exploit on the Group IB website.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.