Darknet Diaries - Ep 35: Carbanak

Episode Date: April 2, 2019

ATM hacking. Hollywood has been fantasizing about this since the 1980's. But is this a thing now? A security researcher named Barnaby Jack investigated ATMs and found them to be vulnerable. Once he published his data, the ATM hacking scene rose in popularity and is a very serious business today. One of the first big ATM robberies was done with the malware called Carbanak. Jornt v.d. Wiel joins us to discuss what this malware is. This episode was sponsored by Nucleus. Visit nucleussec.com to start your free trial. This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. For more show notes and links visit darknetdiaries.com.

Transcript
Starting point is 00:00:00 Hey, what's up? Not much. I'm just reading. Cool. What are you reading? I'm reading Exploding the Phone. It's about phone phreaking, kind of the history of it. Sounds interesting. This is Dade. That's not his real name. That's just his online name.
Starting point is 00:00:14 I met him at a B-Sides conference once and was just really impressed with his knowledge of security and hacking. So I chat him up sometimes and ask him questions on things that I'm researching. Hey, I'm calling because I want... I'm trying to think, are there any old movies that have like a hacker getting into an ATM and dispensing cash? Yeah. So there's a, there's a couple, it's kind of a, a trope in, in hacking movies. You know, most prominently, I think in, in hackers, they're all sitting around the table at Cyberdelia and Joey's really trying to get all of his his friends attention. And he's talking about how he hacked this this bank. Right. OK, wait. OK. So it's a bank.
Starting point is 00:00:54 So this morning, look at the paper. Some cash machine in like Bumsville, Idaho, spits out seven hundred dollars into the middle of the street. That's kind of cool. That was me. That was me. I did that. And then Joey kind of takes credit for it, and he's like, you know, really bragging. Wait, wait, wait, hold on. How do you know this much about that one scene in Hackers? I, you know, I watch it a lot.
Starting point is 00:01:18 I kind of, you know, I picked my hacker handle because of that movie. It's what inspired me to get into computers in the first place. So, like, do you know every scene of Hackers? I know almost every scene of Hackers. I know most. I can find myself quoting it unintentionally quite frequently. That's impressive. That's really crazy. All right, so what year was Hackers? That was 1995. There was actually a couple of ATM hacks before that as well. In 1985, a movie called Prime Risk was basically all about finding out ways to rip off ATM machines. I've got over 20 frequency codes today.
Starting point is 00:02:00 What is that? It's a spectrum analyzer. It reads the electromagnetic environment and creates magnitude readings for the proper frequencies. Oh. What are you doing with it in your car? Well, it's just an experiment for now, but if we're lucky, we should be able to pick up, oh, $200 from each account. You know, you can get into a lot of trouble fooling around with the banks. Would you relax? I'm relaxed. You're talking about ripping people off.
Starting point is 00:02:26 Look, it's a banking system. We aren't stealing from people. And then, again in 1991, a young John Connor in Terminator 2 hooks up his little laptop into the card reader slot of an ATM. Please insert your stolen card now. He hits a couple buttons, some Hollywood hacking appears on screen, you know, numbers flying down the screen, changing really fast. Go baby, go baby, go baby. All right. PIN number. Eventually he's cracked the PIN. Withdrawal three zero zero. Bucks. Come on baby baby. Come on. Come on. Come on. Yes.
Starting point is 00:03:06 Hey, it worked. Easy money. All right. So if Hollywood is doing this in the 80s and 90s, I think I'm going to look into where we are with ATM hacking today and do an episode on that. Yeah, that sounds great. All right. This information has been great.
Starting point is 00:03:19 Thanks so much. Yeah, no problem. Thanks for reaching out. All right. See you later. Hack the planet. These are true stories from the dark side of the internet. I'm Jack Rhysider.
Starting point is 00:04:02 This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless and it's not a fair fight. But I realized I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things.
Starting point is 00:04:40 It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknet diaries and enter code darknet at checkout. That's join delete me.com slash darknet diaries. Use code darknet.
Starting point is 00:05:17 Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can.
Starting point is 00:05:58 Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. So ATMs are an obvious target for criminals.
Starting point is 00:06:35 It's just a hunk of metal holding a bunch of cash. And there can be anywhere from $3,000 all the way up to like $250,000 in each ATM. So getting into one of these could be a big win for someone. At its core, an ATM is just a computer, often a Windows computer, with an input device like a touchscreen or buttons, and then there's the cassettes that hold the cash.
Starting point is 00:06:55 The cassettes are the crown jewels of the ATM, since they hold all the money. So one tactic is to steal the cassettes. Smash and grab is still a common ATM hacking technique. This is as simple as smashing a window of a store, running in, grabbing the whole ATM, drag it outside, throw it in your truck, and drive off. To defend against this, shop owners and banks have securely fastened the ATM to the ground, often with huge bolts right into the concrete. But criminals will still smash the window, throw a rope around the ATM, attach it to their truck, and pull it out with the truck to knock it loose,
Starting point is 00:07:26 and then grab the whole ATM and drive off. But then there are ATMs built right into the walls of the bank, where you can't knock it over or pull it loose. And what some criminals do here is they'll run up to it, create a hole in the ATM somehow, like jamming a crowbar right into it or under it, and then they'll load up that hole with explosives and blow up the ATM itself. Usually the cash box that holds the money is knocked loose from the explosion, and the thief can run off with just that box of money. But all these techniques are messy and very destructive. There's even one video of a guy driving a forklift right through a
Starting point is 00:08:02 convenience store window, knocking over all the shelves and making a ton of damage just to get the ATM loose and out of there. It's shocking, and there's just much more elegant ways of stealing money out of an ATM. A little over a decade ago, a story came out that said a master admin password was configured for many ATMs. Some thieves got a hold of this password and used it to access the ATM. However, the admin access didn't let them dispense money, so they couldn't just steal the money. The hackers poked around at what they had access to. Inside the ATM are a number of cassettes
Starting point is 00:08:35 with different denominations. Maybe there are three cassettes with $5 bills, $10 bills, and $20 bills. With admin access, you could assign which cassette was which denomination. So the hackers told the ATMs that all the cassettes have just $1 bills in them. So when they went to withdraw $20, they gave them 20 $20 bills. Their balance only went down by $20, but they actually got $400. And these criminals did this a few times and got a whopping $1,540
Starting point is 00:09:04 from this attack. The admin password has since been fixed and that attack is no longer valid. Around 2009, a security researcher named Barnaby Jack was interested in seeing what kind of hacks he could do on ATMs. He bought a few and had them delivered to his house. I remember when one of the ATM delivery guys came in and he wheeled the ATM into my place and he just thought, why on earth do you need an ATM in your house for? And I was feeling a bit cheeky that day, so I just looked at him and was like, I just don't like the transaction fees, mate. This is Barnaby Jack speaking at DEF CON 18, the largest hacker convention in the world.
Starting point is 00:09:41 Once he got the ATMs into his house, he took them apart and analyzed how they worked. He started looking for vulnerabilities in the ATM he had. He found the ATM had two different keys. One key opens the door to the cassettes, where the cash is. But these were high security keys, and each ATM had a different key. But there was another key, which opened up the cabinet. The cabinet holds the computer that controls the ATM. And he found a serious problem with this key. So one key will open all the models from that same manufacturer, the cabinet. Yeah, that's right. One key opens the ATM up for all ATMs that that manufacturer makes.
Starting point is 00:10:18 This only gave you access to the motherboard in the ATM, not the cash. But Barnaby Jack, being a security researcher, he tried to figure out how he could attack the motherboard to dispense cash. And sure enough, he found a way. He was able to load a custom firmware onto a USB flash drive. Now that he has access to the motherboard, he can plug that USB drive into the motherboard, reboot the ATM, and it would load his custom firmware. And this firmware pretty much let him do anything. So I placed hooks at the card reader, the pinpad, and the parser that handles the remote configuration commands. So with those hooks, we can add some fairly handy features, save the track data, capture the pinpad,
Starting point is 00:10:54 and a few custom remote commands. Get the track data remotely, sure, remote jackpot, might as well. With the USB drive plugged into the motherboard and new firmware installed, he closed up the lid and the ATM looked and operated just like normal, except he had programmed a hidden menu to let him control it however he wanted. He could read and store any cards that were swiped on that machine and the pins that were entered. But the most astonishing thing he could do was dispense all of the cash from all the cassettes, which he called jackpotting.
Starting point is 00:11:23 And he demonstrated how he can do this live, right there on the stage at DEF CON 18. Okay, so it pops up my hidden menu there. Well, let me dispense 50 notes from A, B, C, or D, which are the four cassettes on the ATM. So let's just try to dump 50 bills from the first cassette. This is unbelievable. And I was there for that,
Starting point is 00:11:55 and I'm still blown away by how crazy this was. To see this live on stage, it just blew my mind. But physical attacks on ATMs might seem a little too risky. I mean, you've got to actually go there and lift the cover up to get into it. And there may be cameras watching you too. But ATMs are sometimes found in gas stations or bars, and they're often tucked away, sometimes hidden, like by the bathrooms or a cigarette machine. And we give people privacy when they're using the ATMs. So it's entirely possible to do
Starting point is 00:12:18 this in broad daylight and nobody would notice. But Barnaby wanted to take this a step further and see if he could figure out a way to gain remote access to an ATM over the network. So he plugged in the ATMs to his home network and began trying to see what he could get into. Well, there was a remote login to the ATM, but it had a username and password. But Barnaby found a vulnerability in the software to let him bypass that authentication altogether, allowing him to get right into the ATM. From there, he couldn't do much other than check the system,
Starting point is 00:12:48 see how much cash was there, and basic troubleshooting. No way to actually dispense cash. But Barnaby had already made a custom firmware that could give him extra access. So he was able to connect all these exploits together, which allowed him to... Upload a rootkit,
Starting point is 00:13:03 so that's not a bad feature. It bypasses authentication, initiates the software upload, which lets me replace the firmware. So, awesome. Awesome it was. Barnaby could now remote control an ATM with his own custom firmware that allowed him to do whatever he want, such as dispensing cash out of an ATM on the other side of the world without even touching it. Again, unbelievable. The research that Barnaby Jack did with ATMs was just amazing. And he didn't stop there. He had a passion for finding vulnerabilities in embedded devices. And there are electronic embedded devices in so many products we interact with. Devices like a washing machine, your thermostat, a refrigerator, dishwasher, your phone, video games, printers, and medical devices.
Starting point is 00:13:48 After Barnaby demonstrated to the world how you can hack into ATMs live on stage at DEF CON, he turned to researching the electronics within medical devices. He found that he could gain remote access to insulin pumps that were actually strapped on to people and worn about. On stage at the RSA convention in 2012, he demonstrated what he found. From 100 meters away, I can scan for any insulin pumps in the vicinity. It will return those insulin pump IDs,
Starting point is 00:14:14 and then I can have them dispense their entire 300 units of insulin, which for a type 1 diabetic will easily prove fatal. This guy really wasn't messing around. I mean, first robbing banks, now killing people. The point he was trying to make is that medical device manufacturers really need to take security a lot more seriously than they already were. I'm trying to go as public with this research as I can, just to show how easily these pumps can actually be attacked
Starting point is 00:14:40 and hopefully change the mind of the FDA and of Medtronic and of the public that maybe a recall could be in order. Barnaby then began looking to see if he could remote control a pacemaker. This is a device used to keep your heart beating regularly. And sure enough, he figured out a way in. See, Barnaby was an amazingly good security researcher, and he had a keen ability to find weaknesses and security holes in so many systems. And when he found a way to remote control a pacemaker implanted into a human, he took his findings on the road to a security
Starting point is 00:15:10 conference in Melbourne, Australia. And he demonstrated this hack live on stage to show how someone could send a lethal shock to a human through hacking a pacemaker. And this news of this vulnerability, again, was a big deal. Barnaby refined his demonstrations and was accepted to speak at Black Hat, the security conference in Las Vegas, to demonstrate this medical device hacking live on stage. But he never did give that talk, because he died a week before the conference. His girlfriend found him lying on the floor in their San Francisco apartment.
Starting point is 00:15:44 The coroner examined his body and ruled that the cause of death was an overdose of drugs. He was 35 years old. Barnaby had a lot of talent and potential. It opened her eyes to a lot of things. Losing him was a tragedy. And he will be missed immensely. All right, so if you could start out by telling me your name and what do you do? My name is Jornt van der Wiel, and I'm a security researcher within Kaspersky Lab.
Starting point is 00:16:18 Kaspersky Lab is based in Moscow, Russia, and makes antivirus software, amongst many other things. They need to keep their finger on the pulse of what the security threats are in the world so they can develop ways to detect and defend against these threats. Okay, so Jornt, what were you seeing after Barnaby Jack demonstrated how to hack into ATMs? Yeah, so he introduced it and he showed that it was possible. And what we saw after that was, you know, people started copying it. Especially in Russia and the surrounding countries. Surely, Barnaby Jack wasn't the first person to have figured out how to hack an ATM.
Starting point is 00:16:54 But he was the first to demonstrate it live on stage. And after he did demonstrate it, banks and ATM vendors did improve the security of their machines. But ATM hacking started gaining in popularity after the talk. And there was an ATM hack in particular that Jornt will always remember. Yeah, yeah. So one of our colleagues, he got a call or an email from somebody that he knew. It was an email and it was from an IT guy working at a bank in Ukraine. And he told us that he had a problem and he didn't really want to disclose what it was.
Starting point is 00:17:24 But he said that, you know, you guys just have to come. Now, Jornt and his team were like, well, going to Kiev is far and it's not easy to get to. Just tell us what the problem is. We've probably seen it before and we'll just tell you how to fix it. But the bank was insistent on telling them they must fly to Ukraine to see the problem themselves. So Jornt and his team hopped on a plane and flew to Kiev to visit this bank. And they took him into a room which had all the surveillance footage for the bank. So we went there and then he showed us video footage. Okay, so the scene in the video is this.
Starting point is 00:17:55 There's a bank with ATMs. Okay, but it's 3 a.m. So the bank is closed. And the ATMs are in this little foyer lobby something of the bank. Like a portal kind of. Yeah, but the doors are locked. So you have to swipe your debit card on the door in order to get into that portal to use the ATMs. But you can't get into the rest of the bank. So Jornt watches this video footage. And on the video, you see a guy walking towards the bank. This guy is wearing like a big black hoodie.
Starting point is 00:18:23 He's got a long scarf, but he wraps it around his face so you can't see what he looks like. And he's holding a big black duffel bag. He opens up his jacket, takes out his debit card and swipes it on the doors, which lets him into the lobby where the ATMs are. And as soon as he got in, the ATM started to blink. And he walked towards the first ATM and then this whole pack of money came out. Literally, the moment he enters the lobby, the ATM suddenly starts spitting out all kinds of cash in all of the cassettes. He didn't even touch a single button on the ATM. You know, and then he just, and the money just kept on coming out.
Starting point is 00:18:55 So he just kept on filling his sports bag. And then he went to the next ATM, and to the next one, and to the next one. There were four ATMs in this lobby, and all four of them are blinking wildly, and they're spewing out thousands of hryvnia, the Ukrainian money. And as fast as they're popping out of the ATM, this guy is shoving them into his duffel bag. The operation seemed very precise
Starting point is 00:19:15 and was done very quick. And when all four ATMs were empty, he just, you know, he left. And without even touching the ATMs, he was able to rob them. The bank said there was around $250,000 in each of the ATMs he just stole from, which meant he took about a million US dollars in just a few minutes. Somehow magically emptying all the ATMs without even touching them.
Starting point is 00:19:41 This isn't a hack. This is a superpower of some kind. Forget about the team at Kaspersky to solve this. You need Batman or someone on this one. Yeah, but come on. It's not something that is Hollywood movie magic. But seriously, no matter how weird a hack may seem, there is always an explanation for it.
Starting point is 00:19:57 So Jornt's team began trying to think of what this could be. So first we thought that this was a modified version of another malware that we already knew about. It was called Tyupkin. Yeah, Tyupkin is pretty slick. It first requires hackers to remotely access the ATM over the network. For your information, like an ATM is just a computer running Windows. So it's possible to install malware on it. So once a hacker gets into the ATM over the network, they'd plant this Tyupkin malware on it.
Starting point is 00:20:26 This malware, it was active between 12 o'clock and 3 o'clock in the night. And when you entered a special code. This is a special code you just put right on the pin pad of the ATM. Then you get access to the Trojans menu. From here, you can see how many cassettes there are and how many bills are in each one. And then there's a little special code at the bottom of the screen, which is called a challenge. And then you get the challenge, you send it to your boss and he calculates response, you enter the response. Whoever's at the ATM sends this code back to the hacker,
Starting point is 00:20:58 and then they generate another code so that you enter it back into the ATM. And then you basically get into the Godmode menu because you can choose from which cassettes you want the money. And then you literally get to say, give me the money from cassette one and money just comes right out. It's a pretty slick attack and it works really well when set up correctly. Back at the time, it was one of the first ATM malware versions that was there, you know. Now there are like dozens, like way more. But back then it was one of the first.
Starting point is 00:21:29 And because of the modus operandi, like you enter in the middle of the night, we thought that this was a modified version. So we asked the bank for hard disks of the ATM so we could search for malware. Jornt took these disks back to the lab and investigated them thoroughly. We couldn't find anything. The trail went cold. Jornt was stumped. He had absolutely no clue how this attack happened. There was no sign of any malware or suspicious activity on the ATMs. How could this be? Months go by. No progress.
Starting point is 00:22:06 Jornt just stopped investigating, thinking it was just some really weird anomaly. Maybe magic? Who knows. But then, out of nowhere, we got a call from one of the account managers. But this wasn't an ordinary call. The account manager was calling him at 3 a.m. And it was in the middle of the night, and the guy just said that we have to call this number. And we were like, man, it's in the middle of the night. We're sleeping. Jornt was like, can't you just tell me what this is for? But the account manager was insistent that he just called this number. So Jornt and a few of his colleagues got out of bed, splashed some water on their face to wake up a little, and called the number. There was a guy that was completely, completely stressed out. He was an IT person from a large bank in Russia, and he was in a total
Starting point is 00:22:51 panic. Something big had happened to this bank, and he needed help immediately. So he just said, get your ass over here. And we were like, okay, but where is here? The bank happened to be in the same town as one of Jornt's colleagues. So he got dressed at 3 a.m. and went down to the bank. And on the way there, they're thinking things like, oh, this bank must have been robbed for like millions of dollars or something. Maybe it was those ATM robbers since this call was at 3 a.m. too. So the colleague arrived. And when he was there, like I said, the guy was completely, completely stressed out.
Starting point is 00:23:24 And because it turned out that their domain controller, which is the most important server within the network, was actually sending data to China. Well, this isn't exactly a bank robbery. It's still quite a big problem. The domain controller is the heart of the network. It handles like all the authentication, all the connectivity between Windows computers. And if you have admin access to the domain controller, you probably can get admin access to pretty much any other Windows computer in the entire network, including any money processing systems. So when the bank was saying their domain controller was sending data to China,
Starting point is 00:24:03 this meant one thing. Yeah, like the domain controller has been breached. As in, hackers have gained access to the heart of this bank's network. There is no reason for a domain controller to contact a server in the middle of the night in China. So Jornt's teammate grabbed a chair and sat down at a terminal to look at the domain controller. When such a thing happened, what you try to do is you try to find the malware. They used a tool called Process Explorer to examine what's running. They looked at system logs and examined the memory. And it didn't take a long time to find that process. They found what program was sending the data to China and began analyzing it. And they quickly make memory dumps and just do some strings on it,
Starting point is 00:24:47 you know, to find readable characters. Well, it's not possible to see what's inside this program or what it's doing. Sometimes running strings on it can get you a clue. The strings command will analyze the file to see if there's any human-readable data in the bytes of the program. And this can sometimes reveal clues
Starting point is 00:25:03 such as who wrote the program or what language it was written in or other tiny clues like this. Jornt ran the strings command and found something. And there we saw that there was written VNC. VNC is a way to remotely control a computer as if you're sitting right in front of that system. Think about the situation, you know. You are at a large bank in the middle of the night in Russia.
Starting point is 00:25:27 The domain controller is sending data to China. And you see that there is a DLL loaded. Which has an active remote desktop connection on it. Now, could it be that those guys that breached the server are watching what we were doing? This is certainly a chilling moment to think that not only are hackers in the bank, but they're watching your every move on this computer. Jornt and his team wanted to find out if they were being watched.
Starting point is 00:25:54 And so they came up with a plan. So we opened up a Word document and, you know, we wrote like, which was Russian for hello. Wait, why did you say hello in Russian? If you don't know Russian, when you're taking a Russian bank, things get complicated. So they sit there with the Word document opened with hello written in Russian on it and wait. If a hacker was in the system right now, they'd see this and they know that message is for them. A few minutes go by and the cursor starts to move and they start to type and they say hello in Russian. And then he started
Starting point is 00:26:27 writing more. Oh, you will not catch us. And then I was like, okay, we will catch you. No, you will not catch us. And this 4am chat goes back and forth for a while between the hackers and the investigators. And eventually that chat ended. And Jornt's team was able to find the malware on this computer and wipe it off the domain controller, which disconnected the hacker from the network. Removing this malware wasn't that hard, actually, so the next step was to figure out if any other computer in the whole network had it and remove it. So he wrote a very simple script, and it was run on all the computers within the bank, and a little bit later, the malware was removed. So far, so good. This incident gave Jornt and his teammates a lot of clues as to
Starting point is 00:27:06 what was going on here. And they were actually able to connect the dots back to those ATMs that got hacked in Ukraine. And after the break, we'll hear how Jornt unravels the whole thing and figures it all out. Stay with us. This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily, taking action on your company's exposure is more important than ever. I recently visited spycloud.com to check my darknet exposure and was surprised by just how much
Starting point is 00:27:33 stolen identity data criminals have at their disposal. From credentials to cookies to PII. Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat protection, you're never in the dark about
Starting point is 00:28:00 your company's exposure from third-party breaches, successful phishes, or info-stealer infections. Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries. Right, so go on. What happens next? Eugene Kaspersky, the owner of the company, he was at the Interpol conference and he was telling this story. And then Europol heard about this and they thought, oh, you know, these guys might be coming to Europe. We have to inform our banks. And Europol is headed in The Hague.
Starting point is 00:28:39 So one of my colleagues from Russia flew over to The Hague to present about this case. So a Kaspersky security researcher presented their findings to this Europol conference in The Hague in the Netherlands. And this started getting the case a lot more attention. First, a big bank heard this talk and started a panic saying, we have the same indicators of compromise on our servers. But this turned out to be a false positive. But then the Dutch police became interested and they wanted to help. Around that time, we also decided to work on this case together with the Dutch police because they wanted to do a case with us and they were interested. So by this time, a few other banks are now calling up Jornt and his team and having them investigate the similar issues.
Starting point is 00:29:19 Yeah, we found a new command and control server and that one was located in the Netherlands. So the malware was being controlled remotely by a command and control server. And this server was located in Holland. And this was a lucky break, because the Dutch police were already aware of this and wanted to help. So it was relatively easy for the police to seize it. Once the Dutch police seized the server, they gave it to Jornt to analyze. And they gave us the source code of the botnet panel. We analyzed it, and we saw that they made a small implementation mistake.
Starting point is 00:29:49 And that meant that if we sent a very specific request to a web server, you would get a very specific error. Basically, if you did an HTTP request to this command and control server with a slash zero at the end, the server will return a very specific error. And this meant Jornt could scan the entire internet quite quickly and easily, looking for every single command and control server being run by this hacking team. So we just scanned the whole internet and we just did that whole request on all the web servers, on all the internet,
Starting point is 00:30:20 trying to see if one would come up with such a unique error response. And that way we were able to find other command and control servers. Now things started moving a lot faster for Jornt. He and his team have responded to a lot of banks with the same problem. And they have a copy of the malware that was on the bank and a copy of the command and control servers, which was orchestrating the whole thing.
Starting point is 00:30:42 So at this point, they decided to give this malware a name. And they called it Carbanak. It comes from two things. So it was based on malware called Carberp. And then there was a configuration file called Anunak. So we kind of meshed those two words together. So that's why we named it Carbanak. At this point, Jornt and his team have completely unraveled how this entire hack works. And it all starts with a random employee, and in this case,
Starting point is 00:31:09 an event coordinator or manager. So they send a spear phishing email to an employee at the bank, for example, the event manager. At that time, it was a Word document. And that Word document contained an exploit for an already patched vulnerability, by the way. Now, as soon as the event manager opens up the Word document, the malware is downloaded and installed on the computer and the attackers have their first point of entry within the bank. So here's what went down. An email was sent to an event coordinator of a bank,
Starting point is 00:31:41 which said something like, we're organizing a very important event and we think your company would be interested in coming. Please see the attached doc for details. And of course, the attached Word document contained a virus in it. The human seems to be the weakest link in the network still. Basically, inside this Word document was a set of instructions that the computer should execute. And this Word doc was just downloading the Carbanak malware. And that one actually contains like the backdoor so the attackers could connect to that computer. Now that the hackers had remote control of this person's computer in the bank, the next goal would be to elevate their privileges and get access to the domain controller.
Starting point is 00:32:19 The hackers first installed a keylogger on this person's computer to record every keystroke that person makes. Now, the first thing they tried to do is try to get the administrator password. And one way to do that is, you know, install some software that makes the machine really slow. And then the person will call IT. IT will come. They will enter the administrator password. They will see the software that's slowing down the PC. They remove the software, and, you know, the guys have the administrator password because they installed a keylogger. I'm not gonna lie, I think this is a genius move: to put a keylogger on a computer and then make the computer act badly just to get an admin to come log in and take a look, and when they do, you steal their password. That's amazing. So now that they have the admin password to one of the computers,
Starting point is 00:33:05 they'll try to use that password on another server. Yeah, you go to the domain controller, of course, you know, and the password is the same. You can log in and there you can find a computer that is of interest for you. A computer of interest in a bank is a computer that controls the money transfers or controls the ATMs. But this hacking group was very tactical once they arrived on a computer that handled bank transfers. And they also figured out which employees were the ones that were making like manual money transfers on these systems. So they'd infect those employees' computers too. The interesting thing about this gang is, malware-wise, they were not like the most advanced, or it was not APT. They didn't use, like, espionage. They didn't use any zero days and that kind of stuff. But they were really good
Starting point is 00:33:53 at finding their way within the bank, and they were really, um, smart and clever. And, um, give me some ideas what they were doing. Like one of them was to just install video recording software on the machine of one of the employees. And the video recording software wasn't really like really bad quality. It wasn't black and white and only the active screen was recorded. But by that way, not much data was sent to the command and control server. So you wouldn't see like gigabytes going to one IP address. And the good thing is they just by watching how one guy was doing his day to day job,
Starting point is 00:34:38 they learned how all the IT systems within the bank works. Well, that is clever. By recording the user screen, they could see exactly how to use that money transfer system. And by using a keylogger, they could get the passwords on those banking servers too. That's the smart thing about them. They just found their way quite quickly to
Starting point is 00:34:55 extract money from the bank. Alright, so here's the situation now. Russian hackers or someone fluent in Russian found their way into a Russian bank's network, identified which employees have access to manually transfer money, and have all the logins to get into those money transfer servers, and they've been watching how people do it for days.
Starting point is 00:35:13 They now have complete access to make any money transfer they want. So now it's time to cash out. I did a couple of ways. One way was to enter data directly into the Swift system and transfer money overseas. Swift is a network that many banks of the world use to transfer money between banks internationally. It has to be a very secure network because a bank can literally lose millions of dollars in an instant if a hacker were to make an illegal SWIFT transfer to another bank account. One other way was to control the ATMs remotely, like we saw with the first case.
Starting point is 00:35:50 Basically, these hackers found a way that the bank could remotely control the ATMs, and it had a feature to dispense all the money. So the hackers simply got into the ATM admin server, waited for the go-ahead from the guy at the bank, and then they just started dumping all the bills out. Oh, and then there was a third way that the hackers were transferring money. And that's actually quite a funny story.
Starting point is 00:36:15 They found a system to create accounts. So they created all these accounts for their money mules. All these methods actually required two people. First, there was a hacker that needed to get into the computers and transfer all the money and stuff. But then there's a money mule, who's simply a person who's paid to go grab the money and send it back to the boss, but they get to keep a small cut of it. In this third method of stealing money they used a bunch of money mules. So they hired a bunch of them and taught them how to go get the cash. And then they flew in all the mules.
Starting point is 00:36:40 They created the debit cards for all the mules. The hackers created bank accounts for each one of these mules and gave them a debit card. But the bank account had a very specific amount of money. Like $3.33 or something. A really, really crazy low amount that nobody would typically have. Then, once all the mules had accounts set up at this specific bank, the hacker would then go to work. Now, instead of looking up all the mules' account numbers and changing their balances one by one, the hacker would just do a database update on the entire database, updating all accounts that had $3.33 in them. Updates, table, balance, to $1,000,000, where balance is $3.33.
Starting point is 00:37:26 Suddenly, all the mules had $1 million in their account, and they could go withdraw that cash. And a lot of mules successfully did withdraw millions of dollars this way, which resulted in banks losing a ton of money. Now, the funny thing is, because of that query, not just the mules had suddenly one million, but everybody who at that point in time happens to have the same amount of money was suddenly a millionaire. Oh, that's crazy. So now that Jornt and Kaspersky Labs have completely understood how this operation works, they wanted to disrupt the whole thing.
Starting point is 00:38:02 So they scanned the whole internet looking for those command and control servers. And when they found them, they gave it to the local police to take down. By taking down these servers, it disrupted the whole operation. But the criminals were persistent. After all, these hacks had already brought in millions of dollars. They just kept getting their command and control servers seized by the police. So they changed their modus operandi. Modus operandi. Is that right? They changed their tactics. Instead of using the Carbanak malware, which had antivirus signatures that were already well known, they started using off-the-shelf tools such as Metasploit and Cobalt Strike. And with this slight change of tactics, they were able to fly under the radar once again and strike at many more banks.
Starting point is 00:38:44 Kaspersky claims this group successfully attacked 13 times and stole 25 million US dollars. The Europol was also tracking this group, and they had completely different numbers. Europol claims this group hacked into over 100 banks and stole money, and they stole a whopping 1.2 billion US dollars. This obviously got the attention of a lot of police. And while most bank robberies occurred in Ukraine and Russia, it did start to branch out to various other countries like Spain and China. A major investigation was underway. Not just Europol, though. The Spanish government was investigating, the Moldovan government, Romanian, Belarusian,
Starting point is 00:39:21 the Taiwanese government, and even the FBI had cases on this group and were sharing information. What we saw is that a while ago, and I don't know, I remember exactly when, one of the suspected ringleaders got arrested in Spain. It was a Russian guy living in Spain or a Ukrainian guy. It was actually March 2018. A guy named Dennis K was arrested in Spain. He was from Ukraine and he was working with three other Ukrainian and Russian nationals. Together they worked with the Moldovan mafia to hire the money mules and fly them to the banks to pick up the money. And once they had the money, they would quickly switch it to bitcoins
Starting point is 00:39:57 where they could spend it anonymously. However, not everyone takes bitcoin. When Dennis K tried to buy something big like a car or house, he had to pay taxes on it. And some bad accounting tipped off the police to follow the money, which led them to Dennis and they arrested him. When they arrested Dennis in Spain, they found in his house computers, jewelry valued at over 600,000 US dollars and two luxury vehicles. And they also found that Dennis owned two houses that were worth over a million dollars each. The police think this gang had acquired over 15,000 bitcoins,
Starting point is 00:40:31 which is about 60 million US dollars today. But even though this arrest occurred, the Carbanak malware continued to be used by hackers around the world. And it may have been traded on a dark net or some hacker forum. And some chatter on the hacker forum seemed to suggest this arrest didn't even slow down these attacks at all. Another prominent hacker group called Fin7 used this Carbanak malware to target American companies. That story actually doesn't have any ATM hacking in it, so we'll skip it. But it is amazing, so I'll have to cover it on another episode. But Carbanak will always be remembered by Jornt, because... These were the first large attacks on banks
Starting point is 00:41:05 and organized attacks on banks because first the criminal groups attacked consumers with banking malware and later they started to attack banks basically with banking malware and robbing banks because it was more profitable
Starting point is 00:41:22 and easier in the end. And these attacks on banks, they are still happening. What can banks do about this now? So one of the obvious things is update your software. You know, this group didn't use any zero days. So if they just would have updated their Microsoft Office, this attack wouldn't have taken place. I looked this up. These hacks were going around in 2015, but the hackers used an exploit that Windows had fixed since 2012. So yeah, if the bank simply kept
Starting point is 00:41:57 their Microsoft Word updated on all the employees' computers, this would have gone nowhere. This is why I'm always telling you to update your software. And then if you have antivirus installed, make sure that you also have one that looks at the behavior of computers, of your system, because that one is also able to catch unknown malware quite easily. There really isn't just one way to stay safe from this attack. You really need good all-around security hygiene practice for your users and your servers. It's also good to have proper monitoring in place so that you can quickly detect when something like this is going on. So Carbanak is just one way hackers have been getting into ATMs, but there are many more ways
Starting point is 00:42:34 they're doing it today, and it's becoming more popular. Another way that ATMs are being hacked is if you can get access to the Ethernet cable that connects the ATM online, you can plug it into a fake processing center that you set up, tricking the ATM to just basically authorize any withdrawal. Oh, and some ATMs have like a full QWERTY keyboard built into it. Some hackers found that you can like hit shift five times quickly, which gives you the sticky keys in Windows, and then from there you can access like the Windows OS. And there's other keyboard commands you could do to skip out of the ATM app, since it really is just a Windows computer. And there are a whole bunch of other methods used to defeat cash machines
Starting point is 00:43:09 today. ATM hacking is going on all over the world, and the manufacturers and banks really need to pay extra attention to these kinds of attacks. Because ATM hacking will continue until security improves. You've been listening to Darknet Diaries. For show notes and links, check out darknetdiaries.com. Big thanks goes to Jornt van der Wiel for telling us this story. If this show brings you value and you enjoy it, please consider supporting it through Patreon. The show is made by me, the cyberdelic warlord, Jack Rhysider.
Starting point is 00:43:45 The theme music is by the funkadelic Breakmaster Cylinder. Join us again in two weeks where I'll bring you more true stories from the dark side of the internet. Peace.