Recently, there has been much talk in the business and IT media on the Carbanak cyber-security attack that targeted up to 100 banks and financial institutions in almost 30 countries worldwide. In cyber-security circles, this attack, which went on for two years, is (almost) old news.
If you are not aware of Carbanak, here’s a brief background:
A group of cyber-criminals used social engineering to install remote access toolkits (RATs) to steal more than US$1 billion from banks and other financial institutions. Banks in Russia, USA, Germany, China, and Ukraine were the most heavily targeted.
There is some indication that the operation, called Carbanak, is expanding to new locations, with new infections reported in Malaysia, Nepal, Kuwait and several African countries. Australia was also included in the original attack.
Early reports seem to indicate social engineering played a big role in obtaining sensitive information and allowing attackers to gain initial access to systems. According to details posted by Kaspersky, attackers used spear-phishing emails, luring bank employees to open malicious attachments which then infected their machines with a malware piece based on Carberp, a popular and well spread backdoor virus. Attackers then resorted to “land and expand” methods to traverse the banks’ intranet (information gathering techniques from key loggers, screen shots, and other tools to map out critical systems), and finally used stolen credentials to log onto systems to transfer money.
So, if Carbanak is two years old, why has it caused a sensation now? Well, the combination of the extent of the damage, the simplicity with which it spread and the organisations it impacted, namely financial institutions, make it somewhat alarming.
The ingenious thing about the attack is that it used the organisations’ own systems to penetrate it. The way it could achieve this is predominantly due to human error – either antivirus programs weren’t updated and/or staff weren’t aware of what to look for. Regardless of where the failure was, executives at the C- and board levels need to continually discuss cyber-security and ways of protecting their organisation’s networks.
Details around the attack suggest attackers initially compromised low value systems, and then used other attack techniques to pivot and compromise higher value targets, deeper in the bank’s networks. This method is often referred to as lateral movement in an advanced threat protection (ATP) context.
Generally, in addition to consistent access policies, network segmentation techniques and isolating critical systems help prevent or mitigate lateral movement. Firewalls and switch administration tools can be key components in network segmentation. Endpoint security solutions such as sandboxing technology can provide further protection and offer greater visibility to organisations under attack.
The FortiGuard team predicts this trend will continue in 2015 as hackers become more sophisticated and find new loopholes for infiltrating retail and financial systems. Organisations are at great risk and it is imperative they choose not just a security solution, but a proactive and intelligent solution, to protect them from the broad breadth and depth of growing attacks that firewall solutions alone will not stop.