From phish to network compromise in two hours: How Carbanak operates

The past few years have seen an increase in the number of attacks against financial organizations by sophisticated cybercriminal groups that use manual hacking and stealthy techniques to remain hidden. Now, researchers from Bitdefender have released a report on an intrusion they investigated at an unnamed bank that documents in detail how these attackers operate and shows how fast they can gain control over a network.

The breach was perpetrated by Carbanak, an umbrella group for several cybercriminal gangs that have stolen hundreds of millions of dollars from banks and other organizations worldwide. Carbanak’s divisions are known by various names including CobaltGoblin, EmpireMonkey and FIN7, a group that specializes in targeting point-of-sale (PoS) systems in the retail and hospitality sectors.

The suspected leader of Carbanak was arrested in March 2018 in Spain, but Carbanak’s activities continued. Between March and May 2018, Bitdefender detected several phishing campaigns attributed to Carbanak. Those attacks impersonated IBM; Spamhaus, an anti-spam organization; VeriFon, a PoS terminal manufacturer; the international SWIFT payment system; a Swedish company; a security vendor; and the European Central Bank.

One of those campaigns distributed malicious documents that contained exploits for three known remote code execution vulnerabilities in Microsoft Office. Their goal was to deploy an implant from the Cobalt Strike penetration testing framework and download additional payloads and tools.

Two hours to network access

According to Bitdefender’s forensics investigation, two employees of the compromised bank opened malicious documents from the Carbanak campaign on the same day. Two hours later attackers had already managed to obtain administrative credentials for the domain controller, giving them unrestricted access to multiple systems from the bank’s network.


Article by channel:

Read more articles tagged: