Cyber thieves employ new tricks to rob banks

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 10 Dec 2018
DarkVishnya targets banks.

Over the past year and a half, Kaspersky Lab specialists were invited to research a series of cyber thefts, each with a common thread - an unknown device directly connected to the organisation's local network. The device had been smuggled into the building, and was controlled by the attackers.

In some cases, the target was the central office, in others, a regional office, and sometimes it was even located in another country. At least eight banks have fallen victim to the attacks, collectively dubbed 'DarkVishnya', and tens of millions of dollars in losses have been incurred.

While the attacks so far have been limited to Eastern Europe, Sergey Golovanov, security expert at Kaspersky Lab, says there is a chance of similar attacks in other countries.

"DarkVishnya is a series of attacks on financial institutions, and what they all have in common is the use of a physical device that is connected to the local network and later scanned in order to access resources. These cases are rare, yet similar attacks with no visible connection to DarkVishnya incidents have previously been seen in other regions, including Latin America."

How it works

Golovanov says the actors used three types of devices: a laptop, a Raspberry Pi (a single-board computer the size of a credit card) or a Bash Bunny (a specially designed tool for automating and conducting USB attacks), equipped with a GPRS, 3G or LTE modem that allowed the attackers to remotely penetrate the corporate network of the financial organisation.

Once the connection was established, the attackers attempted to gain access to the Web servers to steal the data they needed to run remote desktop protocol on a selected machine and then seize funds or data. This fileless method of attack included the use of Impacket, winexesvc.exe, or psexec.exe remote execution toolkits. In the final stage, the criminals employed remote control software to maintain access to the infected computer.
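One way a defender might look for the remote execution tools named above is to review Windows service-installation events (Event ID 7045) for their service and binary names. This is an added example, not from the article or Kaspersky Lab: the event records, host names and field layout are constructed, and the PSEXESVC service name is an assumption about PsExec's behaviour on the target host. Impacket is not covered by this name-based check.

```python
import ntpath

SERVICE_INSTALLED = 7045  # Service Control Manager: "A service was installed"
# Names from the article (winexesvc.exe, psexec.exe); psexesvc is assumed here
# to be the service PsExec registers on the remote host.
WATCHED_SERVICES = {"winexesvc", "psexesvc"}
WATCHED_BINARIES = {"winexesvc.exe", "psexec.exe", "psexesvc.exe"}

# Constructed sample records, shaped like System-log events exported to JSON.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS-TELLER-07", "ServiceName": "winexesvc",
     "ImagePath": "%SystemRoot%\\winexesvc.exe"},
    {"EventID": 7045, "Computer": "SRV-WEB-01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Service name differs from the watched list, binary name does not
    {"EventID": 7045, "Computer": "SRV-WEB-01", "ServiceName": "UpdateHelper",
     "ImagePath": "C:\\Windows\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "SRV-FILE-02", "ServiceName": "BackupAgent",
     "ImagePath": '"C:\\Program Files\\Backup Agent\\agent.exe" --service'},
    # Not a service-install event, so it is ignored
    {"EventID": 7036, "Computer": "WS-TELLER-07", "ServiceName": "winexesvc"},
]


def image_basename(image_path):
    """Return the lower-cased executable name from a service ImagePath."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]      # quoted path, arguments follow
    else:
        idx = path.lower().find(".exe")       # unquoted: cut after ".exe"
        path = path[:idx + 4] if idx != -1 else path.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def flag_remote_exec_services(events):
    """Return (host, service, binary, reasons) for each suspicious install."""
    findings = []
    for ev in events:
        if ev.get("EventID") != SERVICE_INSTALLED:
            continue
        binary = image_basename(ev.get("ImagePath", ""))
        reasons = []
        if ev.get("ServiceName", "").lower() in WATCHED_SERVICES:
            reasons.append("service name")
        if binary in WATCHED_BINARIES:
            reasons.append("binary name")
        if reasons:
            findings.append((ev["Computer"], ev["ServiceName"], binary, reasons))
    return findings
```

Because administrators also use these utilities legitimately, a hit is a prompt to check who installed the service and from which host, not a verdict.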

Golovanov says these attacks are sophisticated and complex in terms of detection. "The entry point to the corporate network remained unknown for a long time, since it could be located in any office in any region. These unknown devices, smuggled in and hidden by intruders, could not be found remotely. Additionally, the threat actor used legitimate utilities, which complicated the incident response even more.

"We can't tell who is behind the attack," he adds. "Judging from the fact that in each case a physical device was brought inside a building and connected to the equipment, we can suggest that it involved a visitor to each financial institution. Local security services should figure out the identity of this person or persons. As a cyber security provider, our job was done once we had made sure that the institutions were protected and the threats eliminated."