
FINANCIAL SECTOR CYBER ATTACKS MALWARE TYPES & REMEDIATION BEST PRACTICES Prepared by: Elias Diab President and CEO, Infotechglobe Cyber Security Solutions


Agenda

• Introduction

• Cyber Attack Types

• Malware Types and Characteristics

• Malware Remediation and Risk Reduction Measures

• Case Study: CARBANAK Trojan APT


Introduction

• The improvement of online banking systems and their increased use by consumers worldwide have made this service a prime target for cyber criminals.

• Security breaches of key financial institutions can pose a substantial danger to market confidence and the nation’s overall financial stability.

• Data privacy and protection breaches (of customer records or confidential documents) carry hefty penalties.

• Cyber attacks have far-reaching consequences: financial, reputational, regulatory, and legal.

• Cyber criminals’ motivation: undermining financial institutions’ reputation and capability to conduct business, while achieving huge financial profits.


Cyber Attack Types

• Untargeted Attacks: Criminals do not focus on a particular victim but target as many devices, users or services as possible.

Phishing, Ransomware, Scanning, Drive-By Download


Cyber Attack Types (Continued)

• Targeted Attacks: Criminals specifically tailor the attack to the targeted financial institution.

Spear Phishing, DoS/DDoS, Water Holing

Malware Types and Characteristics

• Vawtrak (Neverquest or Snifula)

This banking Trojan spreads via social media, email and file transfer protocols. What makes it unique is its ability to hide evidence of the fraud by changing, on the fly, the balance shown to the victim. It is based on the Man-in-the-Browser (MITB) attack.

• Zeus/Zbot

Uses a technique called “Man-in-the-Browser”, exploiting vulnerabilities in browsers to covertly modify web transactions. From the victim’s PC, Zeus automatically connects to the attacker’s C&C and starts stealing the user’s login credentials, and subsequently money from the user’s account.

• CRYPTOLOCKER / CRYPTOWALL

A ransomware Trojan that encrypts personal and system files. It spreads in many ways, mainly via phishing emails that contain malicious attachments or links, or via drive-by download sites.

• Carbanak

Victims are infected via spear phishing. Once a machine is infected, attackers move into the internal network and track down administrators’ computers for video surveillance. The screens of staff servicing the cash transfer systems are recorded, so fraudsters learn every detail of the bank clerks’ work, which allows them to mimic staff activity in order to transfer money and cash out.

Malware Remediation and Risk Reduction Measures

• Build and utilize an effective risk management program and framework

• Identify vulnerabilities and regularly patch your systems and applications

• Adopt an effective SOC and gradually evolve it into a security intelligence center

• Establish a cyber incident management and response function

• Create a cyber security awareness training program

• Use a defense-in-depth approach: no single technology will stop an APT

• Regularly review and update security policies and procedures

• Apply big data analytics and capabilities to discovering APT attacks

• Establish an internal forensics function as part of your SOC solution

Case Study – CARBANAK Trojan

• Spear phishing emails with MS Word (.doc) and Control Panel Applet (.CPL) files attached. The following is an example of a Carbanak spear phishing email:

• Email attachments exploited vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158, a buffer overflow, and CVE-2013-3906, remote code execution in the Microsoft Graphics Component) and an MS Word RTF remote code execution vulnerability (CVE-2014-1761).

• Manual reconnaissance of victims (control of video capabilities established).

• Long-term observation and reconnaissance conducted.

• Remote Admin (Access) Tool installed and communication established with the C&C.
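A mail-gateway triage check for the delivery stage described in this slide, as an added example that is not part of the original presentation: it flags .cpl attachments, executable content, and .doc files whose bytes are not the legacy OLE2 Word container. The function names, the sample message and its addresses are constructed for illustration, and the extension/content mismatch rule is a heuristic assumed here.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of a legacy binary .doc
RTF_MAGIC = b"{\\rt"                            # header of an RTF document
PE_MAGIC = b"MZ"                                # header of a Windows executable/DLL


def triage_attachments(raw: bytes) -> dict:
    """Return {filename: [reasons]} for attachments that should be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = PurePosixPath(name.lower()).suffix   # last extension wins: a.doc.cpl -> .cpl
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext == ".cpl":
            reasons.append("Control Panel applet (.cpl) attachment")
        if data.startswith(PE_MAGIC):
            reasons.append("PE executable content")
        if ext == ".doc" and data.startswith(RTF_MAGIC):
            reasons.append("RTF content under .doc extension")
        elif ext == ".doc" and not data.startswith(OLE2_MAGIC):
            reasons.append(".doc without OLE2 header")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed, benign message: magic bytes only, no real payloads."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "clerk@bank.example"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name, body in [("invoice.doc", b"{\\rtf1 constructed}"),
                       ("notice.cpl", PE_MAGIC + b"\x00" * 62),
                       ("minutes.doc", OLE2_MAGIC + b"\x00" * 8)]:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_attachments(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

Content checks are done on the decoded bytes rather than the declared MIME type, since the sender controls both the filename and the Content-Type header.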

Case Study – CARBANAK Trojan (Continued)

• Attackers observed the protocols and daily operational tempo of their targets.

• Video surveillance of main bank employees and system/security admins was recorded and shared with the C&C. Exploitation methodologies and mechanisms were developed and tailored to each victim.

• Attackers impersonated legitimate local users’ activities and actions.

• Money transfers start to take place (e-Payment systems, ATMs, SWIFT, Online Banking, etc.). Total loss is estimated at around $1 billion, from around 100 financial institutions worldwide.

• Stolen funds were transferred out of affected countries to various bank accounts and money mule services in the US and China.

• A new variant of CARBANAK was spotted recently (September 2015). Are you ready for it (and for other types as well)?!


Questions?