Cybercrooks slurp nearly $1 million from Russian bank after pwning router at regional branch • The Register




Hackers stole nearly a million dollars from a Russian bank earlier this month after hacking its network via an obsolete router.

PIR Bank was looted by the infamous MoneyTaker hacking group. The stolen funds were moved through the Automated Workstation Client (an interbank fund transfer system similar to SWIFT), transferred to 17 accounts in major Russian banks and cashed out. The crooks tried to ensure persistence in the bank's network with "reverse shell" programs in anticipation of subsequent attacks, but these hacking tools were detected and removed before further misdeeds could be committed.

The money, nearly $1 million, was taken from the bank's correspondent account at the Bank of Russia. Group-IB describes this figure as a "conservative estimate".

After studying the bank's infected workstations and servers, Group-IB's forensic specialists collected digital evidence implicating MoneyTaker in the robbery. The digital footprints of the PIR Bank raid matched the tools and techniques used in previous attacks attributed to MoneyTaker.

Group-IB confirmed that the attack on PIR Bank began in late May 2018 with the compromise of a router used by one of the bank's regional branches.

The router had tunnels configured on it that allowed the attackers direct access to the bank's local network. The group has used this approach at least three times before in attacks on banks with regional networks, Group-IB said.

Once the criminals had broken into the bank's main network, they gained access to the AWS CBR (the Automated Work Station Client of the Russian Central Bank), generated payment orders and sent the money in multiple instalments to mule accounts prepared in advance. PowerShell scripts were used to automate some steps of the intrusion.

"On the evening of July 4, when bank employees discovered unauthorized transactions with large sums of money, they asked the regulator to block the keys and stop financial transfers in time," Group-IB reported. "Most of the stolen money was transferred to the cards of the 17 largest banks the same day and immediately cashed out by money mules involved in the last stage of the withdrawal of money from ATMs."

Although the hackers tried to erase their tracks, enough digital evidence was left behind for Group-IB's experts to identify the likely suspects. Recommendations for preventing similar attacks have been distributed to Group-IB's customers and partners, including the Central Bank of Russia.


Cybercriminals are actively targeting Russian banks, and the PIR Bank case is far from isolated, Group-IB said.

"This is not the first successful attack on a Russian bank in early 2018," said Valeriy Baulin, head of Group-IB's Digital Forensic Laboratory. "We are experiencing at least three similar incidents, but we cannot disclose any details until our investigations are completed."

MoneyTaker's first attack was recorded in the spring of 2016, when the group stole money from a US bank card processing system (STAR from FirstData). The group then went quiet for several months before resurfacing in a series of attacks aimed primarily at Russian, American and (occasionally) British banking organizations.

According to Group-IB, by last December MoneyTaker had carried out 16 attacks in the United States, five attacks against Russian banks and one attack on a banking software company in the United Kingdom. The average damage from an attack in the United States amounted to $500,000; in Russia, the average amount withdrawn was $1.2 million per incident. In addition to money, the cybercriminals usually steal documentation on interbank payment systems to prepare for subsequent attacks. ®

Bootnote

MoneyTaker is not the only group of cybercriminals targeting banks in Russia. Two others (Cobalt and Silence) have also been active this year, according to Group-IB.
