22
Dec 14

Gang Hacked ATMs from Inside Banks

An organized gang of hackers from Russia and Ukraine has broken into internal networks at dozens of financial institutions and installed malicious software that allowed the gang to drain bank ATMs of cash. While none of the victim institutions were in the United States or Western Europe, experts say the stealthy methods used by the attackers in these heists would likely work across a broad range of western banks.

robotrobkbMost cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards. But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.

A number of the gang’s members are believed to be tied to a group of Eastern European hackers accused of stealing more than USD $2 million from Russian banks using a powerful, custom-made banking trojan known as Carberp. Eight men in Moscow were arrested in 2012 and accused of building and using Carberp, but sources say the core members of the gang were out of jail within hours after their arrest and have been busy rebuilding their crime machine ever since.

According to report released today by Fox-IT and Group-IB, security firms based in The Netherlands and Russia, respectively, the Carberp guys have since changed their tactics: Instead of stealing from thousands of bank account holders, this gang has decided to focus on siphoning funds right out of banks’ coffers. So far, the security firms report, the gang has stolen more than $15 million from Eastern European banks.

To gain a foothold inside financial institutions, this crime group — dubbed the “Anunak group” — sent bank employees targeted, malware-laced emails made to look like the missives were sent by Russian banking regulators. The phishing emails contained malicious software designed to exploit recently-patched security holes in Microsoft Office products.

Incredibly, the group also reportedly bought access to Windows PCs at targeted banks that were already compromised by opportunistic malware spread by other cyber criminals. Indeed, Fox-IT and Group-IB report that the Anunak gang routinely purchased installations of their banking malware from other cybercriminals who operated massive botnets (collections of hacked PCs).

Once inside a financial institution, the criminals typically abused that access to launch even more convincing spear-phishing attacks against other banks. They also gained access to isolated bank network segments that handled ATM transactions, downloading malicious programs made to work specifically with Wincor ATMs. The hackers used that malware — along with a modified legitimate program for managing ATM cash trays — to change the denomination settings for bank notes in 52 different ATMs.

As a result, they were able to make it so that when co-conspirators went to affected ATMs to withdraw 10 bills totaling 100 Russian rubles, they were instead issued 10 bank notes with the denomination of 5,000 rubles, the report notes.

The Anunak gang reportedly modified this legitimate program for managing bill denominations in ATMs.

The Anunak gang reportedly modified this legitimate program for managing bill denominations in ATMs.

It was bad enough that this group is believed to have hacked into more than 50 Russian banks, but nasty messages encoded into the malware tools employed by the thieves suggest they hold utter contempt for their targets. One malware component the group used to infect targeted systems carried inside of itself the text string “LOL BANK FUCKIUNG”. Another strain of malware deployed by this group’s targeted email campaigns and used to build their own botnet of more than a quarter-million PCs was encrypted with a key that is the MD5 hash of the string “go fuck yourself.”

While they appear to have developed a penchant for stealing directly from banks, these crooks aren’t above going after easy money: Sources tell KrebsOnSecurity that this group of hackers is thought to be the same criminal gang responsible for several credit and debit card breaches at major retailers across the United States, including women’s clothier Bebe Stores Inc., western wear store Sheplers, and office supply store Staples Inc.

A separate source previously told this author that there was a connection between the point-of-sale malware used in the breach at Michaels and the Staples incident, which means this group may also have been involved in the Michaels breach. In any case, Group-IB and Fox-IT note that the Anunak gang has hit a total of 16 retailers so far.

The attacks from Anunak showcase once again how important it is for organizations to refocus more resources away from preventing intrusions toward detecting intrusions as quickly as possible and stopping the bleeding. According to the report, the average time from the moment this group breaks into bank internal networks and the successful theft of cash is a whopping 42 days.

The full report on the Anunak group is available here (PDF).

Tags: , , , , , , , ,

56 comments

  1. Maybe this will convince the local authorities in Russia that cyber crime is something they need to crack down on?

    • I don’t think the issue is simply convincing officials in Russia that this is a problem. Russia has real problems with corruption with many bad actors simply paying protection money to law enforcement and legislators. I can’t help but wonder if the stakes are even higher with the recent sanctions and the oil war OPEC has launched targeting outside nations such as Russia and Venezuela.

      • I’ve heard Secret Service agents brief Congress about arrests taking years because the perpetrators were located in countries where the local authorities would not arrest them for cyber fraud against US victims. The local authorities apparently view it as helping their balance of payments. Arrests were finally made when the perps traveled outside of their home countries and the local authorities in their destinations were more cooperative. Seemed it was systemic not isolated or local corruption. But hey what do I know? I’m only repeating what I heard from the folks who work with international law enforcement on these issues.

        • Read through this blog you will see numerous cases whee this has happened.

          If a country does not get on with the US politically it is hardly going to hand over its citizens regardless of the crime.

          • It’s not necessarily a US thing per-se. Russian authorities have a long history of not arresting criminals unless they perpetrate crimes against Russian citizens. They have attacked citizens in foreign countries that have maintained good ties with Russia and still failed to take action.

            Except now, as with this case, even when they target Russian citizens and organizations they simply bribe their way out of not only jail but also the charge itself. This is a sad and depressing development, but certainly not unexpected… Putin made a good show of rounding up corrupt politicians and officials when he rose to power, but he never actually stopped the corruption… he just got rid of everyone who didn’t have him and his associates at the top of the pyramid.

            I once heard a Russian analyst, living in London, give the most exasperated interview I’ve ever heard in the wake of the Crimea invasion. As he explained it, Putin is actually one of the weakest rulers in the civilized world. He can only maintain his position so long as he lets his associates do whatever they want. If he actually took a stand against them he would be removed from office at the earliest opportunity. I don’t particularly subscribe to his point of view, but he was pretty adamant…

            • I see nothing unusual in this, USA do the same: have you ever seen a USA citizen committing a crime outside USA being prosecuted or any extradiction request accepted?

    • That’ll only happen if they steal from Der Fuhrer Putin.

  2. This is all very interesting but ultimately only serves to prove just how pointless a “Microsoft update” actually is.

    They “bought” access!
    Don’t open email from unknown sources!
    Exploited already patched vulnerabilities!

    • Odd that the internal mailscanner software did not pick this up. I would assume that attachments sent to bank employees get a bit more thorough scan than of us regular users.

      However they were able to buy access to already infected computers, which means their problem is not limited to the missing money but also to their system administration.

      • Anti-malware is generally not going to detect stuff written by a gang like this, at least not in the first 24 hours or so. But these guys are pretty good at writing their own custom cryptors, and being careful to update existing malware installations to stay a step ahead of antivirus products.

        • I reckon they have a lot of expertise, however if they do send (working) programs to employees wouldn’t it make more sense to disable receiving them completely? I know if I sent executable programs to people on gMail or Hotmail the mail bounces since such attachments are not allowed…

          • It isn’t just executables however. Windows tries to be ever so helpful and figure out what to do with an attachment to run the thing.

            Does it look like a .reg file? Sure – load the gunk into the registry.

            Does it look like a vb script? Then it knows how to run it.

            There are a lot of different attachment types that would need to be blocked – not just executables.

            To counteract this, some people who send malware just a links to some compromised site, so from an email perspective there isn’t much that one can block.

            It is of course possible to configure windows from downloading executable content in a browser, but the people who serve up malware go to lengths to try and get past these things. Sometimes this leads to weird instructions about renaming the file after having downloaded – and users oftentimes are so caught up in the desire to see the content that they actually follow the instructions.

            • I agree it’s not simply in blocking executables, but I doubt any mailclient automaticly runs .reg/vb files. I do agree these should be blocked on server level. And if the mail is made to look like email they generally receive, do the Russian Bank Regulators send programs by e-mail? I hope not…

              And if the user does click a link, downloads an attachments that is not an .exe (since any browser warns about these kinds of files) and renames it, then runs it, the problem is between keyboard and chair and there aren’t many things a sysadmin can do (except denying almost every normal action in user privileges).

              • Internet Explorer will run VB script.

                So when an email comes in the gets rendered via IE, the script runs and there ya go….

                • Brian Fiori (AKA The Dean)

                  But wouldn’t a heuristic scan identify the attachment as not simply a PDF or a DOC file? Even a warning that there is more to this attachment than meets the eye, would help. Something to get the attention of the recipient and delay that click to open.

                  It seems to me using email attachments has become a terrible idea. Set up secure file sharing to distribute files, especially for banks. No?

                  • I see no reason why vb script should be an attachment but rather built into the html code itself. The best way to deal with things like this would be to have your settings adjusted to “view in plain text”. This is a big reason why the old “preview pane” thing got so many computers infected. Unfortunately, this also seems to be a thing for Ipads aswell.

              • Alex, you should go review how RSA got popped, a few years ago. Might remove some of your doubts. Seamless interoperability has a seamy side.

                While you are at it, study up on polymorphism and obfuscation techniques and reverse engineering and anti-reversing techniques.

                It seems simple, until you have to delve into the details.

                • I will! I had no intention to claim it’s an easy task however I do think that network admins have more resources (and funds) to tackle things like this compared to home users, and even on that level there are a few things you can do to prevent this.

            • A defense-in-depth approach is always desirable, but in this scenario I would look primarily to application whitelisting as the goalkeeper. If the exploit needs to write a file to disk using the user’s privilege level, and then execute it, and the filetype is among The Forbidden, then it’s arbitrarily blocked because the user’s Write permissions don’t allow adding new files to anywhere they can Execute. No signatures, heuristics or updates required. Myself, I use Software Restriction Policy for this.

              Quoting the Australian Signals Directorate:

              “At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions:”

              First on the list: application whitelisting.

              • What do you think of applocker for windows?

                • I’d be interested to try out AppLocker, but it’s a non-starter for us lowly peons who don’t have Windows 7/8 Enterprise Edition. Here’s the list of supported OSes:

                  technet.microsoft.com/en-us/library/ee424382.aspx

                  So I remain in the SRP camp, since SRP can be implemented on the Pro editions of Windows, putting it within reach of the home/SOHO folks. It’s not without its drawbacks (try making Steam and SRP coexist peacefully!), but for a locked-down environment like maybe a small bank or a public Internet computer at a hotel, it could be worth a try.

      • You have to think like this people. They read what you put here and think like you and then think of how to beat how you think!

        They can hook up executable and put it in a .pdf or .jpeg and spoof the boss’s email to you! Tell me you won’t open something from the boss just because it looks dangerous! Have fun explaining that to your boss

        • Um … all it takes is a confirmation that the reciever actually sent something. A phone call. This is not an unbeatable problem.

  3. This might seem to be a drastic solution, but I really question the value of having Microsoft Office on each and every PC.

    • Other websites mention that they used holes fixed in patches as old as 2012 and 2013. You would think that sysadmins of banks do run all the security updates, and even when they are not completely on schedule last years (well documented) holes should’ve been patched already imho.

    • Having stuff installed on each and every computer is actually part of the problem. There is a ton of things most computers don’t need to have on them. A good sysadmin will trump an automatic update any day of the week. So often, there is only one or two things a particular computer gets used for (all day long), and none of it requires certain other things (like Java). There is no justified reason for a cash register computer to even have an email client installed on it.

      You don’t have to think about updating software that isn’t even there.

      • Removing unneeded software is helpful, but these days there is so much that users expect that it’s difficult to do in practice.

        Besides, how do you remove Microsoft Office from users who need to write documents in Word and construct spreadsheets in Excel and view briefings in Powerpoint? Or remove Adobe from anyone who needs to view documents in PDF format?

        Brian reported that the malware was sent in attachments to emails purporting to be from bank regulators. It seems very likely that recipients of emails from bank regulators will have a business need for Microsoft Office and/or Adobe, so removing those is simply not feasible.

        Again, it seems so simple from the outside looking in…

        • If MS Office is needed, then it’s needed. There is no argument here. But Acrobat is NOT the only thing in the world that will render PDF files.

          All I’m saying here is that many people (employees) have no reason to view spreadsheets on certain devices. So why have a program installed that opens Excel files? If Java is required, then so be it….but it wont be used on all machines.

          This is not a catch-all sorta thing. But a good sysadmin will take what is considered “appropriate” steps.

          • Acrobat isn’t the only thing that will render PDF files, but Acrobat isn’t the only program with exploits. Often times the smaller pieces of software are actually the ones with more unpatched exploits available, simply because the smaller developers don’t have the resources to spend on security. That being said, they’d undoubtedly end up being better than Adobe’s usual screen door on a submarine approach, but better doesn’t mean perfect… so instead of targeting Acrobat they target whatever software they have installed instead and get in that way.

            The only way to really stop phishing attempts is to educate (and retain!) employees. Otherwise you’re just patching holes on that submarine’s screen door…

        • Point out the use of OpenOffice, Symphony, LibreOffice, and others that can read/write MS Office files – and in some cases do so better than MS Office can.

          For instance, any complicated Word document I first write in OpenOffice, then save to Word format, then go through and check to make sure everything is good; I typically only have to update cross-references. Why? B/c OpenOffice/LibreOffice is a lot more sane and functional wrt Outlining than MS Office is. The resultant file is also a lot smaller than what MS Office would produce.

          Of course, if you’re using MS Office you shouldn’t be suprised when you get hacked any way since the file formats – even their XML formats – often contain memory dumps with pointer references and more. Do you really want to trust MS Office when it’s doing that kind of thing?

  4. Robert Scroggins

    Once again, we have a low-tech email initiating the whole thing. Seems to me we need to educate employees about handling email.

    I suppose it is too much to ask/train employees to verify an outside sender who sends them an email attachment before they open it (just send a test reply to the email and see if it was sent from a valid address). And even if they do download the attachment, I suppose it is too much to ask/train employees to upload it to Virus Total or another online scanner to vet it before opening/viewing/executing it.

    The employees are in the front lines, and they should be taught to act accordingly!

    Regards,

    • I get various email all the time in my employee inbox that is completely legit but “looks” like spam to me. I can question it or even avoid it all together, but then the boss gets pressure from his boss when I never respond to these things. It’s a brave new world being brought to us via the cloud and all kinds of new 3rd party companies from some other country. An employee (even if given the best training) has no capability of properly dealing with it all. Things like “BYOD” that ends up where most employees access email via an Ipad where everyone trusts Apple to take care of everything means that an employee couldn’t filter out anything if they tried. Even if you where dealing with a knowledgeable “tech-savy” employee that understood the value of the Host file….no one can “legally” access it on I-devices.

    • Robert, at my job I have seen all of the following:
      – legitimate PDFs modified to insert malware
      – attachments containing malware sent from legitimate senders (forged)
      – malicious emails send from compromised senders
      – various combinations of the above.

      I have not seen a case in which malware was covertly attached to a legitimate email from a legitimate sender but I have a high degree of confidence that it is within the realm of possibility.

      So the kind of simple tests you propose just are not sufficient to be adequate protection.

      • How does one define “legitimate” though?

        It might be a legit email from your boss when his computer is infected and he doesn’t know it.

        If his boss links in something from the outside (with a naive level of trust due to his lack of understanding) and it get forwarded to me…..

        How does one define “legit” properly when it is so easy to take advantage of a system via a 1px by 1px background graphic inserted into the html of an email being housed on a CDN somewhere when all the focus on said email is in the textual body of the message itself?

        This isn’t conspiracy theory (or even theory at all). These things are actually being done.

        Let’s no forget how Target was dealt with.

    • Have you actually tried training employees? I had a Type A woman who clicked again (and again) if her print job took too long. No amount of training or threatening could change that.

  5. Dr. Zackary Smith

    Good article, Merry Christmas Krebs

  6. “Out of jail within hours” What’s that all about? Brings true meaning to the term “corruption.”

    • Or they could have simply paid bail…

      • If they had simply paid bail they should have been tried by now. They’d already had criminal charges brought against them, that’s why they got arrested in the first place. Does it take the better part of 3 years to go from arrest to trial?

  7. pointless,…dont steal were u eat !!!

  8. If these guys were so smart, why did they steal rubles?

  9. How long before either a faction of this group or someone inspired by the concept hits US banks, and how happy is BoCitiWells going to be about it when it happens.

    Also wondering, if the heisters were operating against banks in their country of residence, what their punishment will be consisting of.

  10. Hey how bright are they??? They got cash in rubles..

  11. If i was a crook (Im not) then i would find a disgruntled, impoverished, addicted, gambler with a grudge or a need and simply pay them to plug in a USB and the rest is history. Its way easier to open a door from the inside to get out! SONY sacked a couple of thousand & its a good bet someone decided to sell them out, banks are where the money is so they get the same treatment. networks are way to easy to circumvent, as a kid on C64’s TLOM (the lords of midnight) hacked half a dozen systems, just to route a message to the machine next to it. The easy part was getting in, human fraility. Nothing has changed, i keep abreast of security and am still amazed at how lax we are now were in the cyber, machine age.

    • thats usually how it happens.

    • It sounds like you’re thinking of a USB AutoRun attack. They are actually one of the easier attack vectors to defend against, especially since Microsoft released this update:

      support.microsoft.com/kb/971029

      As defense-in-depth, disabling AutoRun using Group Policy would be a good move with low user impact (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies, and set all the policies listed there). This provides defense against an Autorun attack from a CD or DVD.

      For those without a Group Policy (meaning the Home or Basic/Starter variants of Windows), you can use yonder Fix-It (scroll down to the Fix-It icons):

      support.microsoft.com/kb/967715

      And not to be the proverbial “broken record,” but application whitelisting would also arbitrarily block the execution of whatever payload they’re trying to launch.

      Tangentially, for the power-user readers looking to heavily lock down a computer in an exposed location, security pro Didier Stevens has his ARIAD utility. Use with care and if you’re on 64-bit, follow his instructions carefully about installing the 64-bit version of the driver.

      • There are a lot more exploits to USB than just AutoRun. Think of Stuxnet-like attacks that used a zero-day to spread via USB. I’m pretty sure an elite team of criminal hackers could either craft or purchase a zero-day for that purpose. And with BadUSB being a pretty much unbeatable attack vector at this time, you really can’t trust USB at all: https://srlabs.de/badusb/

        • I’m not one to underestimate the ingenuity of attackers, but from what I’ve read on BadUSB, it amounts to “this can take malicious actions in the context of the logged-on user,” and the examples they give are changing DNS entries, modifying system files, and downloading & executing malware using a command prompt. Well, a non-Admin cannot do the former two instances, and application whitelisting will block execution of the latter. What would concern me more would be, say, scarfing up all available files and sending copies to the attacker, encrypting them for ransom, etc.

          Stuxnet was a good example of the “never say never” rule, though.

  12. I’ve always asked myself why this doesn’t happen more. Why do they steal whole ATMs trying to open the safe with the money, when many ATMs actually only store the money in a safe with the computer outside the safe. Just send the command to dispense all the cash and done…

  13. Stop the bleeding – some of the best advice I’ve heard in a LONG while!

  14. The reality is the as Leonard Cohen said is his song, “the good guys lost.” Not forever I believe, but for now the battle has swing in favor of the Blackhats by a wide margin.

    There are many important security practices: DnD, patching, NSM, Vuln testing, etc which don’t really provide perfect protection as much as they serve as a “minimum” effort to not be completely overrun by attackers.

    The human factor is really the most critical one I believe.

    Also, new research and techniques and very needed.

    Probably one of our greatest assets is Mr. Krebs himself, who bravely does his amazing work day in and day out.

    Thanks Brian, I purchase your audio book in support of your efforts.

    Happy Holidays to all!

  15. But, who needs access to the bank, when the servicers of the ATM are the mob? Kc star, this past fall. Don’t remember the date. But search for Civella. Yeah, chi mob. Working for the ATM servicing company, had access to the money slot. Had access to the keys, and was caught siphoning off several bills. Why? Now he’s in the clear, what else was done after? There are only so many basic keys to a machine. But all ATM’s are connected to a basic circuit, how many would you need to blame someone else?
    The Russians have been here since the seventies, all main mobs work in territories, feifdoms.

  16. quote: There are many important security practices: DnD, patching, NSM

    What’s a DnD (in this context)? Do not duplicate?

    What’s an NSM (in this context)? Network security management?

  17. In Russia, policing in major cities is actually performed by territorial militia, who are primarily instruments of state security, not criminal justice. Catching crooks and mobsters is a secondary function, and has much less emphasis and resources. Criminal forensics are spectacularly inept and miscarriages of justice are common. Russian judges are informally instructed by the government as to what findings they will make and sentences they will impose. Literally thousands of Russians have been convicted of, and frequently executed for, capital crimes committed by others. Occasionally special task forces arrest a criminal kingpin, but he is usually part of the established order, with partners and allies in the Kremlin and Duma. After subtle negotiations within the power structure, he is released. What you must understand is that criminals are integrated into the State; corruption is universal. Militia patrolmen and detectives make (legitimately) about 25% of what their Western counterparts earn. Inflation depreciates this to great extent. They are expected to supplement this with bribes and extortion to approximate a living wage.
    This is simply how the police are funded.
    Regulatory and taxing authorities are the same way; just the numbers are bigger. Every enterprise and NGO in Russia with significant cash flow pays a huge “tax” of bribes to government functionaries and organized crime for the privilege of remaining in operation. Banks are especially burdened. As serial bank robber Willie Sutton said, “That’s where the money is..” Most financial institutions remain solvent by allying with and funding a major power bloc within the state, which protects them from the others. These moral circumstances predate the fall of the USSR; they even predate the 19th Century Czars. They are a reflection of pseudo-Oriental political absolutism and peculiarities of the Russian character and culture. The population at large is stoical and cynical. They have been told for centuries that Western societies are classist, plutocratic and condescending, if not outright hostile. Russians expect a domestic screwing and delight if homegrown talent can inflict discomfiture on foreigners as well. In this atmosphere neither a successful extradition for a cyber crime nor a domestic crackdown on hacker criminals is very likely.