Yesterday I attended an interesting conference organized byVTBandAssociation of Corporate Treasurers“Optimization and ensuring the safety of cash flows.”
I liked one of the reports on the situation with cyber threats, the abstracts of which I would like to share.
Cyberthreats (Group-IB):
RBS Fraud Statistics:
In general, there is a decrease in threats such as:
Theft in Internet banking from legal entities (-12%)
Theft in Internet banking from the FI (-100%)
PL theft with Android Trojans (-77%)
Targeted attacks on banks in the Russian Federation (-20%)
Cashing of stolen funds (-26%)
Growth only in Phishing: 6%.
The reduction in threats is caused by a decrease in the interest of groups in the Russian Federation and the transition to less protected countries.
One of the serious threats to legal entities is"BUHTRAP".
Kill chain:
Infection - through mailing lists with a malicious attachment disguised as a message from a bank.
Workaround - UAC, mimimod for getting OS records, RPD / VNC / LiteManager
Destruction - OS and traces of work
Launch - auto-loading module for “1C: Enterprise in a browser”
Bypass - protection “1C: Enterprise“ Security control exchange with the bank ”.
In the second half of 2018, more than 600 legal entities’ accounts were infected.
Targeted attacks on banks (groupings, direction blows):
ANUNAK (Internet banking, AWS CBD, SWIFT, ATMs, payment gateways, card processing)
CORKOW (trading terminals, card processing, ATMs)
stand alone BUHTRAP
LURK (AWB CBD)
COBALT (ATMs, card processing, SWIFT, payment gateways)
MONEYTAKER (ATMs, card processing, ARB CBD)
SILENCE (ATMs, card processing, ARB KBR)
LAZARUS (SWIFT, card processing)
BLACKENERGY (sabotage)
AWP KBR - an automated workplace of the Central Bank of the Russian Federation.
At the moment, the last 5 from the list are active: COBALT, MONEYTAKER, SILENCE, LAZARUS (has been active for about 5 years), BLACKENERGY.
Examples of attacks:
2015/01 - Ecuador, Banco del Austro, stole $ 12 million
10.2015 - Vietnam, Tien Phong Bank, $ 1.36 million stolen
02.2016 - Bangladesh, Central Bank, Lazarus, attempted theft of $ 951 million
04.2016 — Ukraine, Credit Dnepr bank, Cobalt, $950,000 stolen from an attempt to steal $10 million.
12.2016 - Turkey, AkBank, Lazarus, $ 4 million stolen
2017-04 - B.Vostok, LatAmerica, Shadow Brokers published information about the Equation Group (USA) attacks on SWIFT
12.2017 - Russia, bank, Cobalt, $ 1 million stolen from an attempt of $ 5 million
01.2018 - Mexico, Bancomext, Presumably Lazarus, $ 110 million stolen
02.2018 - India, 2 banks, $1.7 million and $1.87 million stolen.
05.2018 — Chile, Banco de Chile, Presumably Lazarus, $10 million stolen
Example of an attack on a brokerage system:
09/18/2014 Infection:
13:21 — Vulnerability exploitation
13:22 — Installing the Trojan
13:24 — Sending data
System Information Collection:
19.09 — start of the collection.
September, October and November - Analysis of Actions.
10.12 - Launching the keyboard spy
Incident:
27.02.2015
12:30 — Remote system management
12:32 — Formation of applications on the exchange
12:44 — System destruction
14 minutes duration of the attack.
Threats for the cryptocurrency market:
</strong>Attack Example:
Phishing site for the Chinese cryptocurrency exchange Binance
Collection of logins and passwords of traders
Generate API keys for automated work with the exchange
within 2 minutes - generation of orders on behalf of traders for Viacoin currency
Viacoin rate growth
Selling Viacoin for Bitcoin at an inflated rate
The greatest danger to the system is considered to be double spending.
"51% Attack"
Owning 51% of the power, an attacker can create a hidden alternative blockchain and use it to confirm their own transactions.
Verge - an attacker has extracted cryptocurrency worth more than $ 1 million.
Bitcoin Gold - the attacker has extracted cryptocurrency worth more than $ 18 million.
SuperNova reported a 51% attack on Verge.
ZenCash - Attacker Mined Over $550K in Cryptocurrency
Litecoin Cash — LTC Cryptocurrency Fork Faces '51% Attack'