September 19, 2020

Cyber threats: remote banking, brokerage accounts, cryptocurrencies

Yesterday I attended an interesting conference organized by VTB and the Association of Corporate Treasurers, "Optimization and security of cash flows."
I liked one of the reports, on the current cyber threat situation, and would like to share its main points.

Cyber threats (Group-IB report):

RBS (remote banking services) fraud statistics:
Overall, the following threats decreased:

  • Theft via Internet banking from legal entities (-12%)
  • Theft via Internet banking from individuals (-100%)
  • Theft from individuals with Android Trojans (-77%)
  • Targeted attacks on banks in the Russian Federation (-20%)
  • Cashing out of stolen funds (-26%)

    The only growth is in phishing: +6%.

    The reduction in threats is caused by criminal groups losing interest in the Russian Federation and moving to less protected countries.

    One of the serious threats to legal entities is BUHTRAP.

    Kill chain:

  • Infection - mass mailings with a malicious attachment disguised as a message from a bank.
  • Bypass - UAC bypass, mimimod for harvesting OS accounts, RDP / VNC / LiteManager for remote access.
  • Destruction - of the OS and of the traces of the operation.
  • Launch - an auto-loading module for "1C: Enterprise in a browser".
  • Bypass - of the "1C: Enterprise" protection "Security control of exchange with the bank".
  • In the second half of 2018, more than 600 legal-entity accounts were infected.

    Targeted attacks on banks (groups and their targets):

  • ANUNAK (Internet banking, AWP KBR, SWIFT, ATMs, payment gateways, card processing)
  • CORKOW (trading terminals, card processing, ATMs)
  • stand-alone BUHTRAP
  • LURK (AWP KBR)
  • COBALT (ATMs, card processing, SWIFT, payment gateways)
  • MONEYTAKER (ATMs, card processing, AWP KBR)
  • SILENCE (ATMs, card processing, AWP KBR)
  • LAZARUS (SWIFT, card processing)
  • BLACKENERGY (sabotage)

    AWP KBR - the automated workplace of a client of the Bank of Russia (the Central Bank of the Russian Federation).

    Currently the last 5 from the list are active: COBALT, MONEYTAKER, SILENCE, LAZARUS (has been operating for about 5 years), BLACKENERGY.

    Examples of attacks:

  • 01.2015 - Ecuador, Banco del Austro, $12 million stolen
  • 10.2015 - Vietnam, Tien Phong Bank, $1.36 million stolen
  • 02.2016 - Bangladesh, Central Bank, Lazarus, attempted theft of $951 million
  • 04.2016 - Ukraine, Credit Dnepr Bank, Cobalt, $950k stolen out of an attempted $10 million
  • 12.2016 - Turkey, AkBank, Lazarus, $4 million stolen
  • 04.2017 - Middle East, Latin America, Shadow Brokers published information about the Equation Group (USA) attacks on SWIFT
  • 12.2017 - Russia, a bank, Cobalt, $1 million stolen out of an attempted $5 million
  • 01.2018 - Mexico, Bancomext, presumably Lazarus, $110 million stolen
  • 02.2018 - India, 2 banks, $1.7 million and $1.87 million stolen
  • 05.2018 - Chile, Banco de Chile, presumably Lazarus, $10 million stolen

    Example of an attack on a brokerage system:

    18.09.2014 Infection:
    13:21 - Exploitation of the vulnerability
    13:22 - Installation of a Trojan
    13:24 - Sending of data

    System information collection:
    19.09 - start of the collection.
    September, October and November - analysis of actions.
    10.12.2014 - launch of the keylogger

    Incident:
    27.02.2015
    12:30 - Remote control of the system
    12:32 - Creation of orders for the exchange
    12:44 - Destruction of the system

    Attack duration: 14 minutes.

    Threats to the cryptocurrency market:

    Attack example:

  • Phishing site for the Chinese cryptocurrency exchange Binance
  • Collection of traders' logins and passwords
  • Generation of API keys for automated work with the exchange
  • Within 2 minutes - generation of orders on behalf of the traders for the Viacoin currency
  • Viacoin price rises
  • Viacoin is sold for Bitcoin at the inflated rate

    The greatest danger to the system is considered to be double spending.

    "51% attack"

    Owning 51% of the hashing power, an attacker can create a hidden alternative blockchain and use it to confirm their own transactions.

  • Verge - an attacker extracted cryptocurrency worth more than $1 million.
  • Bitcoin Gold - an attacker extracted cryptocurrency worth more than $18 million.
  • SuperNova reported a 51% attack on Verge.
  • ZenCash - an attacker extracted cryptocurrency worth more than $550k.
  • Litecoin Cash - the LTC cryptocurrency fork faced a 51% attack.
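To show why a hashing-power majority makes the hidden alternative chain unstoppable, here is an added example (not from the report or the post) that computes the attacker's probability of overtaking the honest chain after z confirmations, using the catch-up model from the Bitcoin whitepaper; the function names and the 0.1% risk threshold are this example's own assumptions.

```python
"""Double-spend success probability versus attacker hash share (added example).

Model (Bitcoin whitepaper, section 11): the honest network has share p = 1 - q,
the attacker has share q. While the merchant waits for z confirmations the
attacker mines a private chain in parallel; the attacker's lead is Poisson with
mean z*q/p, and from k blocks behind the chance of ever catching up is (q/p)**k.
"""
from math import exp, factorial
from typing import Optional


def double_spend_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash share q eventually overtakes
    the public chain after the victim has seen z confirmations."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a hash-power fraction in [0, 1]")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    p = 1.0 - q
    if q >= p:
        # Majority (the "51%" case): the private chain grows faster on
        # average, so it overtakes with certainty no matter how long you wait.
        return 1.0
    lam = z * q / p  # expected attacker progress while z honest blocks appear
    settled = 0.0
    for k in range(z + 1):
        poisson = exp(-lam) * lam ** k / factorial(k)
        # attacker already k blocks along, still z-k behind: catch-up (q/p)**(z-k)
        settled += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - settled


def confirmations_needed(q: float, target: float = 0.001,
                         max_z: int = 1000) -> Optional[int]:
    """Smallest z at which the attacker's success probability drops below
    target (assumed 0.1%). Returns None if no z up to max_z achieves it,
    which is always the case at q >= 0.5: extra confirmations do not help
    a merchant or exchange against a hash-power majority."""
    for z in range(max_z + 1):
        if double_spend_probability(q, z) < target:
            return z
    return None


if __name__ == "__main__":
    for share in (0.10, 0.30, 0.45, 0.51):
        print(f"q={share:.2f}: P(z=6)={double_spend_probability(share, 6):.6f}, "
              f"confirmations for <0.1% risk: {confirmations_needed(share)}")
```

The whitepaper's own table is reproduced exactly (q=0.1 needs 5 confirmations, q=0.3 needs 24), which is the check an exchange would use when deciding how many confirmations to require on a coin where a single miner can reach a majority.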