February 10, 2025

Cyber threats: remote banking, brokerage accounts, cryptocurrencies

Yesterday I attended an interesting conference organized by VTB and the Association of Corporate Treasurers, “Optimization and ensuring the safety of cash flows.”
I liked one of the reports on the situation with cyber threats, the abstracts of which I would like to share.

Cyberthreats (Group-IB):
 
RBS (remote banking services) fraud statistics:
In general, there is a decrease in threats such as:

  • Theft in Internet banking from legal entities (-12%)
  • Theft in Internet banking from the FI (-100%)
  • PL theft with Android Trojans (-77%)
  • Targeted attacks on banks in the Russian Federation (-20%)
  • Cashing out of stolen funds (-26%)
  • The only growth is in phishing: +6%.

    The reduction in threats is caused by a decrease in the groups' interest in the Russian Federation and their move to less protected countries.

    One of the serious threats to legal entities is “BUHTRAP”.

    Kill chain:

  • Infection - mass mailing with a malicious attachment disguised as a message from a bank.
  • Bypass - UAC; mimimod for obtaining OS accounts; RDP / VNC / LiteManager.
  • Destruction - of the OS and of traces of activity.
  • Launch - auto-loading module for “1C: Enterprise in a browser”.
  • Bypass - the 1C: Enterprise “Security control of exchange with the bank” protection.
  • In the second half of 2018, more than 600 legal entities’ accounts were infected.

    Targeted attacks on banks (groups and the targets they hit):

  • ANUNAK (Internet banking, AWP KBR, SWIFT, ATMs, payment gateways, card processing)
  • CORKOW (trading terminals, card processing, ATMs)
  • BUHTRAP (stand-alone)
  • LURK (AWP KBR)
  • COBALT (ATMs, card processing, SWIFT, payment gateways)
  • MONEYTAKER (ATMs, card processing, AWP KBR)
  • SILENCE (ATMs, card processing, AWP KBR)
  • LAZARUS (SWIFT, card processing)
  • BLACKENERGY (sabotage)

    AWP KBR - an automated workplace of the Central Bank of the Russian Federation.

    At the moment, the last five on the list are active: COBALT, MONEYTAKER, SILENCE, LAZARUS (active for about 5 years), BLACKENERGY.

    Examples of attacks:

  • 01.2015 - Ecuador, Banco del Austro, $12 million stolen
  • 10.2015 - Vietnam, Tien Phong Bank, $1.36 million stolen
  • 02.2016 - Bangladesh, Central Bank, Lazarus, attempted theft of $951 million
  • 04.2016 - Ukraine, Credit Dnepr bank, Cobalt, $950,000 stolen out of an attempted $10 million
  • 12.2016 - Turkey, AkBank, Lazarus, $4 million stolen
  • 04.2017 - Middle East, Latin America: Shadow Brokers published information about the Equation Group (USA) attacks on SWIFT
  • 12.2017 - Russia, bank, Cobalt, $1 million stolen out of an attempted $5 million
  • 01.2018 - Mexico, Bancomext, presumably Lazarus, $110 million stolen
  • 02.2018 - India, 2 banks, $1.7 million and $1.87 million stolen
  • 05.2018 - Chile, Banco de Chile, presumably Lazarus, $10 million stolen

    Example of an attack on a brokerage system:

    18.09.2014 - Infection:
    13:21 - Vulnerability exploitation
    13:22 - Trojan installation
    13:24 - Data sent out

    System information collection:
    19.09 - start of collection
    September, October and November - analysis of actions
    10.12 - keylogger launched

    Incident:
    27.02.2015
    12:30 - Remote control of the system
    12:32 - Placing orders on the exchange
    12:44 - System destruction

    The attack itself lasted 14 minutes.

    Threats to the cryptocurrency market:

    Attack example:

  • Phishing site for the Chinese cryptocurrency exchange Binance
  • Collection of traders' logins and passwords
  • Generation of API keys for automated work with the exchange
  • Within 2 minutes - generation of orders on behalf of the traders for the Viacoin currency
  • Viacoin rate growth
  • Selling Viacoin for Bitcoin at the inflated rate

    The greatest danger to the system is considered to be double spending.

    “51% attack”

    Owning 51% of the computing power, an attacker can create a hidden alternative blockchain and use it to confirm their own transactions.

  • Verge - an attacker mined cryptocurrency worth more than $1 million.
  • Bitcoin Gold - an attacker mined cryptocurrency worth more than $18 million.
  • SuperNova reported a 51% attack on Verge.
  • ZenCash - an attacker mined over $550K in cryptocurrency.
  • Litecoin Cash - the LTC cryptocurrency fork faces a “51% attack”.
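The 51% threat above follows from the longest-chain rule. As an added example (not part of the conference notes), the code below applies the catch-up analysis from the Bitcoin whitepaper: the probability that a miner with hash-rate share q rewrites a payment after the recipient has waited z confirmations, and the smallest z an exchange should require for a chosen risk tolerance. At q >= 0.5 the probability is 1 whatever z is, which is exactly why a 51% attacker can confirm their own transactions and double spend.

```python
import math


def _poisson_pmf(k: int, lam: float) -> float:
    """Poisson probability of k events with mean lam, computed in log space
    so large z (hundreds of confirmations) does not overflow a float."""
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a miner controlling fraction q of the hash rate
    eventually builds a longer private chain than the honest one after the
    victim has waited z confirmations (Nakamoto whitepaper, section 11).
    With q >= 0.5 the attacker is expected to outpace the honest chain, so
    the probability is 1: no number of confirmations protects the recipient."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * q / p  # expected attacker blocks while honest miners find z
    total = 0.0
    for k in range(z + 1):
        # attacker is z - k blocks behind; chance to ever catch up is (q/p)^(z-k)
        total += _poisson_pmf(k, lam) * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_required(q: float, max_risk: float, max_z: int = 10000):
    """Smallest number of confirmations z such that the attacker's success
    probability is at most max_risk. Returns None when q >= 0.5 (no finite z
    is enough) or when max_z is exceeded."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return None


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.51):
        z = confirmations_required(q, 0.001)
        print(f"q={q:.2f}: confirmations for <0.1% risk = {z}")
```

Exchanges and payment processors can use this to set deposit confirmation depth per coin: a small-hash-rate coin that a single rented miner can dominate needs far more confirmations than its block time alone suggests, and none suffices once an attacker holds a majority.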