Yesterday I attended an interesting conference organized by VTB and the Association of Corporate Treasurers, "Optimization and security of cash flows."
I liked one of the talks, on the current cyber-threat situation, and would like to share its main points.
Cyber threats (Group-IB):
RBS (remote banking services) fraud statistics:
Overall, the following threats are declining:
Theft via Internet banking from legal entities (-12%)
Theft via Internet banking from individuals (-100%)
Theft from individuals via Android Trojans (-77%)
Targeted attacks on banks in the Russian Federation (-20%)
Cashing out of stolen funds (-26%)
Growth only in phishing: 6%.
The decline is attributed to criminal groups losing interest in the Russian Federation and moving on to less protected countries.
One of the serious threats to legal entities is BUHTRAP.
Kill chain:
Infection - mass mailings with a malicious attachment disguised as a message from a bank.
Bypass - UAC; mimimod for harvesting OS accounts; RDP / VNC / LiteManager.
Destruction - of the OS and of the traces of activity.
Launch - an auto-loading module for "1C: Enterprise in a browser".
Bypass - the "1C: Enterprise" protection "Security control of exchange with the bank".
In the second half of 2018, more than 600 legal-entity accounts were infected.
Targeted attacks on banks (groups and their targets):
ANUNAK (Internet banking, AWP KBR, SWIFT, ATMs, payment gateways, card processing)
CORKOW (trading terminals, card processing, ATMs)
BUHTRAP (standalone)
LURK (AWP KBR)
COBALT (ATMs, card processing, SWIFT, payment gateways)
MONEYTAKER (ATMs, card processing, AWP KBR)
SILENCE (ATMs, card processing, AWP KBR)
LAZARUS (SWIFT, card processing)
BLACKENERGY (sabotage)
AWP KBR - the automated workplace of a Bank of Russia client, i.e. the bank's terminal for the Central Bank of the Russian Federation's payment system.
Currently the last 5 on the list are active: COBALT, MONEYTAKER, SILENCE, LAZARUS (active for about 5 years), BLACKENERGY.
Examples of attacks:
01.2015 - Ecuador, Banco del Austro, $12 million stolen
10.2015 - Vietnam, Tien Phong Bank, $1.36 million stolen
02.2016 - Bangladesh, Central Bank, Lazarus, attempted theft of $951 million
04.2016 - Ukraine, Credit Dnepr Bank, Cobalt, $950k stolen out of an attempted $10 million
12.2016 - Turkey, AkBank, Lazarus, $4 million stolen
04.2017 - Middle East, Latin America: Shadow Brokers published information about Equation Group (USA) attacks on SWIFT
12.2017 - Russia, a bank, Cobalt, $1 million stolen out of an attempted $5 million
01.2018 - Mexico, Bancomext, presumably Lazarus, $110 million stolen
02.2018 - India, 2 banks, $1.7 million and $1.87 million stolen
05.2018 - Chile, Banco de Chile, presumably Lazarus, $10 million stolen
Example of an attack on a brokerage system:
18.09.2014, infection:
13:21 - exploitation of the vulnerability
13:22 - installation of a Trojan
13:24 - data sent out
System information collection:
19 September - collection begins.
September, October and November - analysis of the operators' actions.
10.12 - keylogger launched
Incident:
27.02.2015
12:30 - remote control of the system
12:32 - creation of exchange orders
12:44 - destruction of the system
Attack duration: 14 minutes.
Threats to the cryptocurrency market:
Attack example:
Phishing site imitating the Chinese cryptocurrency exchange Binance
Collection of traders' logins and passwords
Generation of API keys for automated work with the exchange
Within 2 minutes - generation of orders on behalf of the traders for the Viacoin currency
Viacoin price rises
Viacoin sold for Bitcoin at the inflated rate
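The sequence above has two signals an exchange can monitor for on its own audit logs: a freshly created API key that starts trading within seconds, and many distinct accounts buying the same thin-market asset inside one short window. The following is an added example, not code from the talk or the post; the "timestamp event key=value" log format, the account names and the VIABTC ticker label are constructed for the example, and the two-minute window and thresholds are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit-log sample in a hypothetical "timestamp event key=value ..." format
# (not Binance's real log format). Three phished accounts each get a fresh API key and
# immediately fire a burst of buys in one thin market; dave and erin are ordinary activity.
SAMPLE_LOG = """\
2018-03-07T09:15:00Z api_key_create user=dave key=k9
2018-03-07T11:30:00Z order user=dave key=k9 side=SELL symbol=BTCUSDT qty=0.1
2018-03-07T14:00:01Z login user=alice ip=203.0.113.5
2018-03-07T14:00:10Z api_key_create user=alice key=k1
2018-03-07T14:00:15Z api_key_create user=bob key=k2
2018-03-07T14:00:20Z api_key_create user=carol key=k3
2018-03-07T14:00:40Z order user=alice key=k1 side=BUY symbol=VIABTC qty=500
2018-03-07T14:00:50Z order user=bob key=k2 side=BUY symbol=VIABTC qty=700
2018-03-07T14:00:55Z order user=alice key=k1 side=BUY symbol=VIABTC qty=800
2018-03-07T14:01:00Z order user=carol key=k3 side=BUY symbol=VIABTC qty=600
2018-03-07T14:01:05Z order user=bob key=k2 side=BUY symbol=VIABTC qty=900
2018-03-07T14:01:10Z order user=carol key=k3 side=BUY symbol=VIABTC qty=650
2018-03-07T14:01:20Z order user=alice key=k1 side=BUY symbol=VIABTC qty=1200
2018-03-07T14:01:30Z order user=bob key=k2 side=BUY symbol=VIABTC qty=1100
2018-03-07T14:01:45Z order user=carol key=k3 side=BUY symbol=VIABTC qty=900
2018-03-07T14:05:00Z order user=erin side=BUY symbol=BTCUSDT qty=0.2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$")


def parse_log(text):
    """Parse the constructed log lines into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole batch
        fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "event": m.group("event"), **fields})
    return events


def find_fresh_key_bursts(events, window=timedelta(minutes=2), min_orders=3):
    """Signal 1: a newly created API key placing at least min_orders orders within `window`
    of its creation. A phished account scripted end to end trades seconds after the key exists."""
    created = {}
    orders = defaultdict(list)
    for e in events:
        if e["event"] == "api_key_create":
            created[e["key"]] = (e["user"], e["ts"])
        elif e["event"] == "order" and "key" in e:
            orders[e["key"]].append(e)
    alerts = []
    for key, (user, t0) in created.items():
        burst = [o for o in orders[key] if t0 <= o["ts"] <= t0 + window]
        if len(burst) >= min_orders:
            alerts.append({"user": user, "key": key, "orders": len(burst),
                           "symbols": sorted({o["symbol"] for o in burst})})
    return alerts


def find_symbol_concentration(events, window=timedelta(minutes=2), min_accounts=3):
    """Signal 2: at least min_accounts distinct accounts buying the same symbol inside one
    `window`, the footprint of a coordinated pump run from hijacked accounts."""
    buys = defaultdict(list)
    for e in events:
        if e["event"] == "order" and e.get("side") == "BUY":
            buys[e["symbol"]].append((e["ts"], e["user"]))
    alerts = []
    for symbol, rows in buys.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):  # sliding window anchored at each buy
            users = {u for t, u in rows[i:] if t <= start + window}
            if len(users) >= min_accounts:
                alerts.append({"symbol": symbol, "accounts": len(users), "start": start})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_fresh_key_bursts(evs) + find_symbol_concentration(evs):
        print(alert)
```

Run stand-alone it prints three fresh-key alerts (alice, bob, carol) and one concentration alert for VIABTC; dave's key, used hours after creation, and erin's single web-UI order produce nothing. The second signal is the more robust of the two, since it fires even when the attacker waits before trading, so a real deployment would feed both into the same case rather than alerting on either alone.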
Double spending is considered the greatest danger to the system.
"51% attack"
Owning 51% of the hashing power, an attacker can build a hidden alternative blockchain and use it to confirm their own transactions.
Verge - an attacker extracted cryptocurrency worth more than $1 million.
Bitcoin Gold - an attacker extracted cryptocurrency worth more than $18 million.
SuperNova reported a 51% attack on Verge.
ZenCash - an attacker extracted cryptocurrency worth more than $550k.
Litecoin Cash - an LTC fork, faced a 51% attack.
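Two things make the 51% attack described above work: nodes automatically switch to whichever valid chain carries the most work, and a majority miner is certain to eventually produce that chain no matter how many confirmations a merchant waited for. The following is an added example, not from the talk or the post. It simulates the fork-choice rule on a toy chain with constructed transaction labels, and carries through Nakamoto's catch-up probability from the Bitcoin paper (section 11), which is what an exchange uses to set a confirmation count for a given assumed attacker hashrate share q; the chain structure and block labels are assumptions for the example.

```python
import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    parent: str      # hash of the previous block
    txs: tuple       # constructed transaction labels, e.g. "alice->merchant:10"
    work: int = 1    # proof-of-work credited to this block (1 = one block at equal difficulty)

    def block_hash(self) -> str:
        payload = f"{self.parent}|{','.join(self.txs)}|{self.work}".encode()
        return hashlib.sha256(payload).hexdigest()


def valid_chain(chain) -> bool:
    """Each block must reference the hash of the block before it."""
    return all(chain[i].parent == chain[i - 1].block_hash() for i in range(1, len(chain)))


def total_work(chain) -> int:
    return sum(b.work for b in chain)


def select_chain(candidates):
    """Nakamoto fork choice: among valid chains, follow the one with the most accumulated work.
    Nodes apply this automatically, so a heavier chain revealed later silently replaces the old one."""
    valid = [c for c in candidates if valid_chain(c)]
    return max(valid, key=total_work)


def contains_tx(chain, tx) -> bool:
    return any(tx in b.txs for b in chain)


def double_spend_demo(confirmations=2):
    """Merchant ships after `confirmations` blocks; the attacker then reveals a heavier private
    fork that spends the same coins back to itself. Returns
    (merchant paid before reveal, merchant paid after reveal, blocks the attacker mined)."""
    genesis = Block("0" * 64, ("coinbase:0",))
    payment = "alice->merchant:10"
    honest = [genesis, Block(genesis.block_hash(), ("coinbase:1", payment))]
    for i in range(confirmations - 1):
        honest.append(Block(honest[-1].block_hash(), (f"coinbase:{i + 2}",)))
    paid_before = contains_tx(select_chain([honest]), payment)

    # Private fork from genesis carrying the conflicting spend; the attacker (assumed to hold a
    # hashrate majority) keeps mining in secret until its chain has more work than the public one.
    attack = [genesis, Block(genesis.block_hash(), ("coinbase:1'", "alice->alice:10"))]
    while total_work(attack) <= total_work(honest):
        attack.append(Block(attack[-1].block_hash(), (f"coinbase:{len(attack)}'",)))
    paid_after = contains_tx(select_chain([honest, attack]), payment)
    return paid_before, paid_after, len(attack) - 1


def catch_up_probability(q: float, z: int) -> float:
    """Nakamoto (2008), section 11: probability that an attacker controlling share q of the
    hashrate ever overtakes the honest chain once the victim has seen z confirmations.
    With q >= 0.5 the attacker is expected to win eventually, whatever z is."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p                     # expected attacker blocks while honest miners find z
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total -= poisson * (1 - (q / p) ** (z - k))
    return total


def confirmations_for_risk(q: float, max_risk: float, limit: int = 500):
    """Smallest confirmation count that keeps the double-spend risk below max_risk,
    or None when no count suffices (q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    print(double_spend_demo(confirmations=2))   # (True, False, 3)
    for q in (0.1, 0.3, 0.51):
        print(q, [round(catch_up_probability(q, z), 6) for z in (0, 2, 6)])
    print(confirmations_for_risk(0.1, 0.001))   # 5
```

The simulation shows the merchant's payment present in the canonical chain before the reveal and gone after it, with the attacker having mined one block more than the honest chain contained. The probability function shows why exchanges size confirmation counts to the assumed attacker share: at q = 0.1 five confirmations bring the risk below 0.1%, at q = 0.3 it takes far more, and at q = 0.51 no count helps, which is exactly the situation the Verge, Bitcoin Gold and ZenCash incidents above describe.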