During 2017 and 2018, Kaspersky Lab experts were involved in incident response following a number of cyber-robberies targeting financial organisations in Eastern Europe.
The researchers discovered that in each case the corporate network was breached through an unknown device, controlled by the attackers, which had been smuggled into a company building and connected to the network. To date, at least eight banks in the region have been attacked in this way, with estimated losses running into tens of millions of dollars.
The attackers used three types of devices: a laptop, a Raspberry Pi (a single-board computer size of a credit card) or a Bash Bunny (a specially designed tool for automating and conducting USB attacks), equipped with a GPRS, 3G- or LTE- modem that allowed the attackers to penetrate remotely the corporate network of the financial organisation.
Once the connection was established, the cybercriminals tried to gain access to the web servers to steal the data they needed to run RDP (remote desktop protocol) on a selected computer and then seize funds or data. This fileless method of attack included the use of Impacket, winexesvc.exe, or psexec.exe remote execution toolkits. In the final stage, the attackers used remote control software to maintain access to the infected computer.
“Over the past year and a half, we’ve been observing a completely new type of attacks on banks, quite sophisticated and complex in terms of detection. The entry point to the corporate network remained unknown for a long time, since it could be located in any office in any region. These unknown devices, smuggled in and hidden by intruders, could not be found remotely. Additionally, the threat actor used legitimate utilities, which complicated the incident response even more,” said Sergey Golovanov, security expert at Kaspersky Lab
To protect against this unusual approach to digital robbery, Kaspersky Lab advises financial institutions to:
- Pay particular attention to the monitoring of connected devices and accessing the corporate network, for example by using Kaspersky Endpoint Security for business.
- Eliminate security holes altogether, including those involving improper network configurations. For this, the Kaspersky Penetration Testing service is a convenient and highly effective solution, providing not only data on found vulnerabilities, but also advising organisations on how to fix it, further strengthening corporate security.
- Use a specialised solution against advanced threats that can detect all types of anomalies and scrutinise suspicious activities in a network at a deeper level to reveal, recognise and uncover complex attacks – like Kaspersky Anti Targeted Attack Platform.Kaspersky Endpoint Security for business