Illusive Blog December 13, 2017

Prevent Cybercrime from The MoneyTaker Hacking Group

By Matan Kubovsky

The threat news of the week is about MoneyTaker – a cybercrime group apparently responsible for theft of over $10M from 18 banks in the US and Russia. If you’ve read any of the online accounts, it’s easy to be overwhelmed by the details and the growing sophistication of cybercrime groups. While it’s important not to downplay their fierceness and the growing risks associated with advanced persistent threats, it’s also important to focus on the relatively simple capability organizations can embrace to combat them.

In a Nutshell

MoneyTaker developed two means of manipulating transactions. In one set of attacks, they manipulated payment order messages; on the backend of the transactions, they would restore payment requests to their original amounts to avoid detection. In other cases, MoneyTaker would eliminate or modify withdrawal limits so money mules could extract unauthorized funds from ATM machines.

There are several over-arching points to note:

  • Financial messaging systems are again the vehicle – a lucrative means to redirect large sums of money. In 2016, SWIFT systems were targeted to conduct the infamous theft of $81M from Bangladesh Bank. It was a wake-up call — both for SWIFT, which took new security measures, and for the organizations using SWIFT, some of which have implemented purpose-built solutions to secure SWIFT operations. MoneyTaker follows in this vein, targeting First Data’s STAR ATM messaging network and AWS CBR, a financial messaging system used in Russia. There are indications that the group may also be targeting SWIFT systems and OceanSystem’s FedLink, a card processing system widely used in Latin America.

  • Smaller, less cyber-fortified organizations are the target. As is often the case, MoneyTaker seems to take advantage of organizations with less robust cybersecurity measures in place.

  • MoneyTaker reflects the growing sophistication of cybercrime networks. MoneyTaker uses a combination of common IT tools, MOTS (malicious off-the-shelf) products, and its own specialized malware to execute processes on proprietary systems and software, in order to, for example, substitute payment transfer information. It relies heavily on newer “fileless” malware that operates in system memory and leaves almost no trace on the computers it touches.

  • The attacks required a reconnaissance and lateral movement process once within the victims’ networks. To manipulate transactions and accounts, the attackers had to gain control over workstations used to connect to the financial messaging services. Finding and getting to these systems typically requires a fairly lengthy discovery process. In this case, attackers would likely have used tools to harvest Domain Admin credentials that could accelerate the process of moving from system to system.

Here’s the one most important thing to do

So what do we draw from this? Threat analysts will research the details of the attack and determine how security controls can be improved. New approaches will evolve to detect fileless malware. But most immediately, one simple capability can help prevent a successful MoneyTaker-style attack: the ability to detect malicious lateral movement in your network.

Advanced attacks vary widely in their methods—some well-known, and some newly introduced—but they have one key thing in common: Once the attacker gets past your security controls and lands somewhere in your network, he must traverse the environment to get to your “Crown Jewels.” With the ability to detect the movements of the attacker, you can catch him early in the process – before he reaches his destination.

Endpoint-based deception technology provides a ready-made capability to detect lateral movements—a fundamental and universal component of APT-style attacks—helping you be ready for the attackers who are revealed today, and the ones we haven’t yet seen.