Eastern European Bank Hackers Wield Malicious Hardware'DarkVishnya' Heists Stole Tens of Millions of Dollars, Kaspersky Lab Says
Eastern European hackers have been plugging inexpensive hardware into banks' local area networks to help perpetrate heists that have stolen tens of millions of dollars.
The attack campaign, dubbed DarkVishnya - dark cherry - has targeted at least eight Eastern European banks, says Sergey Golovanov, a principal security researcher at Moscow-based endpoint security firm Kaspersky Lab, which was called in to investigate the thefts.
"Each attack had a common springboard: an unknown device directly connected to the company's local network," he says in a blog post. "In some cases, it was the central office, in others a regional office, sometimes located in another country."
Catch Me If You Can
Golovanov says that the attack campaign began in 2017 and has continued throughout this year. In all of the attacks, he says the attackers have made use of one of these types of computing devices:
- Inexpensive portables: Low-cost laptops and netbooks;
- Raspberry Pi: A credit-card-sized computer that costs $35 and up;
- Bash Bunny: A $100 USB stick designed for penetration testers and systems administrators that manufacturer Hak5 bills as being "a simple and powerful multifunction USB attack and automation platform"
Golovanov says the choice of device appeared to be tied to an attacker's ability and, no doubt, simply preferences. Once connected to a targeted LAN, attackers gained remote access by using a built-in or USB-connected LTE, GPRS or 3G modem.
Three Attack Stages
Successful attacks progressed through three stages, Kaspersky Lab reports:
- Physical access: Attackers, potentially posing as couriers or job seekers, entered a facility and looked for a place to connect their device, often in a meeting room. "Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion," Golovanov says.
- Remote reconnaissance: With the device in place, attackers would remotely connect to the hidden device and begin conducting reconnaissance, as well as brute-force sniffing for login data, to attempt to identify any workstations or servers involved in handling payments. To bypass internal firewall restrictions, "they planted shellcodes with local TCP servers," Golovanov says. "If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels."
- Remote login: Once attackers identified a system used to make payments, they worked to gain persistent remote access to the system and then remotely ran executable files.
Golovanov says the attackers' MO was to remotely install msfvenom, which is a stand-alone payload generator for Metasploit, an open source penetration testing toolkit.
"Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies," Golovanov says (see: Locking Down PowerShell to Foil Attackers: 3 Essentials).
"If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe, to run executable files remotely," he adds. All of those tools can provide administrators - or in this case, attackers - with the ability to remotely install and execute files.
Malicious Hardware Evolves
Plugging low-cost devices into target networks to steal cash isn't new, conceptually speaking.
One tried-and-true attack against retail establishments, restaurants and hotels that use point-of-sale devices to read customers' payment cards involves a two-man crew entering a building. One attacker distracts an employee while the other swaps a legitimate payment card reader with a look-alike version that has a skimmer installed. The skimmer then begins keeping a copy of all cards that get swiped, for later retrieval, potentially remotely, by attackers.
Security researchers have also been demonstrating how hobbyist hardware might be put to use by crime gangs. At the 2014 Black Hat Europe conference in Amsterdam, for example, two security researchers showed how they were able to program a Raspberry Pi and connect it to the port of an ATM to bypass the ATM's own systems and instruct the machine's cash dispenser to spit out all of its money (see: Hacking ATMs: No Malware Required).
The DarkVishnya campaign shows that as small, powerful and relatively inexpensive computing devices proliferate, and cost little enough that they can be treated as disposable, hackers will find innovate new ways to use them.