George Clooney…Brad Pitt…Matt Damon……what am I referring to? You got it right. I am talking about the great comedy heist movie Ocean’s 11. I am sure most of you have seen that movie, in which Danny Ocean wants to score the biggest heist in history by robbing three big casinos at the same time. It sounds unreal, and most of us think that this can only happen in movies and not in real life. But something similar happened in the past few days, when a hacking ring stole $1 Billion!! Yes, hundreds of millions of dollars were stolen from 100 banks in 30 countries. Would you believe it? There have been a lot of hacks over the years, but this one is really unprecedented.
Who were they?
If we look back at the history of hacks, we see a single hacker, or at times a group of hackers, getting together to pull off a particular attack. But this time it just got bigger. Hackers from various countries, mainly Russia, China and European countries, got together to execute this heist.
Their Target
Russian banks were among the most heavily attacked, but according to media reports the hackers also went after financial institutions in the United States, Germany, China and Ukraine.
How did they do it?
Unlike real-life thefts…no guns…no bloodshed…the weapons used were phishing and botnets.
They sent malware-laced emails to bank employees. When an employee opened the attachment, malware was installed on the machine, which gave the hackers a foothold inside the bank's computer systems. They then took their time spreading through the network, identifying worthwhile victims and critical servers before executing the cash-outs.
According to the Kaspersky report, the spear phishing emails contained attachments with weaponized Microsoft Word 97 – 2003 (.doc) and Control Panel Applet (.CPL) files. The malicious files exploit Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761) vulnerabilities to execute shellcode, which decrypts and executes the Carbanak backdoor. One of the best methods for detecting Carbanak is to look for “.bin” files in the folder: ..\All users\%AppData%\Mozilla\
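As an added illustration of the host check quoted above (this is not code from the Kaspersky report or from Cyberoam), the following walker flags any “.bin” file that sits under a directory named “Mozilla”, which is how we read the ..\All users\%AppData%\Mozilla\ indicator; the sample directory tree is constructed in a temp folder so the check can be exercised offline.

```python
import os
import tempfile
from pathlib import Path


def find_carbanak_bin_artifacts(root):
    """Walk `root` and return every *.bin file located inside a 'Mozilla'
    directory (case-insensitive match on the path components).

    A .bin file in a Mozilla profile folder is unusual for Firefox itself,
    which is why the indicator is useful; hits still need manual triage."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parts = [p.lower() for p in Path(dirpath).parts]
        if "mozilla" not in parts:
            continue
        for name in filenames:
            if name.lower().endswith(".bin"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample layout (not taken from a real host) for testing.

    Mimics a Windows profile structure under a temp root: one ordinary
    Firefox profile, one suspicious .bin under All Users\\...\\Mozilla, and
    one .bin elsewhere that must NOT be flagged."""
    root = tempfile.mkdtemp()
    firefox = Path(root, "Users", "alice", "AppData", "Roaming",
                   "Mozilla", "Firefox")
    firefox.mkdir(parents=True)
    (firefox / "profiles.ini").write_text("[General]\n")

    suspicious = Path(root, "Users", "All Users", "AppData", "Mozilla")
    suspicious.mkdir(parents=True)
    (suspicious / "update.bin").write_bytes(b"\x00" * 16)  # constructed

    unrelated = Path(root, "Users", "bob", "Documents")
    unrelated.mkdir(parents=True)
    (unrelated / "notes.bin").write_bytes(b"\x00")  # outside Mozilla: ignored
    return root


if __name__ == "__main__":
    for hit in find_carbanak_bin_artifacts(build_demo_tree()):
        print("suspicious:", hit)
```

On a real host you would point `find_carbanak_bin_artifacts` at the Users directory and review each hit rather than treating every match as confirmed.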
After compromising a system, the attackers installed additional software such as the Ammyy Remote Administration Tool, or breached SSH servers. Ammyy was a preferred tool because it is whitelisted by many organizations for use by systems administrators. They also took control of video surveillance systems to monitor the activities of administrators and employees. After studying everything, they infiltrated the banks' systems and turned ATMs into cash-spewing zombies.
Possible reasons why such heists become successful
- Backend servers that process ATM transactions are not isolated from the LAN segment
- ATM terminals (Windows) are not updated or patched
- Allowing unnecessary services such as FTP and file sharing gives malicious intruders more potential attack surface
- Linking ATMs to IP-based networks gives hackers more opportunities to sniff information
- Bank servers and networks are not protected against web-based attacks
- No protection against phishing attacks
- No protection against botnets
- Endpoints are not secured, which lets attackers use flash drives to spread malware
Cyberoam Recommendations
- Change default passwords of ATMs and servers; in a different recent hack, a 19-year-old grocery store employee stole hundreds of thousands of dollars from ATMs
- Servers that process ATM transactions must be placed in a separate zone, isolated from other network segments
- Keep inbound anti-spam enabled, along with anti-virus scanning of attachments
- Enable outbound anti-spam scanning on Cyberoam, to prevent your domain/public IP from being blacklisted by ISPs and major anti-spam providers if any internal host gets infected
- Keep IPS enabled for outbound traffic, to block malware communication with its command and control center
- Educate end users to avoid opening attachments in suspicious emails, especially compressed files
- Implement endpoint security along with perimeter security
- Server, workstation and ATM operating system software must be updated and patched
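As an added example of the attachment-scanning recommendation above (this is our own illustration, not Cyberoam's product logic), the following gateway-style filter parses a message and quarantines the attachment types used in the Carbanak campaign (.doc and .cpl) while holding compressed files for review; the sample email is constructed inline and carries only dummy bytes.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed policy, not a Cyberoam setting: the two attachment types from the
# Carbanak spear-phishing wave are quarantined outright; archives, which the
# recommendations single out, are held for a human to look at.
QUARANTINE_EXT = {".doc", ".cpl"}
HOLD_EXT = {".zip", ".rar", ".7z"}


def classify_attachments(raw_message):
    """Parse an RFC 5322 message and return [(filename, verdict), ...]."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in QUARANTINE_EXT:
            verdicts.append((name, "quarantine"))
        elif ext in HOLD_EXT:
            verdicts.append((name, "hold-for-review"))
        else:
            verdicts.append((name, "allow"))
    return verdicts


def build_sample_message():
    """Constructed sample mail (not a real phishing sample) with four
    attachments: a .doc, a .cpl, a .zip and a harmless .pdf."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "teller@bank.example"
    msg["Subject"] = "Updated transaction limits"
    msg.set_content("Please review the attached document.")
    for data, subtype, fname in [
        (b"\xd0\xcf\x11\xe0" + b"\x00" * 12, "msword", "limits.doc"),
        (b"MZ" + b"\x00" * 14, "octet-stream", "settings.cpl"),
        (b"PK\x03\x04" + b"\x00" * 12, "zip", "invoice.zip"),
        (b"%PDF-1.4\n", "pdf", "notice.pdf"),
    ]:
        msg.add_attachment(data, maintype="application", subtype=subtype,
                           filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in classify_attachments(build_sample_message()):
        print(f"{name}: {verdict}")
```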
Stay updated, stay secure.
For similar security updates and recommendations, subscribe to Cyberoam Blogs.