Bank breaches are not breaking news. Cyber criminals will continue to target financial institutions, especially because such attacks are often extremely lucrative. Case in point: the recent revelation that The National Bank of Blacksburg was hacked not once, but twice, within 8 months and the perpetrators made off with $2.4 million.
In both attacks, phishing emails allowed the criminals to gain access to the bank’s IT infrastructure. While companies continue to invest heavily in employee training and technologies to thwart phishing attacks, determined hackers continue to succeed with a variety of tactics, whether it’s insider accomplices, credential harvesting, malicious macros, or social engineering. Once hackers breach an organization, it becomes very difficult for traditional cyber security tools (SIEM, anti-malware, etc.) to detect and stop them.
Once the hackers infiltrated the bank’s network, their next moves were all too familiar: enumerate the environment, identify privileged accounts, spread laterally to other devices and networks, and obtain privileged credentials. These activities occur in almost all modern-day attacks. In this particular attack, the hackers gained administrative privileges and spread laterally to key financial networks (STAR network and Navigator) to alter debit card anti-fraud protections, allowing millions of dollars to be withdrawn from ATMs.
While no organization wants to get breached, many organizations today realize that attacks do occur and often purchase various cyber security insurance policies. In the event of a cyber incident, these policies help organizations cover the costs of post-breach forensics, data recovery, infrastructure re-building, and other financial losses. Fortunately, the National Bank of Blacksburg had several insurance policies with the Everest National Insurance Company. The bank had both a computer and electronic (C&E) crime rider that covered $8 million in liability and a debit card rider that covered $50,000 in liability. In a further hit to the bank, however, the insurance company only paid out on the debit card rider because the money stolen was accessed through illicit debit card withdrawals at ATMs.
Based on the style, techniques, and tools used in this financial institution hack, the likely culprit was a Russian-speaking attack group dubbed MoneyTaker by Group-IB, a threat intelligence and anti-fraud solution company. Research by Group-IB shows that this MoneyTaker organization has conducted over 20 successful bank hacks and legal firm breaches throughout the world. Like many cyber-criminal groups, MoneyTaker leverages both borrowed and self-written tools and employs tactics such as ‘fileless’ malware, persistence via PowerShell and Visual Basic scripts (VBS), and valid SSL certs from legitimate companies to hide their command & control (C&C) communications. Most of these tactics and toolsets go undetected by traditional Anti-Malware as well as by traffic analyzers and “next-gen” Endpoint Detection and Response (EDR) platforms.
We learn valuable lessons from successful cyber attacks; here are a few that we've learned from the National Bank of Blacksburg incident:
- Spear-phishing and other breach tactics are successful and will continue to be successful; attempting to protect all possible breach attack surfaces is challenging and expensive
- Traditional cyber security technologies (Anti-Virus/SIEM/EDR platforms) often fail to detect the types of tools and strategies hackers use in real-time
- The National Bank of Blacksburg needed a breach detection and response cyber security platform that could detect lateral spread and privileged user activity
- After the first breach, where lateral spread was essential for MoneyTaker’s success, the National Bank of Blacksburg should have installed a breach detection and response platform with lateral spread detection
- Cyber security insurance does not stop bank breaches; it’s important for organizations to be prudent and prepare for the worst, but it doesn’t make an organization any more secure and, as we saw here, may not actually cover the damages an organization faces
- Most purposeful and modern hacks take time and planning; the MoneyTaker group had to coordinate the withdrawal of millions of dollars at physical ATMs, which implies they were inside the bank’s network for quite some time without being detected
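The two behaviours the lessons above say a detection platform must catch, an account fanning out to many hosts over network logons and a privileged account being used from an ordinary workstation, can be spotted in Windows logon telemetry. The following detector is an added example written for this post (it is not Blackpoint's or SNAP-Defense's code); the event records are constructed, simplified from Windows Security event 4624 fields, and the host naming and the privileged-account list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logon events (Windows event 4624),
# reduced to: (timestamp, account, source host, target host, logon type).
# Logon type 3 is a network logon; type 2 is interactive at the console.
EVENTS = [
    ("2018-05-01T02:10:00", "j.doe",      "WS-17", "WS-17",  2),  # normal console logon
    ("2018-05-01T02:11:30", "svc-backup", "WS-17", "FS-01",  3),  # service account fanning
    ("2018-05-01T02:12:05", "svc-backup", "WS-17", "FS-02",  3),  # out from one workstation
    ("2018-05-01T02:12:40", "svc-backup", "WS-17", "DC-01",  3),
    ("2018-05-01T02:13:10", "svc-backup", "WS-17", "SQL-01", 3),
    ("2018-05-01T09:00:00", "a.smith",    "WS-03", "FS-01",  3),  # benign file-share use
    ("2018-05-01T09:30:00", "a.smith",    "WS-03", "FS-01",  3),
]

# Assumed list of privileged/service accounts that should never originate from workstations.
PRIVILEGED = {"svc-backup", "Administrator"}


def detect_lateral_spread(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag accounts reaching >= min_hosts distinct targets via network logons inside a window."""
    by_account = defaultdict(list)
    for ts, acct, src, dst, ltype in events:
        if ltype == 3 and src != dst:
            by_account[acct].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for acct, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):  # slide the window over each logon
            hosts = {dst for t, dst in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((acct, start.isoformat(), sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts


def detect_privileged_from_workstation(events, privileged=PRIVILEGED, prefix="WS-"):
    """Flag privileged accounts performing network logons from user workstations."""
    return sorted({(acct, src) for _, acct, src, _, ltype in events
                   if ltype == 3 and acct in privileged and src.startswith(prefix)})


if __name__ == "__main__":
    for alert in detect_lateral_spread(EVENTS):
        print("lateral spread:", alert)
    for alert in detect_privileged_from_workstation(EVENTS):
        print("privileged account from workstation:", alert)
```

Against real telemetry the thresholds need tuning per environment, and the source host should come from the event's workstation name or source address field rather than the field layout assumed here.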
The National Bank of Blacksburg is a textbook case for why Blackpoint Cyber built its SNAP-Defense platform. Spear-phishing happens - traditional security fails - hackers use ‘fileless’ malware, obtain privileged credentials, and spread laterally. Organizations can prevent and stop these types of attacks; they just need to understand how hackers actually operate and then implement policies and technologies that are effective against such operations. With SNAP-Defense, the National Bank of Blacksburg would have immediately noticed MoneyTaker’s misuse of privileged accounts, enumeration activities, reliance on PowerShell and VBScript, and lateral spread between devices and networks.
Don’t rely on other cyber security solutions; they continue to fail at thwarting bank breaches like the one at the National Bank of Blacksburg. Instead, buy an integrated cyber security solution that actually detects how hackers operate, provides a real-time response, and also offers an automated compliance module. Don't be MoneyTaker's next victim - try SNAP-Defense in your organization free for 30 days!