How the Carbanak gang hacked banks.

Captions
My name is Jornt van der Wiel and I work as a security researcher for Kaspersky Lab. On this slide you will see some of my colleagues, but in the middle there is one big guy, and that guy is Eugene Kaspersky. He is important not just because he is the CEO but also because he will come back later in the story. So we are a team of about 40-plus people all over the world investigating the latest cyber threats, and one of the threats we investigated was Carbanak. That threat started with a phone call.

So we were called, or actually emailed, by somebody we knew who was working in Ukraine for a big bank, and he said: guys, we have a problem, can you please come to see what's going on? Now we said, oh man, going all the way to Kiev, it's far, it's not so easy, can't you just say what's going on? He said: no no no, you guys have to come, trust me, you have to come. So we were like, okay, we will go. So we went to Kiev and he took us to a room, and the room was the video room with all the CCTV equipment, and there he showed us a movie. In that movie you see at the bottom right of the screen that it is 3 o'clock in the night, and a guy comes walking in a big jacket and a hoodie. He puts the hoodie over his head, he wraps the scarf around his neck so you do not see his face, he opens up his jacket, he gets a card out, and with that card he swipes and can actually enter the bank. As soon as he enters the bank all the ATMs start to blink and they start to dispense cash. So he opens up his big black sports bag, puts the money in there and continues until the ATM is empty, then he goes to the next one and the next one and the next one, and about 1 million dollars later he walks out of the bank. Without even touching the ATMs he was able to steal quite some money.

We thought that this was another version of Tyupkin. Tyupkin is a type of malware that you can install on an ATM: you can go on eBay, you can buy a key, usually those ATMs have standard keys, you can open up the ATM, you can insert a USB or a CD-ROM drive, you reboot the ATM and at that point the ATM is infected with Tyupkin. Tyupkin also works between 12 o'clock and 3 o'clock in the night: you go there, you enter a secret code, then you will see a challenge, you text the challenge to your boss, he will give you the response, you enter the response on the PIN pad and then you're basically in god mode, you can choose from which cassettes you want the money. So as you can see, these two types of attack were looking quite similar. So we asked for all the hard drives of the ATMs and we investigated them, and investigated them, and more investigation, but we couldn't find anything except a weird CPM configuration. So we thought, well, okay, whatever, we don't know, this happens.

But then a few months later, again at 3 o'clock in the night, we get a phone call from one of our colleagues saying: yeah, you know, you really have to call this number. Oh wait, wait, who is this, who do we have to call? No no no, just call it, it's really important. So okay, we will call the number. So we dialed, and on the other end of the phone was the most stressed-out guy we ever talked to, and he just said: get your ass over here. Okay, but I'm in bed, it's 3 o'clock in the night, where is here? Yeah, come to this and this bank, now. So okay, we put our clothes on, we go to the bank and we ask what's the problem, and he said: our domain controller is sending data to China. The domain controller is the most important server in your network, and if that server is sending data to China, yeah, there might be something malicious going on. So we were put behind the terminal and we decided to investigate, starting Process Explorer, and we found a malicious process running. So we were looking at the process and we saw that a VNC DLL was injected into that process. Now remember what the situation is: it was about 4 o'clock in the night, in one of the biggest banks in Russia, the bank has been hacked, and you see that VNC is installed on the computer you are investigating. Could it be that those guys were watching what we were doing? We wanted to find out, so we opened up Word and we decided to write something. So we wrote "hello" and we waited, and we waited, and then suddenly: "hello". So indeed they were watching what we were doing, and you know how these conversations go: you won't catch us, you won't catch us; now we will get you; and poof, they were gone.

But the bank, they were still affected, in the middle of the night. So what do you do then? Now you can do two things. You can create some signatures for your antivirus product and push them out so that the malware will be found and removed, but not all the computers had antivirus installed. So we just created a very simple batch script that removed the malware from all the computers, and that was run a couple of times until we knew for sure that the bank was clean. So the bank was safe, but the world wasn't. So we decided to investigate and investigate, and we found out that this attack was actually called Carbanak, and that there were many other banks being affected with Carbanak.

Now remember Eugene from the beginning of the story. We went to a conference, the Interpol conference in Singapore I think, and there he was talking with somebody from Europol, and you know CEOs, they like to tell what they are doing, and Eugene told the story. And the guy from Europol said: wait, this is so important, you should come to Europol, to our headquarters in The Hague, and present about this so that the banks can protect themselves. Okay, well, we can do that. So we flew in some people to The Hague, and one of my colleagues was presenting there in a room. The room was fully packed with many important people from many big banks in Europe, and my colleague started to give the presentation, and you know, he's the type of guy that gets really enthusiastic when it gets technically more advanced, and you saw that the more enthusiastic he got, the more nervous the people in the room became. Well, we handed our report to those banks so they could protect themselves, and that was it.

Well, of course not entirely, because we also have to investigate the malware and how it works, because how does Carbanak actually work? Well, Carbanak gets installed on a computer by sending a Word document to, for example, let's say the event manager in the bank. Now the Word document contains an exploit, and the event manager in the bank opens up the Word document, because the description in the email is: we're organizing a very important event, could you please stop by and have a booth, you could gain so many potential clients, for a description please see the attached document. So of course the event manager opens up the Word document and poof, the malware is downloaded and installed on the computer in the bank, and the attackers have their first point of entry within the bank. But of course the first computer is not so useful, so you elevate your privileges and you want to get the password of the administrator. How can you do that? Very simple: you write an email to IT and you say that this computer is so, so slow, could IT please come by to check what's going on. So IT comes by, they log in with their administrative account, and boom, because they installed a keylogger they have the password of the administrator, and that password can also be used on the domain controller. And when they are on the domain controller they can do whatever they want, they can go to all kinds of PCs.

The interesting thing about Carbanak was that there was not one way to get money out of the bank, but there were several ways. So one way was, as I told in the beginning, to control the ATMs remotely. Another way was to enter data directly into the SWIFT system, so there were money transfers going out to other countries. Another way is to manually increase the balance of some money mules: so for example they have $1,000, you make it ten thousand dollars, the money mules go to the ATM, they take nine thousand dollars and their original amount remains the same. And the last way, that was actually kind of funny, is they found the backend system to create accounts, and they created accounts for money mules, and they gave every money mule, say, 35 rubles or 35 ruble cents, I don't know, like a very low amount. And then when all the money mules were there, they decided to manually adjust the balance of the money mules. So what did they do? Their query was something like: update balance to ten million where balance is 35. So suddenly people with thirty-five rubles had ten million rubles. Now that is interesting, but not only the money mules: some innocent people who happened to have thirty-five rubles on their account suddenly had millions of rubles on their account. Of course the money mules came and they took all the money from the ATM. And these are the four ways that the Carbanak gang stole money from banks.

So one of the questions we often get is: well, what do you actually do against this attack? Well, we decided to team up with the Dutch police, because one of the things about Holland, what it's famous for: its beer and its flowers, I guess also for the weed for many foreigners; we also have a very, very good IT infrastructure, which means there are lots and lots of hosting companies in the Netherlands, and those hosting companies might host a Carbanak command and control server. But how do we find these Carbanak command and control servers? Now there are two ways: you can find a malware sample and you can see where the malware is connecting to, then you have a command and control server, or you can do something else. Well, we got an image of one server and we decided to analyze the code, and we saw that they made a very small implementation mistake in their code, which means if we send a very specific request to a server on the internet we will get a very specific reply. So that way we identify a Carbanak command and control server: if we find a malware sample connecting to a command and control server, and we send that message and we get that reply, boom, we're done. We can also take it one step further: what about if we scan the internet, in two days, and do that request on all the servers all over the internet and analyze those replies? Then we can find the latest Carbanak command and control servers.

Remember the story that I was telling in the beginning, that one of my colleagues was presenting at Europol. Well, there was one bank that got really, really nervous because they thought they had hits, and on that day our internet scan finished and we found out that it was actually a Carbanak command and control server located in the Netherlands. So we called the police and we asked them: could you please seize the server, because we're working with you in this investigation? And the police said: we will call you back. And they did, they called back about half an hour later and they said: okay, two things. One, we will seize the server, and two, if you do an internet scan that takes two days, start it on Friday so we have the results on Monday, and we don't need to work on Friday afternoon, because on Friday afternoon nobody is in the office anyway. The police seized the server, and what we found out there is that Carbanak was much bigger than we initially thought, because it was targeting Ukraine and Russia, but on that server we also saw that they were targeting Asia, I think even Bangladesh, and some other countries. So there was much more to Carbanak than we originally thought.

Well, with this story we came out a while ago during the Security Analyst Summit, and at that point Carbanak was not so active anymore. We saw that all the command and control servers that were active, they stopped, and for a while Carbanak disappeared. But they are back, and they came back, and we think that they are still running. So the battle is not over; we hope that one day, together with the police, those guys will be arrested and the robbing of banks will stop.

And one of the questions I also always get is: what can banks do against this attack? That's very simple. If the banks would have updated their Microsoft Word software, or their Office, they would not have been hacked, because it used a well-known vulnerability. The second thing is training and awareness. I know it's very difficult; I was talking to another bank, they said: yeah, we spend all this money on an awareness training, one month later we send the phishing email and still 85 percent of the people click on the phishing email. So it's not always so effective, but then again, 15 percent didn't click. Another thing you can do is turn on behavioral detection, because it will find this attack, because it does all these malicious things like process injection, et cetera. So if you have a behavioral component in your antivirus, turn it on. And if you follow these three steps, the chance that you will become a victim of Carbanak as a bank is much, much smaller. So as you can see, the banks could have done some very simple things to prevent this attack. Now if you don't want to become a victim of Carbanak, or in general if you don't want to become a victim of cybercrime, do exactly the same thing: don't click on any suspicious emails, always update your software, and if you have an AV installed make sure the behavioral detection is turned on. If we do that, the chance that you will become a victim is much, much smaller.
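The talk describes two of the cash-out methods as direct edits of account balances in the bank's backend: raising a mule's balance by hand, and a bulk statement along the lines of "update balance to ten million where balance is 35" that also hit innocent customers. Both leave the same trace a defender can audit for: a balance change with no transaction behind it. The following is an added example, not code from the talk or from Kaspersky Lab, showing a ledger reconciliation check that flags such unexplained changes and then groups them by old-to-new balance pair to surface a mass uniform update. Account numbers, balances and journal entries are all constructed for the example; a real bank's core banking schema, account identifiers and journal format would differ.

```python
"""Added example (not from the talk): reconcile account balances against the
transaction journal to find balance changes with no supporting transaction.
All accounts, balances and journal entries below are constructed."""
from collections import defaultdict
from decimal import Decimal

# Constructed balance snapshots at the start and end of the audit window.
OPENING = {
    "acct-001": Decimal("35.00"),
    "acct-002": Decimal("35.00"),
    "acct-003": Decimal("1000.00"),
    "acct-004": Decimal("35.00"),
    "acct-005": Decimal("250.00"),
}
CLOSING = {
    "acct-001": Decimal("10000000.00"),   # bulk "where balance is 35" edit
    "acct-002": Decimal("10000000.00"),   # same
    "acct-003": Decimal("10000.00"),      # single mule balance raised by hand
    "acct-004": Decimal("10000000.00"),   # innocent customer hit by the bulk edit
    "acct-005": Decimal("200.00"),        # legitimate: explained by the journal
}
# Constructed transaction journal: every legitimate balance change is posted here.
JOURNAL = [
    {"acct": "acct-005", "amount": Decimal("-50.00"), "ref": "card purchase"},
    {"acct": "acct-003", "amount": Decimal("1000.00"), "ref": "salary"},
]


def unexplained_changes(opening, closing, journal):
    """Return {account: (expected, actual)} for every account whose closing
    balance differs from opening balance plus the sum of its journal entries.
    A direct UPDATE of the balance column bypasses the journal, so it shows up here."""
    posted = defaultdict(Decimal)
    for entry in journal:
        posted[entry["acct"]] += entry["amount"]
    findings = {}
    for acct, start in opening.items():
        expected = start + posted[acct]
        actual = closing.get(acct, start)
        if expected != actual:
            findings[acct] = (expected, actual)
    return findings


def mass_uniform_updates(findings, opening, min_accounts=3):
    """Group unexplained changes by (old balance, new balance). Many accounts
    sharing one pair is the signature of a single bulk UPDATE ... WHERE balance = X.
    Returns a list of {"old", "new", "accounts"} sorted by account count, largest first."""
    groups = defaultdict(list)
    for acct, (_expected, actual) in findings.items():
        groups[(opening[acct], actual)].append(acct)
    hits = [
        {"old": old, "new": new, "accounts": sorted(accts)}
        for (old, new), accts in groups.items()
        if len(accts) >= min_accounts
    ]
    return sorted(hits, key=lambda h: len(h["accounts"]), reverse=True)


if __name__ == "__main__":
    found = unexplained_changes(OPENING, CLOSING, JOURNAL)
    for acct, (expected, actual) in sorted(found.items()):
        print(f"{acct}: expected {expected}, ledger says {actual}")
    for hit in mass_uniform_updates(found, OPENING):
        print(f"bulk edit suspected: {hit['old']} -> {hit['new']} on {hit['accounts']}")
```

On the constructed data the reconciliation flags four accounts (the three that went from 35 to ten million and the one raised by hand from 1000 to 10000), and the grouping step reports the 35-to-ten-million trio as one suspected bulk edit while leaving the single hand-edited account as an individual finding. In practice this check runs against end-of-day snapshots, and the threshold for a "mass" group would be tuned to the bank's normal batch operations.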
Info
Channel: SQUALIO
Views: 29,873
Rating: 4.8198876 out of 5
Id: l61kYp_HDnA
Length: 16min 0sec (960 seconds)
Published: Wed May 24 2017