From phish to network compromise in two hours: How Carbanak operates

The past few years have seen an increase in the number of attacks against financial organizations by sophisticated cybercriminal groups that use manual hacking and stealthy techniques to remain hidden. Now, researchers from Bitdefender have released a report on an intrusion they investigated at an unnamed bank that documents in detail how these attackers operate and shows how fast they can gain control over a network.

The breach was perpetrated by Carbanak, an umbrella group for several cybercriminal gangs that have stolen hundreds of millions of dollars from banks and other organizations worldwide. Carbanak’s divisions are known by various names including CobaltGoblin, EmpireMonkey and FIN7, a group that specializes in targeting point-of-sale (PoS) systems in the retail and hospitality sectors.

The suspected leader of Carbanak was arrested in March 2018 in Spain, but Carbanak’s activities continued. Between March and May 2018, Bitdefender detected several phishing campaigns attributed to Carbanak. Those attacks impersonated IBM; Spamhaus, an anti-spam organization; VeriFon, a PoS terminal manufacturer; the international SWIFT payment system; a Swedish company; a security vendor; and the European Central Bank.

One of those campaigns distributed malicious documents that contained exploits for three known remote code execution vulnerabilities in Microsoft Office. Their goal was to deploy an implant from the Cobalt Strike penetration testing framework and download additional payloads and tools.

Two hours to network access

According to Bitdefender’s forensics investigation, two employees of the compromised bank opened malicious documents from the Carbanak campaign on the same day. Two hours later attackers had already managed to obtain administrative credentials for the domain controller, giving them unrestricted access to multiple systems from the bank’s network.

Bitdefender did not document how the administrative credentials were captured, but investigations on Carbanak attacks done in the past by other security companies revealed that one technique is by installing keyloggers and then sending emails from the compromised employee’s account to the IT administrator claiming their computer is slow. The attackers then wait for the administrator to remotely log in to troubleshoot the issue and capture their credentials.

Other techniques involve stealing locally stored plain text or hashed credentials with tools like Mimikatz, brute-forcing administrative credentials if they are not strong enough or using credentials obtained in advance using other methods.

63 days undetected

Another interesting aspect of this attack is that despite compromising the domain controller very quickly, the attackers remained in the network undetected, identifying and compromising other systems, for the next 63 days. During that time, they mapped the network, learned the bank’s internal procedures, and established a VPN connection back to an external command-and-control server. Most of their lateral movement activity was done outside of regular working hours in order to lower the chances of being detected.

The attackers spent the first 30 days compromising systems and identifying valuable information they could steal including manuals, guides and training materials for different internal applications used by the bank. Then over another 17 days those documents were carefully gathered on a network endpoint chosen by the attackers, where they were archived and organized into different folders in order to be exfiltrated.

“This information was relevant in planning the attack on the bank and, potentially, other banks that share similar systems,” the Bitdefender researchers said in their report. “The cybercriminal group could be actively improving its understanding of internal banking systems by collecting and studying this type of information, in an attempt to make their attacks more efficient and stealthier.”

Carbanak targets financial organizations from different regions of the world and while some banking procedures are standardized, many banks use custom applications internally and have different workflows. In the past, Carbanak attackers even installed screen recording software on compromised workstations to learn how bank employees are using these applications.

The Bitdefender researchers believe that the goal of the attackers was to eventually gain access to the bank’s ATM network and withdraw cash fraudulently with the help of money mules. Carbanak has carried out such attacks successfully in the past, so stealing money from ATMs is a part of their modus operandi.

Even though in this case that goal was not achieved, the attackers did manage to gain access over large parts of the bank’s IT network and their lateral movement activities shows they are skilled at evading detection and know exactly what type of information they’re looking for.

What should defenders do? 

“What really matters is that organizations focus more on reducing the time-to-detect a potential data breach, instead of preventing these attacks from occurring,” Liviu Arsene, a senior e-threat analyst at Bitdefender tells CSO. “It’s vital that attackers are stopped during the reconnaissance phase, before executing their final heist.” 

Organizations should review how administrative credentials are being used across their networks and should restrict administrative access to devices. There should be clear policies in place on when and on what type of devices administrators should be allowed to use their credentials. Microsoft provides some guidance on enforcing such restrictions on its Core Infrastructure and Security blog.

Also, the fact that most of the hacking activities were performed outside of regular working hours could provide defenders with detection opportunities. In this case, the attackers accessed internal workstations using RDP and valid administrative credentials, just like real administrators would. This would be hard to distinguish from legitimate activity during the day, but organizations could deploy solutions to flag such activities as suspicious if done after working hours.

“Setting in place security controls that restrict admin-level remote access to critical infrastructure and deploying network and endpoint detection and response tools that spot anomalous behavior can help raise the necessary security alarms that could reveal a potential breach,” Arsene says.

Finally, since the attack vector in most of these breaches is a malicious document delivered via spear-phishing, organizations should deploy a security solution that automatically opens and analyzes email attachments in controlled environments like sandboxes in order to detect potentially malicious behavior. And employees should regularly be trained on detecting phishing emails.