Cyber security and fileless attacks

May 25th, 2017, Published in Articles: EE Publishers, Articles: EngineerIT


Recently bank employees discovered an empty ATM: there was no money. The ATM had not been used and there was no sign of malware. After experts spent time unraveling this mysterious case, they were able to not only understand the cybercriminal tools used in the robbery but also reproduce the attack themselves, discovering a security breach at the bank.

In February 2017 Kaspersky Lab published the results of an investigation into mysterious fileless attacks against banks: criminals were using in-memory malware to infect banking networks. But why were they doing this?

The criminals hit more than 140 enterprise networks in a range of business sectors. In total, infections have been registered in 40 countries, including Morocco, Egypt, Kenya, Uganda, Congo and Tanzania. It appears, thankfully, that this one bypassed South Africa.

Amin Hasbini, senior security researcher, Kaspersky Lab

So far, ATM cases have been reported in just two countries, but the attackers might still be active. According to Amin Hasbini, senior security researcher at Kaspersky Lab, organisations are advised to check their systems, keeping in mind that detection of such an attack is possible only in RAM, on the network and in the registry – and that, in such instances, Yara rules based on scans of malicious files are of no use. To prevent such attacks, comprehensive security software is advisable.

This malware is remotely installed and executed on an ATM from within the target bank, through the bank’s own remote administration of its ATMs. After it is installed and connected to the ATM, the ATMitch malware communicates with the ATM as if it were legitimate software. It lets attackers issue a list of commands – such as collecting information about the number of banknotes in the ATM’s cassettes. What’s more, it gives criminals the ability to dispense money at any time, at the touch of a button.

Usually, criminals start by getting information on the amount of money a dispenser has. After that, a criminal can send a command to dispense any number of banknotes from any cassette. After withdrawing money in this curious way, criminals only need to grab the money and go. An ATM robbery like this takes just seconds.

The investigation started after the bank’s forensic specialists recovered two files containing malware logs from the ATM’s hard drive (kl.txt and logfile.txt) and shared them with Kaspersky Lab. These were the only files left after the attack: it was not possible to recover the malicious executables, because the cybercriminals had wiped the malware after the robbery. But even this tiny amount of data can be enough to run a successful investigation.

During incident response, security specialists need to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, in memory and on hard drives. Unfortunately, each of these storage media has a limited timeframe during which the required data is available. A single reboot of an attacked computer makes memory acquisition useless. Several months after an attack, log analysis becomes a gamble because logs are rotated over time. Hard drives store a lot of the needed data and, depending on the level of disk activity, forensic specialists may still be able to extract data up to a year after an incident. That is why attackers use anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity from data acquisition. A good example of the implementation of such techniques is Duqu 2.0.

After being dropped on the hard drive and launching its malicious MSI package, it removes the package from the hard drive by renaming the file and leaves part of itself in memory together with a payload. This is why memory forensics is essential in the analysis of malware and its functions. Another important element of an attack is the tunnels that attackers install in the network. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that; Duqu 2.0 used a special driver.

Hasbini said that combating these kinds of attacks requires a specific set of skills from the security specialist guarding the targeted organisation. The successful breach and exfiltration of data from a network can be conducted using only common and legitimate tools; after the attack, criminals may wipe all the data that could lead to their detection, leaving no traces, nothing – another reason that memory forensics is a critical area for the analysis of malware and its functions. Hasbini commented that, as the company’s experience proved, a carefully directed incident response can help solve even the perfectly prepared cybercrime.
