It was like hitting the jackpot when these hackers, known as Hidden Cobra, found a way to trick ATMs into dispensing millions of dollars in cash.
The US-CERT released a technical alert from the Department of Homeland Security, the FBI, and Treasury about a North Korean APT hacking group known as Hidden Cobra that was responsible for a new ATM hacking scheme.
Hidden Cobra, also referred to as Lazarus Group and Guardians of Peace, appears to be backed by the North Korean government and has been linked to previous attacks on the media, aerospace, financial and infrastructure sectors worldwide.
Last year's WannaCry ransomware outbreak, which shut down hospitals and large businesses around the world, was the work of Hidden Cobra, as were the SWIFT banking attack in 2016 and the Sony Pictures hack in 2014.
This ATM scheme, dubbed FASTCash, has been active since 2016. FASTCash is a cyber attack that Hidden Cobra developed to cash out ATMs by compromising the bank's server.
FASTCash ATM Scheme
The security researchers investigated 10 malware samples connected to this cyber attack and realized that the attackers remotely compromise the payment "switch application servers" within the banks they targeted to facilitate fraudulent transactions.
Whenever you use your payment card at an ATM or a PoS terminal in a retailer's shop, the software asks the bank's switch application server (in ISO 8583 messages) to validate the transaction, accepting or declining it depending on the balance available in your bank account.
Malware in the Switch Application Servers
The malware installed on the compromised switch application servers then intercepts transaction requests associated with the attackers' payment cards and responds with a fake but legitimate-looking affirmative response, without actually validating the available balance against the core banking systems, eventually tricking ATMs into dispensing a significant amount of cash without the bank ever being notified.
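The pattern described above, an approval that the switch emitted without the core banking system ever seeing the request, is what a defender can reconcile for. The following is an added example, not code from the alert or the article: it compares switch-side ISO 8583 authorization responses (MTI 0210, response code DE39 "00" = approved) against a core-banking authorization log and also flags cards approved from several countries in one batch. The message layout, field order and all sample records are constructed and simplified for illustration.

```python
# Added example (not from the alert or the article): reconciles switch-side
# ISO 8583 authorization responses against core-banking authorization records.
# Record layout and sample data are constructed and simplified; a real switch
# log would carry the full set of ISO 8583 data elements.
from collections import defaultdict

# Constructed switch log: (MTI, masked PAN, STAN, amount in cents,
#                          DE39 response code, acquirer country)
SWITCH_RESPONSES = [
    ("0210", "4111******1111", "000101", 20000, "00", "US"),
    ("0210", "4111******1111", "000102", 20000, "51", "US"),  # declined, insufficient funds
    ("0210", "5500******0004", "000201", 50000, "00", "GB"),
    ("0210", "5500******0004", "000202", 50000, "00", "DE"),
    ("0210", "5500******0004", "000203", 50000, "00", "JP"),
]

# Constructed core-banking authorization log: (PAN, STAN) pairs the core
# actually processed. Only the first card's requests ever reached it.
CORE_AUTHS = {("4111******1111", "000101"), ("4111******1111", "000102")}


def unreconciled_approvals(switch_responses, core_auths):
    """Return approved (DE39 == '00') 0210 responses that the core never saw.
    A FASTCash-style implant answers the ATM without consulting the core,
    so its approvals have no matching core-banking record."""
    return [r for r in switch_responses
            if r[0] == "0210" and r[4] == "00" and (r[1], r[2]) not in core_auths]


def multi_country_approvals(switch_responses, min_countries=2):
    """Return PANs approved from at least min_countries distinct acquirer
    countries in the same batch, the coordinated cash-out pattern the
    alert describes (withdrawals in dozens of countries at once)."""
    countries = defaultdict(set)
    for mti, pan, _stan, _amount, rc, country in switch_responses:
        if mti == "0210" and rc == "00":
            countries[pan].add(country)
    return {pan: sorted(c) for pan, c in countries.items() if len(c) >= min_countries}


if __name__ == "__main__":
    for r in unreconciled_approvals(SWITCH_RESPONSES, CORE_AUTHS):
        print("approval with no core-banking record:", r)
    for pan, c in multi_country_approvals(SWITCH_RESPONSES).items():
        print("multi-country cash-out pattern:", pan, c)
```

In the constructed data the three approvals for the second card are flagged by both checks; in production the switch log and core log would be pulled from their respective systems and reconciled on a short schedule.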
“According to a trusted partner’s estimation, HIDDEN COBRA actors have stolen tens of millions of dollars,” the report says. “In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.”
Malware Delivered in Spear-Phishing Emails
How did the attackers compromise the banks' switch application servers? The U.S. authorities believe that Hidden Cobra used spear-phishing emails carrying malware to target employees at different banks.
Once the malware in the email was activated by a download or a click, it stole banking credentials, which the attackers used to move through the bank's network and compromise the payment switch application server.