What if you had a code that tricked the ATM into thinking there were funds in an empty account? Would you only use it once or twice? Or would you go from city to city, making millions? This FASTCash scheme is one to pay close attention to!
The FASTCash attack is believed to be part of the work of the Lazarus hacking group, associated with the Pyongyang-based government of North Korea. Money mules working with the hackers made tens of millions of dollars in the FASTCash ATM heists in Africa and Asia.
A previously unknown Trojan used in these attacks was found on compromised bank networks.
“To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the switch application servers handling ATM transactions,” the security researchers stated.
“Once these servers are compromised, previously unknown malware – Trojan.Fastcash – is deployed,” they say. “This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.”
North Korea Hacks
The U.S. Computer Emergency Readiness Team issued an alert in October about “malicious cyber activity by the North Korean government” referred to as Hidden Cobra.
The attack campaign has been targeting institutions in Asia and Africa with malware designed to “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.”
The FASTCash attack has led to tens of millions of dollars in suspected losses.
“The initial infection vector used to compromise victim networks is unknown; however, analysts surmise Hidden Cobra actors used spear-phishing emails in targeted attacks against bank employees,” US-CERT said in its alert. “Hidden Cobra actors likely used Windows-based malware to explore a bank’s network to identify the payment switch application server.”
In their investigations, security researchers from Symantec say that multiple variants of this previously unknown Trojan were recovered, each customized for a different transaction processing network. Each variant was tied to a list of legitimate primary account numbers (PANs), the numbers printed on bank and credit cards that identify the card owner and account.
US-CERT said in its alert that after reviewing log files recovered from an institution that had been attacked by Hidden Cobra, “analysts believe that the [hackers’] scripts … inspected inbound financial request messages for specific [PANs]. The scripts generated fraudulent financial response messages only for the request messages that matched the expected PANs. Most accounts used to initiate the transactions had minimal account activity or zero balances.”
Hidden Cobra would insert malicious code that watched for references to those accounts and returned fraudulent information about them in response to queries. With this code in place, accounts with zero balances would suddenly appear to have funds to withdraw.
“How the attackers gain control of these accounts remains unclear,” Symantec says. “It is possible the attackers are opening the accounts themselves and making withdrawal requests with cards issued to those accounts. Another possibility is the attackers are using stolen cards to perform the attacks.”
Hackers Exploit Outdated AIX
What is now clear, however, is that the attacks have been executed by hackers exploiting outdated versions of IBM’s AIX – for Advanced Interactive eXecutive – implementation of the Unix operating system, Symantec says.
“In all reported FASTCash attacks to date, the attackers have compromised banking application servers running unsupported versions of the AIX operating system, beyond the end of their service pack support dates,” Symantec says.
One obvious defense is for banks to ensure that they are keeping all systems and software up to date.
“In order to permit their fraudulent withdrawals from ATMs, the attackers inject a malicious [AIX] executable into a running, legitimate process on the switch application server of a financial transaction network, in this case, a network handling ATM transactions,” Symantec says. “The malicious executable contains logic to construct fraudulent ISO 8583 messages,” which is the international standard for financial transaction messages.
“The purpose of this executable has not been previously documented,” Symantec says. “It was previously believed that the attackers used scripts to manipulate legitimate software on the server into enabling the fraudulent activity.”
In other words, attackers do not appear to have been subverting legitimate bank software via scripts, as last month’s US-CERT alert suggested. Instead, the attackers have been deploying their own AIX malware, customized for the target environment.
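The malware described above works by answering the ATM's ISO 8583 request itself, so the issuer's core banking system never sees, or never approves, the withdrawal that the switch reports as approved. The following added example (not code from the article, Symantec or US-CERT) shows one defender-side check built on that gap: reconciling switch-side approvals against the issuer's authorization log. The record layouts and sample transactions are constructed for illustration.

```python
from collections import namedtuple

# Constructed records. In practice the fields come from parsed ISO 8583 0200 request /
# 0210 response pairs in the switch logs and from the core banking authorization log;
# here they are already extracted. STAN = system trace audit number (field 11).
SwitchEvent = namedtuple("SwitchEvent", "stan pan amount resp_code")
IssuerAuth = namedtuple("IssuerAuth", "stan pan amount approved balance_before")

SWITCH_LOG = [  # what the switch sent back to the ATM; resp_code "00" means approved
    SwitchEvent("000101", "4111111111111111", 20000, "00"),
    SwitchEvent("000102", "4111111111112222", 50000, "00"),  # never reached the issuer
    SwitchEvent("000103", "4111111111113333", 10000, "51"),  # declined, insufficient funds
    SwitchEvent("000104", "4111111111114444", 90000, "00"),  # issuer declined, switch approved
]
ISSUER_LOG = [  # what the core banking host actually decided
    IssuerAuth("000101", "4111111111111111", 20000, True, 150000),
    IssuerAuth("000103", "4111111111113333", 10000, False, 500),
    IssuerAuth("000104", "4111111111114444", 90000, False, 0),
]


def mask_pan(pan):
    """Keep BIN and last four digits so findings can be logged without full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_fabricated_approvals(switch_log, issuer_log):
    """Return (stan, masked PAN, reason) for every approval the switch reported that the
    issuer either never saw or did not actually grant. Either case means the response
    was produced somewhere other than the issuer, which is the FASTCash pattern."""
    issuer_by_stan = {a.stan: a for a in issuer_log}
    findings = []
    for ev in switch_log:
        if ev.resp_code != "00":
            continue  # only approvals can hand out cash
        auth = issuer_by_stan.get(ev.stan)
        if auth is None:
            findings.append((ev.stan, mask_pan(ev.pan),
                             "approved at switch, no issuer authorization record"))
        elif not auth.approved or auth.pan != ev.pan or auth.amount != ev.amount:
            findings.append((ev.stan, mask_pan(ev.pan),
                             "switch approval contradicts issuer decision"))
    return findings


if __name__ == "__main__":
    for stan, pan, reason in find_fabricated_approvals(SWITCH_LOG, ISSUER_LOG):
        print(f"STAN {stan} PAN {pan}: {reason}")
```

Running the reconciliation continuously against both logs, rather than only at end-of-day settlement, shortens the window in which fabricated approvals can be cashed out.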
“FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks,” Symantec says. “Lazarus continues to pose a serious threat to the financial sector and organizations should take all necessary steps to ensure that their payment systems are fully up to date and secured.”