A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.

Cobalt hackers are behind synchronized ATM heists

Setup and execution of the attacks

The group sent out spear-phishing emails – purportedly sent by the European Central Bank, the ATM maker Wincor Nixdorf, or other banks – to the target banks’ employees. The emails delivered attachments containing an exploit for an MS Office vulnerability.

“If the vulnerability is successfully exploited, the malicious module will inject a payload named Beacon into memory. Beacon is a part of Cobalt Strike, which is a multifunctional framework designed to perform penetration testing. The tool enables perpetrators to deliver the payload to the attacked machine and control it,” the researchers explained in a recently released paper.

Additional methods and exploits were used to assure persistence in the targeted machines, to gain domain administrator privileges, and ultimately to obtain access to the domain controller. From that vantage point, they were able to obtain Windows credentials for all client sessions by using the open source Mimikatz tool.

The attackers would ultimately gain control over a number of computers inside the bank’s local network. Some of them are connected to the Internet, and others not, but the latter would receive instructions from the central Cobalt Strike console through the former.

“After the local network and domain are successfully compromised, the attackers can use legitimate channels to remotely access the bank, for example, by connecting to terminal servers or via VPN acting as an administrator or a standard user,” the researchers noted. The attackers also installed a modified version of the TeamViewer remote access tool on the compromised devices as a fallback access channel.

Once persistent access was secured, the criminals searched for workstations from which ATMs could be controlled, then loaded the ATMs with software that let them operate the cash dispensers.

The final strikes took place within a few hours on the same day: money mules went to the targeted ATMs and sent an SMS containing the code identifying the machine to a specific phone number, the criminals made the ATM dispense all its cash, and the mules walked away with it.

Some interesting things about the gang’s capabilities

The Cobalt gang uses a number of legitimate, open and closed source tools – Cobalt Strike (a tool for penetration testing), Mimikatz, SDelete (a free tool available on the Microsoft website that deletes files beyond recovery), and TeamViewer.

“Once an ATM is emptied, the operator launches the SDelete program, which removes files used with a special algorithm, which prevents information from being recovered. Thereafter, the ATM restarts,” the researchers explained. “In addition, operators disable the bank’s internal servers involved in the attack using the MBRkiller malware that removes MBR (master boot record). Such a careful approach significantly complicates further investigation.”

The ATM manipulation software also contains code that allows it to record a log containing information about the banknotes dispensed – the gang obviously does not trust the money mules to correctly report the amount that was stolen from each ATM.
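The intrusion chain described above (Office exploit dropping a stager, Mimikatz credential theft, TeamViewer as a fallback channel, SDelete after the cash-out) maps naturally onto detection stages that can be correlated per host. The script below is an added example, not code from the Group-IB paper or any of the quoted sources; the hostnames, file paths, timestamps and log format are constructed for illustration.

```python
"""Stage correlation over Windows process-creation events (constructed sample).

Each event is classified into one of the stages named in the Cobalt write-up,
and a host showing several distinct stages inside a short window is flagged.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Children an Office document should not normally spawn.
SUSPICIOUS_CHILDREN = {"powershell.exe", "rundll32.exe", "cmd.exe", "regsvr32.exe", "mshta.exe"}

def classify(event):
    """Return the attack stage an event maps to, or None if it is benign."""
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"].lower()
    if parent in OFFICE and image in SUSPICIOUS_CHILDREN:
        return "office_spawn"        # document exploit launching a stager
    if "mimikatz" in image or "sekurlsa" in cmd:
        return "cred_dump"           # Mimikatz-style credential theft
    if "teamviewer" in image and "\\program files" not in cmd:
        return "rat_unusual_path"    # remote access tool outside its normal install dir
    if image in ("sdelete.exe", "sdelete64.exe"):
        return "anti_forensics"      # SDelete wipe after the cash-out
    return None

def parse(line):
    """Parse a constructed 'ts|host|parent|image|cmdline' record."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent, "image": image, "cmdline": cmdline}

def correlate(lines, window=timedelta(hours=6), min_stages=2):
    """Return {host: sorted stages} for hosts with >= min_stages distinct stages in `window`."""
    stages = defaultdict(list)               # host -> [(ts, stage)]
    for line in lines:
        ev = parse(line)
        stage = classify(ev)
        if stage:
            stages[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, hits in stages.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window from each hit
            seen = {s for t, s in hits[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts

SAMPLE = [  # constructed events; hosts and paths are hypothetical
    "2016-08-01T09:02:11|WS-ATMOPS-01|winword.exe|rundll32.exe|rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\a.dll,Start",
    "2016-08-01T09:05:40|WS-ATMOPS-01|rundll32.exe|mimikatz.exe|mimikatz.exe sekurlsa::logonpasswords",
    "2016-08-01T10:15:03|WS-ATMOPS-01|cmd.exe|sdelete64.exe|sdelete64.exe -p 3 -s C:\\ops\\dispense.log",
    "2016-08-01T11:00:00|WS-HR-07|explorer.exe|winword.exe|winword.exe C:\\Users\\h\\Documents\\report.docx",
    "2016-08-01T11:10:00|WS-HR-07|winword.exe|powershell.exe|powershell.exe -w hidden -f C:\\Users\\h\\AppData\\Local\\Temp\\stage.ps1",
    "2016-08-02T08:00:00|SRV-TS-02|services.exe|teamviewer.exe|C:\\ProgramData\\tv\\teamviewer.exe",
]

def run():
    return correlate(SAMPLE)

if __name__ == "__main__":
    for host, found in run().items():
        print(f"ALERT {host}: {', '.join(found)}")
```

A single stage on its own (the lone Office spawn on WS-HR-07, the oddly placed TeamViewer on SRV-TS-02) is kept as a signal but does not alert; only the host showing the chain does.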

Which banks were hit?

IB Group did not name them, noting only that they are based in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, the UK and Malaysia.

According to Reuters, Diebold Nixdorf and NCR, the world’s two largest ATM makers, have provided banks with information on how to prevent or at least minimize the impact of these attacks.

It is unknown how much money the group was able to steal.

Help Net Security

Which country has the best hackers: Russia or China?

For many years I worked for Foundstone teaching hacking classes and doing penetration testing. It was the most enjoyable job I ever had.

As part of that job, I traveled the world, including China, and got to determine firsthand which country had the best hackers. Although I didn't travel to Russia during that time, lots of Russian-born hackers showed up in my classes.


Rumblings of cyberwar

Foreign hacking is top of mind right now, thanks to Russia's attempts to shake up the U.S. presidential election. With a high degree of confidence, U.S. intelligence agencies say the highest levels of Russia's government are behind the Democratic National Committee email leaks intended to embarrass Hillary Clinton. According to the reports I've read, most of these Russian hacks seem to be based on simple password phishing.

China has been involved in hacking American (and other) companies for decades. Most computer security experts believe that China already has every intellectual property secret it wants. I didn't believe the Chinese hacking rumors for years because accusers failed to provide public evidence. I've since changed my tune because many companies have released that evidence, and it appears quite convincing. Also, the Chinese government's tight control over its domestic internet makes it unlikely that Chinese hackers could have hacked U.S. targets without either direct orders -- or at least tacit acceptance.

Regardless, recent evidence suggests that Chinese hacking against American companies has decreased since President Obama and Chinese leaders signed an antihacking agreement last year. I've been involved in dealing with advanced persistent threat (APT) attacks for more than a decade, and I'm personally hearing fewer complaints about Chinese intrusions.

Which hackers cause the most damage?

If by "damage" you mean frequency and severity of attacks, Chinese hackers take the No. 1 spot. Very likely tens of thousands of them, funded by the government, have broken into any company they like. I'm convinced they've stolen more secrets and intellectual property than any other country, with a single breach potentially incurring many millions of dollars in damage. 

I've seen American companies work on a secret new product, only to have a Chinese company release a very similar, if not identical product first. Sometimes even the wording in the documentation is identical. I've seen entire American company divisions shut down as a result. 

Russia's hackers are more focused on direct financial crime and probably incur hundreds of millions of dollars in damage each year. Who knows -- it could be billions of dollars. But if I compare the direct financial costs of Russia versus China, China probably wins that battle due to its theft of high-value intellectual property.

What about Russia's impact on the American elections, especially if that hacking results in a presidency friendly to the Russian government? Luckily, despite Russia's best efforts, the American voting system is probably too much of a hodgepodge of systems to be affected in a material way.

Best hacking skills

In my personal experience, the best hackers have always come from the United States or one of its friendly allies. I know that sounds biased, but when I taught hacking classes, the U.S. hackers always completed the hacking tests the fastest.

In the Foundstone classes we ran little tests during the day that allowed our students to practice some skill we had taught them. Most students, regardless of country, tended to perform roughly the same. At the end of the class, we had a major capture-the-flag test, which required that students put together everything we had taught them, but in slightly different ways. It required thinking outside the box. U.S. students were always able to complete the major test and were always fastest.

Unfortunately, my Foundstone experiences ended 10 years ago. Since then, several other countries have risen to become part of the elite club of hackers. Israel, for such a small country, has an enormous number of incredible hackers, and they enjoy a well-earned reputation as the best-thinking defenders.

Who's the best?

Sorry to disappoint you, but the real answer is that we don't know who's best. To be a "good" hacker you have to be invisible. The best hackers are the ones we don't see and don't know about.

But the real irony is that breaking into most organizations requires little in the way of advanced techniques anyway. Even the elite hacking units don't use their best stuff unless they have to. Why hack smart and give away your best stuff when you can hack like any script kiddie and get the same results without being discovered?

InfoWorld Security Adviser

The White House confirmed that the potential for election hacking led to using the special "red phone" to contact Russia eight days before the U.S. presidential election and issue a warning about influencing the process.

The original report said the White House used a secret "hotline"-style message on October 31st to clearly ask Russia to stop any cyberattacks that could undermine the election results. Anonymous White House officials told The Washington Post about the election hacking warning and said the Russian government response was "noncommittal." Even so, the officials said they hadn't seen an escalation in cyberattacks from Russia leading up to the election.

In a statement to The New York Times, the White House confirmed it had "contacted the Russian government directly regarding malicious cyberactivity" that was "targeting U.S. state election-related systems" using the Washington-Moscow Direct Communications Link connecting the Nuclear Risk Reduction Centers in both countries.

Cyberattacks attributed to Russia have been so plentiful this year that the White House previously admitted to considering "proportional response" to election hacking by the Russian government following attacks on voter registration systems and the Democratic National Committee. These attacks, as well as the breach of Clinton campaign chairman John Podesta's email account, were attributed to Russian hacker groups allegedly under orders by the Russian government.

Konstantinos Karagiannis, CTO of security consulting at BT America, said via Twitter that the leaks from these attacks likely prompted the warning.

Privacy Professor CEO Rebecca Herold said the leaks imply Russia's intent was likely to influence the election rather than perform direct election hacking. But she said the White House's warning may have been aimed at stopping more leaks in the lead-up to the election.

"It is likely Russia had just as much information, emails, and databases from the Republicans as they did for the Democrats (reports indicated the GOP systems were just as weak and vulnerable as the DNC's were), but chose to only release select information about the DNC, Clinton, and others, and possibly use it in other ways as well, to influence voters," Herold told SearchSecurity via email.

FBI Director James Comey said in September that state voter registration systems had been targeted by malicious actors and the Department of Homeland Security offered to help states to make sure systems were protected against potential election hacking. However, Comey also assured the public that the presidential election itself would be "very, very hard for someone to hack into because it's so clunky and dispersed."

Herold agreed that hacking of any election system was unlikely but Russia's attacks on voter registration databases would have provided "such things as voting histories, political group memberships, cause group memberships, addresses, polling and survey results, etc."

"It is feasible for such data to be run through big data analytics to determine the topics for which the voting population groups would have the most concerns, and thus the topics and/or specific types of hacked information that could be publicized with regard to each of the candidates to potentially help sway the voters to switch votes to the other candidate, or to even kill their motivation to even vote at all," Herold said. "If Russia had such data, and wanted to use it to try and make one candidate look bad, the other good, etc., that is how they would be viewed as influencing, or 'hacking' the election."


SearchSecurity: Security Wire Daily News

It has been an odd day for Newsweek – its main site was taken offline after it published a story claiming a company owned by Republican presidential candidate Donald Trump broke an embargo against doing deals with Cuba.

The magazine first thought that the sheer volume of interest in its scoop was the cause for the outage, but quickly realized that something more sinister was afoot.

The site was being bombarded by junk traffic from servers all around the world, but the majority came from Russia, the editor in chief Jim Impoco has now said.

"Last night we were on the receiving end of what our IT chief called a 'massive' DoS [denial of service] attack," he told Talking Points Memo.

"As with any DDoS [distributed DoS] attack, there are lots of IP addresses, but the main ones are Russian, though that in itself does not prove anything. We are still investigating."

The story, written by staffer Kurt Eichenwald, detailed how former employees of Trump Hotels had arranged a visit to Cuba in 1998 to explore the possibility of joint ventures with the communist regime. A consultancy company called Seven Arrows made the visit, and the funds to pay for the trip were then allegedly hidden as a charitable expense.

Shortly after the story was published, traffic on the site started to rise – as you'd expect in a presidential season with serious allegations being made. But the traffic count continued to rise and eventually brought the site down.

As with any DDoS attack, finding the culprit is nearly impossible. But it appears that the article has pissed off a lot of people who control many Russian servers. ®


The Register - Security

Yahoo's claim that it is the victim of a gigantic state-sponsored hack raises the question of whether it is the latest target for hackers with the backing of Russia, China or even North Korea, experts say.

The US internet giant was under pressure Friday to explain how it sustained such a massive breach in 2014, which possibly affected 500 million accounts.

Yahoo said the stolen information may have included email addresses and scrambled passwords, along with both encrypted or unencrypted security questions and answers that could help gain access to victims' other online accounts.

Sometimes the link between the target of a hack and a particular state may suggest itself easily.

One of the highest-profile hacks came when North Korea is thought to have targeted entertainment titan Sony in 2014, apparently in revenge for producing the comedy film "The Interview" about a CIA plot to assassinate leader Kim Jong-Un.

More recently, a mysterious group calling itself Fancy Bears hacked the medical records of athletes held by the World Anti-Doping Agency (WADA). It is still dripping the information out.

Commercial motives

Many experts believe that cyberattack was carried out by Russia after its track and field athletes were banned from the Olympics and its entire Paralympics team turfed out of their Games over evidence of state-sponsored doping.

While motivation for those cyberattacks seems clear, it might initially appear less obvious why countries such as Russia, North Korea or even China would target a company like Yahoo.

Chinese hackers have been accused of plundering industrial and corporate secrets and of orchestrating a breach of US government files on its employees that affected more than 21 million people and reportedly led to the hasty withdrawal of US intelligence operatives from China to protect their lives.

But political motives can be as strong as commercial ones, analysts note.

"Would, for example, Russian intelligence wish to conduct a large-scale hack on a major internet company like Yahoo? Absolutely they would," Shashank Joshi, senior research fellow at the London-based Royal United Services Institute, told AFP.

"It is an incredibly valuable commodity. The ability to access email addresses for US persons, perhaps a Russian dissident -- any intelligence agency worth its salt would want that sort of data, although it is very hard to use because of the encrypted passwords," he said.

Julien Nocetti, of the French Institute of International Relations (IFRI), said the hack was too big for an independent group to carry out.

"Given the scale of the revelations about Yahoo, it indicates that a lot of resources, technical equipment and coordination were required -- this definitely comes from a state," he said.

Given the tensions between Russia and the United States over the Syrian war "you could put forward the theory that this could be a Russian attempt to test the Americans' cyber defences", he said.

Finding the source

Yahoo has so far given no evidence to support its claim that it has been targeted by a state. RUSI's Joshi said finding the source "is the most fundamental problem when it comes to cyber-attacks".

"This completely bedevils even the most well-resourced people," he said.

However, he believes Yahoo would only have pointed the finger at state involvement if it had some evidence.

"The way you identify responsibility for a hack is to look for signatures that correspond to earlier known facts and then see what you know about them," he said.

For example, in the case of the hacking of Democratic National Committee (DNC) emails this year, which exposed bias within the party in favour of Hillary Clinton, cyber-security experts found evidence of a so-called Advanced Persistent Threat (APT).

"That is a code word for state hackers who were clearly operating in a system and matched up with earlier such hacks" carried out by Russia's state and military intelligence agencies, Joshi said.

But in Russia, so often accused of state-sponsored hacking, one expert said it was naive to immediately blame a state and scoffed at the suggestion the hackers were sophisticated spies.

"Anyone could have hacked a database of users like Yahoo because it's a classic commercial server," said Oleg Demidov, a consultant at the Moscow-based independent think-tank PIR Center.

"At the moment, this looks like a traditional hack aimed at making money or carving out a reputation by selling a load of personal data," he added.


© AFP 2016


SecurityWeek RSS Feed

NSA whistleblower Edward Snowden reckons Russia is the most likely suspect behind the leak of advanced hacking tools allegedly stolen from an elite NSA hacking unit. He postulates a complex motive for the leak involving gaining diplomatic leverage that wouldn’t look out of place in a modern retelling of a John le Carré novel.

A previously unknown group of hackers calling itself Shadow Brokers last week offered samples of data it claims to have stolen from the Equation Group, an elite cyber attack unit linked to the National Security Agency (NSA). Shadow Brokers said that the data dump was a sample of what had been stolen from hacking Equation and said that the “best” files would be auctioned off to the highest bidder.

In a series of tweets, Snowden expanded on a theory that Russia was behind the hack and subsequent leak, positioning it as a bold diplomatic gambit designed partly to deflect sanctions over Russia’s alleged involvement in a recent hack against the US Democratic Party. He stated that it’s common practice for intel agencies to hack each other’s malware delivery infrastructure.

“NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is,” Snowden said. "Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack."

“Circumstantial evidence and conventional wisdom indicates Russian responsibility,” according to Snowden.

Snowden - who’s resident in Russia and appears to have put attempts to seek asylum elsewhere on indefinite hold - speculates that the hacking group behind the leak might be serving a “warning that someone can prove US responsibility for any attacks that originated from this malware server”.

“This may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks,” he added.

He concluded: "This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast."

An analysis by Symantec of the leaked files concludes that they appear to be installation scripts, configuration files, and exploits targeting a range of routers and firewall appliances. Most of the files appear to be several years old, dating back to between 2010 and 2013. Confidence in the authenticity of what’s been leaked so far has been bolstered by a decision by networking firms Cisco and Fortinet to release patches in response to Shadow Brokers’ leak.

A similar analysis by Kaspersky Lab led analysts to conclude "with a high degree of confidence that the tools from the Shadow Brokers leak are related to the malware from the Equation Group". ®


The Register - Security