Cybercrime , Finance & Banking , Fraud Management & Cybercrime

Eastern European Bank Hackers Wield Malicious Hardware

'DarkVishnya' Heists Stole Tens of Millions of Dollars, Kaspersky Lab Says
Eastern European Bank Hackers Wield Malicious Hardware
Bash Bunny - a $100 "USB attack and automation platform" - is one piece of a kit being wielded by hackers who have used malicious hardware to steal from Eastern European banks, Kaspersky Lab warns.

Eastern European hackers have been plugging inexpensive hardware into banks' local area networks to help perpetrate heists that have stolen tens of millions of dollars.

See Also: Combating Cyber Fraud: Best Practices for Increasing Visibility and Automating Threat Response

The attack campaign, dubbed DarkVishnya - dark cherry - has targeted at least eight Eastern European banks, says Sergey Golovanov, a principal security researcher at Moscow-based endpoint security firm Kaspersky Lab, which was called in to investigate the thefts.

"Each attack had a common springboard: an unknown device directly connected to the company's local network," he says in a blog post. "In some cases, it was the central office, in others a regional office, sometimes located in another country."

Catch Me If You Can

Golovanov says that the attack campaign began in 2017 and has continued throughout this year. In all of the attacks, he says the attackers have made use of one of these types of computing devices:

  • Inexpensive portables: Low-cost laptops and netbooks;
  • Raspberry Pi: A credit-card-sized computer that costs $35 and up;
  • Bash Bunny: A $100 USB stick designed for penetration testers and systems administrators that manufacturer Hak5 bills as being "a simple and powerful multifunction USB attack and automation platform"

Golovanov says the choice of device appeared to be tied to an attacker's ability and, no doubt, simply preferences. Once connected to a targeted LAN, attackers gained remote access by using a built-in or USB-connected LTE, GPRS or 3G modem.

Kaspersky Lab warns that "high-tech tables with sockets are great for planting hidden devices."

Three Attack Stages

Successful attacks progressed through three stages, Kaspersky Lab reports:

  1. Physical access: Attackers, potentially posing as couriers or job seekers, entered a facility and looked for a place to connect their device, often in a meeting room. "Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion," Golovanov says.
  2. Remote reconnaissance: With the device in place, attackers would remotely connect to the hidden device and begin conducting reconnaissance, as well as brute-force sniffing for login data, to attempt to identify any workstations or servers involved in handling payments. To bypass internal firewall restrictions, "they planted shellcodes with local TCP servers," Golovanov says. "If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels."
  3. Remote login: Once attackers identified a system used to make payments, they worked to gain persistent remote access to the system and then remotely ran executable files.

Golovanov says the attackers' MO was to remotely install msfvenom, which is a stand-alone payload generator for Metasploit, an open source penetration testing toolkit.

Configuration settings for msfvenom (Source: Offensive Security)

"Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies," Golovanov says (see: Locking Down PowerShell to Foil Attackers: 3 Essentials).

"If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe, to run executable files remotely," he adds. All of those tools can provide administrators - or in this case, attackers - with the ability to remotely install and execute files.

Malicious Hardware Evolves

Plugging low-cost devices into target networks to steal cash isn't new, conceptually speaking.

One tried-and-true attack against retail establishments, restaurants and hotels that use point-of-sale devices to read customers' payment cards involves a two-man crew entering a building. One attacker distracts an employee while the other swaps a legitimate payment card reader with a look-alike version that has a skimmer installed. The skimmer then begins keeping a copy of all cards that get swiped, for later retrieval, potentially remotely, by attackers.

Security researchers have also been demonstrating how hobbyist hardware might be put to use by crime gangs. At the 2014 Black Hat Europe conference in Amsterdam, for example, two security researchers showed how they were able to program a Raspberry Pi and connect it to the port of an ATM to bypass the ATM's own systems and instruct the machine's cash dispenser to spit out all of its money (see: Hacking ATMs: No Malware Required).

The DarkVishnya campaign shows that as small, powerful and relatively inexpensive computing devices proliferate, and cost little enough that they can be treated as disposable, hackers will find innovate new ways to use them.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.