Lazarus 'FASTCash' Bank Hackers Wield AIX Trojan
Hackers Exploit Outdated Unix to Deploy Cash-Out Malware, Symantec Reports
Security researchers say they've identified a crucial piece of the ATM cash-out attack puzzle connected with the so-called FASTCash attacks perpetrated by North Korean hackers.
The U.S. government says the FASTCash attacks are the work of the Lazarus hacking group, tied to the Pyongyang-based government of North Korea. Authorities say that since 2016, the attacks have enabled hackers - and their money mules - to drain tens of millions of dollars in cash from ATMs in Africa and Asia.
Now, security researchers at Symantec say they've recovered a never-before-seen Trojan used in the attacks, which Lazarus operators drop onto compromised bank networks.
"To make the fraudulent withdrawals, Lazarus first breaches targeted banks' networks and compromises the switch application servers handling ATM transactions," the Symantec researchers say in a Thursday blog post.
"Once these servers are compromised, previously unknown malware - Trojan.Fastcash - is deployed," they say. "This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs."
In October, the U.S. Computer Emergency Readiness Team issued an alert about "malicious cyber activity by the North Korean government" - which it refers to as Hidden Cobra - perpetrating an ATM cash-out scheme, which the U.S. government refers to as "FASTCash."
US-CERT's alert - jointly issued with the Department of Homeland Security, Treasury Department and FBI - notes that since 2016, the attack campaign has been targeting institutions in Asia and Africa with malware designed to "remotely compromise payment switch application servers within banks to facilitate fraudulent transactions."
Authorities say the attacks have led to tens of millions of dollars in suspected losses. One 2017 attack alone resulted in attackers simultaneously hitting ATMs in more than 30 countries, while a 2018 attack hit ATMs in 23 countries, the alert said.
"The initial infection vector used to compromise victim networks is unknown; however, analysts surmise Hidden Cobra actors used spear-phishing emails in targeted attacks against bank employees," US-CERT said in its alert. "Hidden Cobra actors likely used Windows-based malware to explore a bank's network to identify the payment switch application server."
ATM Cash-Out Attacks
Symantec says that it's recovered multiple versions of the Fastcash Trojan, each of which appears to have been customized for a different transaction processing network. The samples also contain lists of legitimate primary account numbers, or PANs - the card numbers, most commonly 16 digits but up to 19, printed on debit and credit cards, which encode both the issuer and the account.
US-CERT said in its alert that after reviewing log files recovered from an institution that had been attacked by Hidden Cobra, "analysts believe that the [hackers'] scripts ... inspected inbound financial request messages for specific [PANs]. The scripts generated fraudulent financial response messages only for the request messages that matched the expected PANs. Most accounts used to initiate the transactions had minimal account activity or zero balances."
In other words, malicious code inserted by Hidden Cobra attackers watched for references tied to attacker-controlled accounts, then returned fraudulent information about those accounts in response to queries. For example, the code could pretend that accounts with a zero balance instead had funds available for withdrawal.
"How the attackers gain control of these accounts remains unclear," Symantec says. "It is possible the attackers are opening the accounts themselves and making withdrawal requests with cards issued to those accounts. Another possibility is the attackers are using stolen cards to perform the attacks."
Hackers Exploit Outdated AIX
What is now clear, however, is that the attacks have been carried out against servers running outdated versions of IBM AIX (Advanced Interactive eXecutive), IBM's implementation of the Unix operating system, Symantec says.
"In all reported FASTCash attacks to date, the attackers have compromised banking application servers running unsupported versions of the AIX operating system, beyond the end of their service pack support dates," Symantec says.
One obvious defense is for banks to keep switch servers on supported AIX releases and fully patched. Note, though, that the attack does not depend on any disclosed vulnerability: the implant is injected into an already running, legitimate process once the attackers hold access to the server, so monitoring the integrity of the switch processes and reconciling the switch's approvals against the issuer's own records matter as much as patching.
"In order to permit their fraudulent withdrawals from ATMs, the attackers inject a malicious [AIX] executable into a running, legitimate process on the switch application server of a financial transaction network, in this case a network handling ATM transactions," Symantec says. "The malicious executable contains logic to construct fraudulent ISO 8583 messages," which is the international standard for financial transaction messaging.
"The purpose of this executable has not been previously documented," Symantec says. "It was previously believed that the attackers used scripts to manipulate legitimate software on the server into enabling the fraudulent activity."
How Fastcash Trojan Facilitates ATM Cash-Out Attacks
In other words, attackers do not appear to have been subverting legitimate bank software via scripts, as last month's US-CERT alert suggested. Instead, the attackers have been deploying their own AIX malware, customized for the target environment.
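The mechanics described above - the PAN matching that US-CERT saw in the recovered logs, and the forged ISO 8583 approvals Symantec describes - as an added illustration that is not Symantec's or US-CERT's code and not Trojan.Fastcash: a toy ISO 8583 encoder/decoder for a handful of fields, a simulated compromised switch that answers withdrawal requests for attacker-controlled PANs with a forged 0210 approval without ever consulting the issuer, and a reconciliation check a bank could run that flags any approval the switch emitted for which the issuer's own authorization log has no matching (PAN, STAN) entry. Field numbers follow ISO 8583:1987; the PANs, amounts, balances and terminal ID are constructed test data, and the names `LEDGER`, `fastcash_switch`, `issuer_authorize` and `unbacked_approvals` are chosen here for the example.

```python
"""
ISO 8583 toy: how a FASTCash-style switch implant forges approvals, and one
reconciliation check that catches it. Added example, not Trojan.Fastcash and not
Symantec's or US-CERT's code. Field layout follows ISO 8583:1987 ASCII conventions
for a few fields; all PANs, amounts and balances below are constructed test data.
"""

# Field number -> (encoding, length). "fixed": exactly `length` chars;
# "llvar": two-digit ASCII length prefix followed by up to `length` chars.
FIELDS = {
    2:  ("llvar", 19),   # Primary Account Number
    3:  ("fixed", 6),    # Processing code: 01xxxx = cash withdrawal
    4:  ("fixed", 12),   # Amount in minor units, zero padded
    11: ("fixed", 6),    # Systems Trace Audit Number (STAN)
    39: ("fixed", 2),    # Response code: 00 approved, 51 insufficient funds
    41: ("fixed", 8),    # Card acceptor terminal ID
}


def encode(mti, fields):
    """Serialize MTI + primary bitmap + data elements as an ASCII ISO 8583 message."""
    bitmap, body = 0, ""
    for num in sorted(fields):
        kind, length = FIELDS[num]
        value = str(fields[num])
        if kind == "llvar":
            if len(value) > length:
                raise ValueError(f"field {num} too long")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != length:
                raise ValueError(f"field {num} must be exactly {length} chars")
            body += value
        bitmap |= 1 << (64 - num)          # bit 1 is the most significant bit
    return f"{mti}{bitmap:016X}{body}"


def decode(msg):
    """Parse an ASCII ISO 8583 message carrying a primary bitmap only -> (mti, fields)."""
    mti, bitmap, pos = msg[:4], int(msg[4:20], 16), 20
    if (bitmap >> 63) & 1:
        raise NotImplementedError("secondary bitmap not handled in this toy")
    fields = {}
    for num in range(2, 65):
        if not (bitmap >> (64 - num)) & 1:
            continue
        if num not in FIELDS:
            raise ValueError(f"field {num} not in toy spec")
        kind, length = FIELDS[num]
        if kind == "llvar":
            n = int(msg[pos:pos + 2])
            pos += 2
            fields[num], pos = msg[pos:pos + n], pos + n
        else:
            fields[num], pos = msg[pos:pos + length], pos + length
    return mti, fields


# Constructed issuer ledger (hypothetical): balances in minor units, keyed by PAN.
LEDGER = {"4000123456789010": 50_000, "4000123456789028": 0}


def issuer_authorize(req, issuer_log):
    """Legitimate issuer host: approve only if the balance covers the withdrawal.
    Balance check only (no posting), so repeated calls are deterministic."""
    pan, amount = req[2], int(req[4])
    code = "00" if LEDGER.get(pan, 0) >= amount else "51"
    if code == "00":
        issuer_log.append((pan, req[11]))   # the issuer's own record of what it approved
    resp = dict(req)
    resp[39] = code
    return encode("0210", resp)


def fastcash_switch(req_msg, attacker_pans, issuer_log):
    """Compromised switch (hypothetical): for attacker-controlled PANs, reply to the
    ATM with a forged approval and never consult the issuer; forward everything else.
    Returns (response_message, forwarded_to_issuer)."""
    mti, req = decode(req_msg)
    if mti == "0200" and req.get(3, "").startswith("01") and req[2] in attacker_pans:
        forged = dict(req)
        forged[39] = "00"                  # approved regardless of the real balance
        return encode("0210", forged), False
    return issuer_authorize(req, issuer_log), True


def unbacked_approvals(switch_log, issuer_log):
    """Reconciliation control: every approved 0210 the switch emitted must match a
    (PAN, STAN) the issuer actually authorized; anything else is a forged approval."""
    seen = set(issuer_log)
    flagged = []
    for msg in switch_log:
        mti, f = decode(msg)
        if mti == "0210" and f.get(39) == "00" and (f[2], f[11]) not in seen:
            flagged.append((f[2], f[11], int(f[4])))
    return flagged


def demo():
    """Two withdrawals: one real customer, one zero-balance mule account."""
    attacker_pans = {"4000123456789028"}
    issuer_log, switch_log = [], []
    requests = [
        encode("0200", {2: "4000123456789010", 3: "010000", 4: "000000020000",
                        11: "000101", 41: "ATM00017"}),
        encode("0200", {2: "4000123456789028", 3: "010000", 4: "000000500000",
                        11: "000102", 41: "ATM00017"}),
    ]
    for r in requests:
        resp, _forwarded = fastcash_switch(r, attacker_pans, issuer_log)
        switch_log.append(resp)
    return unbacked_approvals(switch_log, issuer_log)


if __name__ == "__main__":
    print(demo())
```

The point of `unbacked_approvals` is the detection angle US-CERT's observation hands you: the mule accounts had minimal or zero balances, so the genuine issuer would have declined them. An approval that left the switch with no corresponding authorization in the issuer's log is therefore the tell, and it can be checked from the two sides' transaction logs after the fact even when the implant itself goes unnoticed on the AIX host.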
"FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks," Symantec says. "Lazarus continues to pose a serious threat to the financial sector and organizations should take all necessary steps to ensure that their payment systems are fully up to date and secured."
North Korea Hacks
Security experts say the government of North Korea continues to invest in hacking to help it raise funds to offset crippling international sanctions imposed over its weapons development and testing programs (see: Report: North Korea Seeks Bitcoins to Bypass Sanctions).
Lazarus has previously been tied to a number of cybercrime and cyber espionage attacks, including the wiper malware attack against Sony Pictures Entertainment in 2014; the 2016 attempted theft of nearly $1 billion from Bangladesh Bank's account at the Federal Reserve Bank of New York, of which $81 million was stolen; the WannaCry ransomware outbreak in May 2017; and the use of cryptocurrency mining malware named Adylkuzz to attack the same Windows Server Message Block (SMB) flaw that WannaCry also targeted.
Lazarus has also continued to steal cryptocurrency via phishing attacks as well as directly hacking cryptocurrency exchanges, according to Moscow-based security firm Group-IB.
But Lazarus is just one of what appear to be a number of different North Korea-sponsored hacking groups, all of which share malware development resources (see: Cybercrime Groups and Nation-State Attackers Blur Together).
Last month, cybersecurity firm FireEye said that it had tracked a number of attacks perpetrated by APT38, a North Korean hacking group separate from Lazarus (see: North Korean Hackers Tied to $100 Million in SWIFT Fraud).
"Since at least 2014, APT38 has conducted operations in more than 16 organizations in at least 11 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources," FireEye researchers said.