Hack, loot, pivot, and pwn

Cybercrooks are starting to use the compromised infrastructure of some eastern European banks as a springboard to launch cyber-attacks against other financial institutions, according to a new study by Moscow-based computer security consultancy Group-IB.

In one real-world example from autumn last year, cybercrime group Cobalt allegedly sent out phishing emails targeting Russian banks, successfully infecting a number of banks in the process.

Cybercriminals then used the infrastructure of one of the affected banks to carry out another phishing campaign, which was sent out to the list of contacts they obtained through the hack.

Sending out phishing emails using a legitimate bank’s infrastructure increases the likelihood of targets in other financial institutions opening a malicious attachment.

This tactic worked like a charm, Valery Baulin, head of the digital forensics lab at Group-IB, told The Daily Swig.

“Another bank in Kazakhstan was infected after cybercriminals’ second phishing campaign,” he explained. “The attack did not end there: hackers repeated the scheme using the infrastructure of the Kazakhstani bank and managed to infect a bank in Georgia.”

Rinse and repeat

The incident is far from a one-off. According to Group-IB, cybercriminals use such cross-border, domino-effect cyberattacks as a tactic during campaigns mainly geared towards looting funds from compromised financial institutions.

“Some of the groups sell access to the compromised bank to other hackers once they have successfully stolen the funds,” Baulin said.

An analysis of responses to information security incidents carried out by the Group-IB incident response team last year found that 29% of banks were actively infected with malware. In the majority of cases (52%), traces of past attacks were detected on the infrastructure of financial institutions.

Banks were the targets of about 70% of hacker activity reported in incident response cases handled by Group-IB last year.

Attackers are still using tried and tested cashing-out schemes to siphon off money once they have successfully compromised a bank network. The stolen funds are withdrawn using payment cards pre-opened in a targeted bank, dummy law firm accounts, payment systems, and SIM cards.

The speed at which cash-out operations can be carried out in Russia has increased.

A cash out of $3 million took on average about 25-30 hours three years ago – in 2018 the same amount could be successfully cleared in less than 15 minutes at a time across different Russian cities, according to Group-IB.

More generally, at least 17% of companies (where incident response was carried out) have been targeted through unaddressed vulnerabilities within a year since the last infection, the security consultancy said.

The investigation shows that, like conventional burglars, cybercrooks often return to the scene of a successful cyber-heist for a “second helping” – a tactic that emphasizes the importance of promptly remediating security problems.
