U.S. Links North Korean Government to ATM Hacks
4.10.2018 securityweek
BigBrothers

U.S. Shares Details on North Korea’s ATM Cash-out Scheme

The United States Department of Homeland Security (DHS), Department of the Treasury (Treasury), and Federal Bureau of Investigation (FBI) this week released a joint technical alert to share information on an Automated Teller Machine (ATM) cash-out scheme attributed to the North Korean government.

The financially-motivated malicious campaign was attributed to the North Korea-linked threat actor the U.S. government refers to as Hidden Cobra, but which is better known in the infosec community as the Lazarus Group.

Considered the most serious threat to banks, the actor is believed to have orchestrated the $81 million heist from the Bangladesh bank. This year, the group was said to have been involved in numerous attacks against financial institutions and banks and to have also shown interest in crypto-currencies.

Last year, the U.S. started sharing details on the activity associated with Hidden Cobra, including information on the tools the actor employs in attacks, including malware such as Typeframe, Joanap and Brambul, Fallchil, and others. In September, U.S. authorities charged a North Korean national over his alleged involvement with Lazarus.

The most recent alert issued by the U.S. government on Hidden Cobra details FASTCash, a set of tactics the group has been using since at least 2016 to target banks in Africa and Asia and maintain presence on the victims’ networks for further exploitation.

As part of the FASTCash schemes, hackers remotely compromise payment switch application servers within banks to perform fraudulent transactions. The use of these tactics was highly successful and the group is expected to continue using them to target retail payment systems vulnerable to remote exploitation.

“According to a trusted partner’s estimation, HIDDEN COBRA actors have stolen tens of millions of dollars. In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries,” the joint alert reads.

The actor allegedly configured and deployed legitimate scripts on compromised servers to intercept legitimate financial requests and reply to them with fraudulent responses. The group leveraged knowledge of the standard for financial transaction messaging and other tactics to exploit the targeted systems.

The deployed scripts apparently inspected inbound financial request messages for specific primary account numbers (PANs) and could generate fraudulent responses only for the requests that matched the expected PANs.

While the initial infection vector hasn’t been identified, Lazarus is known for the use of spear-phishing emails in targeted attacks against bank employees and might have employed Windows-based malware “to explore a bank’s network to identify the payment switch application server.” Lateral movement was likely performed leveraging legitimate credentials.

Alongside the joint alert, the DHS also published a malware analysis report (MAR-10201537) to provide details on the malware Hidden Cobra used as part of the FASTCash attacks. Of a total of 10 files submitted for analysis, four were found to be malicious, 2 were command-line utility applications, 3 were apps offering export functions and methods to interact with financial systems, and 1 was a log file.

The identified malicious programs include Trojans and various backdoors that could retrieve system information, find and manipulate files, execute and terminate processes, download and upload files, and execute commands. In addition to Windows, the Trojans targeted IBM’s Advanced Interactive Executive (AIX) platform, which was running on the compromised payment switch application servers.

The FASTCash scheme only appears to have targeted banks in Africa and Asia, with no incidents observed in the U.S.