Kaspersky Lab brought together company experts, journalists and business guests from the Middle East, Turkey and Africa for its annual Cyber Security Weekend that took place on April 26-29 in Vienna. The company’sexperts gave an overview of global and regional cyber threats and security trends, discussedthe main threat vectorsaffecting businesses in the region, particularlyorganizations from industrial and financial sectors. Special attention was paid to protection of connected devices used by individuals, businesses and governments as part of smart cities.
“In the first quarter of 2017 we saw threat actors turning their attention to wipers, as well as financial crime. Fileless malware has been used in attacks by both targeted threat actorsand cybercriminals in general – helping them to avoid detection and make forensic investigations harder. At the event we gave an example of the ‘invisible’ attacks used in the ATMitch campaign, which once again proves the importance of proper security solutions, security intelligence and carefully directed incident response,” said Ghareeb Saad, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab.
At the event Kaspersky Lab also announced the renewed Kaspersky Anti Targeted Attack Platform, a solution to detect advanced threats and targeted attacks for enterprises. It blends advanced machine learning algorithms, actionable worldwide threat intelligence and adaptively to customer infrastructure, to help large businesses uncover the most sophisticated and damaging attacks at any stage of their development.
Kaspersky Security Network (KSN) statistics for the first quarter of 2017 were revealed at the conference showing that Algeria had the highest number of users (66.5 percent) affected by local threats (malware spread in local networks, by USBs, CDs, DVDs), followed by Morocco (59 percent), Tunisia (57.9 percent), and Egypt (52.8 percent). In the Middle East, users in Oman (54.6 percent) were the worst affected, followed by those in Saudi Arabia (53.1 percent) and Qatar (49.8 percent).
In January-March 2017, the highest numbers of web threat incidents were reported in the same countries in Africa – Algeria (38.1 percent of KSN users), Tunisia (32.4 percent) and Morocco (26.1 percent), followed by Egypt (23.5 percent). In the Middle East the countries experiencingmost threats were Qatar (29.7 percent), Saudi Arabia (24.2 percent), and the UAE (23.6 percent). South Africa had someof the lowest numbers of affected users in the META region (46.8 percent for local and 12.9 percent for web threats). In Turkey 18.8 percent of KSN users were affected by web threats and 47.1 percent by incidents related to local threats.
The number of ransomware notifications in the region increased 36percent compared to the first quarter of last year, and according to Kaspersky Lab experts will continue to grow due to the increased availability in the cybercriminal ecosystem of ransomware as a service. Kaspersky Security Network registered over two times more banking Trojans (121 percent increase) than it did in the same period of 2016, while the amount of mobile infection attempts stopped by Kaspersky Lab’s products increased 1.5 times.
ShehabNajjar, Head of Cyber Counter Terrorism Unit, CYBERPOL, who was a special guest at the event and gave a keynote presentation, commented: “Legislation on cybercrime is still being developed globally and in META. At the same time, with the advance of information technologies there appear more threat vectors both for home users and organizations. For that reason, raising cybersecurity awareness by giving overviews and advice, such as that given at Kaspersky Cyber Security Weekend, plays an important part in securing the Internet.”
Experts reconstruct ATMitch case
One day bank employees discovered an empty ATM: there was no money, no traces of physical interaction with the machine, and no malware. After Kaspersky Lab experts spent time unwinding this mysterious case, they were able to not only understand the cybercriminal tools used in the robbery, but also reproduce the attack themselves, discovering a security breach at the bank.
In February 2017 Kaspersky Lab published the investigation into mysterious fileless attacks against banks: criminals were using in-memory malware to infect banking networks. But why were they doing this? The ATMitch case has given us the whole picture.
“Kaspersky Lab has registered that attacks hit more than 140 enterprise networks in a range of business sectors. In total, infections have been registered in 40 countries, including in the META region: in Turkey, Saudi Arabia, Iran, Libya, Pakistan, Tunisia, Morocco, Egypt, Kenya, Uganda, Congo, Tanzania. ATMich cases were reported in just two countries up to now, but the attackers might still be active.
We advise organizations to check their systems, keeping in mind that detection of such an attack is possible only in RAM, the network and registry – and that, in such instances, the use of Yara rules based on a scan of malicious files are of no use. To prevent such attacks comprehensive security software is advised. Kaspersky Lab products successfully detect operations using tactics of this kind”, said Amin Hasbini, Senior Security Researcher at Kaspersky Lab.
The investigation started after the bank’s forensics specialists recovered and shared two files containing malware logs from the ATM’s hard drive (kl.txt and logfile.txt) with Kaspersky Lab. These were the only files left after the attack: it was not possible to recover the malicious executables because after the robbery cybercriminals had wiped the malware. But even this tiny amount of data can be enough for Kaspersky Lab to run a successful investigation.
Erase / rewind
Within the log files, Kaspersky Lab experts were able to identify pieces of information in plaintext that helped them to create a YARA rule for public malware repositories and to find a sample. YARA rules-basically search strings-help analysts to find, group, and categorize related malware samples and draw connections between them based on patterns of suspicious activity on systems or networks that share similarities.
After a day of waiting, experts found a wanted malware sample – “tv.dll”, or ‘ATMitch’ as it was later dubbed. It was spotted in the wild twice: once from Kazakhstan, and once from Russia.
This malware is remotely installed and executed on an ATM from within the target bank: through the remote administration of ATM machines. After it’s installed and connected to the ATM, the ATMitch malware communicates with the ATM as if it is legitimate software. It makes it possible for attackers to conduct a list of commands – such as collecting information about the number of banknotes in the ATM’s cassettes. What’s more; it provides criminals with the ability to dispense money at any time, at the touch of a button.
Usually criminals start by getting information on the amount of money a dispenser has. After that, a criminal can send a command to dispense any number of banknotes from any cassette. After withdrawing money in this curious way, criminals only need to grab the money and go. An ATM robbery like this takes just seconds! Once an ATM is robbed, the malware deletes its traces.
It is still not known who is behind the attacks. The use of open source exploit code, common Windows utilities and unknown domains during the first stage of the operation makes it almost impossible to determine the group responsible. However, “tv.dll”, used in the ATM stage of the attack contains a Russian language resource, and known groups that could fit into this profile are GCMAN and Carbanak.
“Combating these kinds of attacks requires a specific set of skills from the security specialist guarding the targeted organization.The successful breach and infiltration of data from a network can only be conducted with common and legitimate tools; after the attack, criminals may wipe all the data that could lead to their detection leaving no traces, nothing.
To address these issues, memory forensics is becoming critical to the analysis of malware and its functions.And as our case proves, a carefully directed incident response can help solve even the perfectly prepared cybercrime,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
Kaspersky Lab products successfully detect operations using the above tactics, techniques and procedures. Further information on this story and Yara rules for forensic analysis of the fileless attacks can be found in the two blogs on Securelist.com: first and second. Technical details, including Indicators of Compromise were also provided to customers of Kaspersky Intelligence Services.