In 2017 and 2018, Kaspersky Lab experts participated in the preparation of the immediate response to a series of cyber robberies that targeted financial organizations in Eastern Europe. The researchers found that, in each case, they had gone into the company's network through an unknown device, controlled by attackers, hidden in a company building and connected to the network. So far, at least eight of the region's banks have been attacked, with estimated losses being in the tens of millions of dollars.
The attackers used three types of devices: a laptop, a Raspberry PI (a miniature computer, the size of a credit card) or a Bash Bunny (a tool created especially for USB attacks) equipped with a GPRS modem, 3G - or LTE. This allowed the attackers to penetrate remotely from the network of the financial organization.
Once the connection was established, cybercriminals attempted to gain access to web servers to steal data they needed to run an RDP (remote access protocol) and then get money or data. This fileless attack method included the use of Impacket, winexesvc.exe, or psexec.exe for remote access. In the final stage, the attackers used the remote control software to maintain access to the infected computer.
Sergey Golovanov, security expert at Kaspersky Lab, said:
"Over the past year and a half, we have noticed a completely new type of attack on banks, very complex in terms of detection. The point of entry into the company's network has remained unknown for a long time since it could be located in any office in any region. These unknown hidden devices could not be found remotely. In addition, the attacker used legitimate tools, which complicated even more the response to the incident."
In order to protect ourselves against this unique method of digital robbery, we recommend financial institutions:
- Pay close attention to monitoring connected devices and accessing the organization's network - using a solution such as Kaspersky Endpoint Security for business.
- Eliminate security vulnerabilities, including those relating to network misconfiguration, a service like Kaspersky Penetration Testing Service , which including recommendations on how to solve the problems detected.
- Use a specialized solution against complex threats that can detect all kinds of suspected network abnormalities and activities, similar to Kaspersky Anti Targeted Attack.