Anatomy of an Attack: CARBANAK

RSA Incident Response and Discovery Practice (RSA IR) analysts spend a significant amount of time researching, hunting, and responding to advanced persistent actors. A customer engagement in early-to-mid 2017 is an excellent example of a unique case in which RSA IR successfully responded to an intrusion perpetrated by the threat actor group CARBANAK, also known as FIN7. The CARBANAK actions illustrated in this post and the associated paper were observed at other RSA clients as recently as November 2017, and the methods and intelligence supplied by these publications have been used successfully to detect and track attacker activity.

Several intrusions associated with the CARBANAK actors have been reported within the last year, describing compromises of organizations in the banking, financial, hospitality, and restaurant verticals. All of them describe a broadly similar progression, with only slight deviation in specific attacker actions. The intelligence surrounding recent CARBANAK incidents indicates that phishing has been the group’s primary method of initial compromise. After gaining access to a user system, the attackers move laterally throughout the environment, conduct internal reconnaissance, establish staging points and internal network paths, harvest credentials, and move towards their intended target. This intrusion, however, began with a significantly higher level of privilege: exploitation of the Apache Struts vulnerability CVE-2017-5638 allowed the attackers to quickly gain administrative access within the client’s Linux environment. This intrusion presented substantial challenges due to:

This is a Security Bloggers Network syndicated blog from RSA Blog authored by Jack Wesley Riley. Read the original post at: http://www.rsa.com/en-us/blog/2017-12/anatomy-of-an-attack-carbanak.html