The Spanish National Police has arrested the suspected leader of a cybercriminal gang that stole more than €1 billion from financial institutions in more than 40 countries.
The gang has been operating since 2013 and has hit more than 100 financial institutions using several custom-made malware platforms known in the security industry as Anunak, Carbanak and Cobalt. The latter is based on Cobalt Strike, a legitimate penetration testing tool.
The criminals stole up to €10 million per heist by using a variety of techniques including instructing compromised ATMs to dispense cash at predetermined times, abusing the electronic payment networks to transfer money out of the financial organizations and modifying banks’ databases to inflate account balances.
All of this was possible because the gang’s modus operandi involved breaking into the private networks of the targeted institutions and gaining access to their internal systems and processes. The malware was typically distributed to bank employees via spear-phishing emails with malicious attachments and, once installed on computers, helped the attackers move laterally through the networks.
The gang’s suspected leader was arrested in Alicante, Spain, following an investigation conducted by the Spanish National Police with support from Europol; the FBI; the Romanian, Belarussian and Taiwanese authorities; and private cybersecurity companies. The European Banking Federation (EBF) also participated in the exchange of information.
“This global operation is a significant success for international police cooperation against a top-level cybercriminal organisation,” said Steven Wilson, the head of Europol’s European Cybercrime Centre (EC3). “The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top-level cybercriminality.”
It’s worth noting that Carbanak is not the only cybercriminal gang that’s focused on targeting financial institutions directly instead of going after their customers. This type of attack has become increasingly common over the past few years and has even been adopted by state-sponsored actors, such as the Lazarus Group, which is believed to act on behalf of the North Korean government and has stolen money from central banks.
Drupal Users Should Prepare for Highly Critical Patch
Developers of the popular Drupal content management system are urging website administrators to be ready to deploy a patch for a highly critical vulnerability on Wednesday.
The patch will be released March 28 between 6 and 7:30 p.m. UTC and will be made available for Drupal 7.x, 8.3.x, 8.4.x and 8.5.x. The decision to release emergency updates for the 8.3.x and 8.4.x branches, which are no longer supported, is an indication of how severe the issue is.
“The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” the Drupal team said in an announcement last week.
The administrators of websites running Drupal 8.3.x and 8.4.x should make plans to update them to the officially supported 8.5.x version as soon as possible. However, they should not delay deploying the backported patches for this particular vulnerability when they are made available for these older versions on Wednesday.
None of the updates will require a database update, so there aren’t many reasons not to apply them as soon as possible. Drupal is an attractive target for hackers and is constantly targeted in attacks.
Drupal is the third most popular CMS after WordPress and Joomla in terms of market share and is used by many businesses, government agencies and universities. Some high-profile users include the U.S. Department of Energy, the French government, the Mayor of London and Oxford University.