A cybercriminal group known for targeting financial institutions has managed to steal almost $1 million from a large Russian bank after hacking into a router at one of its regional branches.
The group, known in the security industry as MoneyTaker, has been operating since at least 2016 and has targeted banks from the United States, U.K. and Russia. The group uses advanced techniques such as setting up new infrastructure for every attack, lurking inside networks for months before striking and using “fileless” malware techniques and tools such as Metasploit and the PowerShell Empire framework to remain undetected.
In the group’s latest attack, which was investigated by researchers from cybercrime intelligence firm Group-IB, the hackers compromised a router from a branch of Russian bank PIR Bank, then used the network tunnels configured in the device to access and move laterally through the bank’s main network.
This technique is characteristic of MoneyTaker and has been used in at least three attacks against banks with regional branch networks, Group-IB said in a report shared via email. While in the PIR Bank’s main network, the hackers managed to gain access to the Automated Work Station Client of the Russian Central Bank (AWS CBR) and initiated rogue payment orders.
The money was sent to accounts set up at 17 other banks and was immediately cashed out by money mules at ATMs. By the time PIR Bank's employees discovered the rogue transfers and notified the Central Bank, it was already too late to reverse the transfers.
After executing the attack, the hackers deleted OS logs from workstations and servers to hinder forensic investigation but left behind some reverse shells so they could regain access to the network at a later time if needed.
“It is evident that MoneyTaker is one of the top threats to banks all over the world,” Group-IB said. “Since the entry point in most successful attacks conducted by this group was routers, it is first necessary to check if you have the up-to-date firmware, test systems for brute-force vulnerabilities and detect changes in router configuration in a timely manner.”
Routers increasingly are targeted by hackers and, as shown by this incident, they can serve as launch pads for further attacks against local systems. Since routers don’t typically have security software running on them, discovering that they’ve been compromised can take a very long time, giving attackers a persistent foothold into local networks.
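One practical way to act on Group-IB's advice to "detect changes in router configuration in a timely manner" is to snapshot the running configuration on a schedule, hash and diff it against a known-good baseline, and raise a higher-severity alert when the change adds a tunnel, port forward, user or remote-management listener (the kind of change that let MoneyTaker pivot through branch routers). The script below is an added example and is not code from Group-IB or the original article; the config syntax, keyword list and sample snapshots are constructed for illustration and do not correspond to any particular vendor. How the config is pulled (SSH, SNMP, a vendor API) is left to the operator.

```python
"""Baseline-and-diff monitoring of router configuration (added example).

Snapshot the running config periodically, normalize it, hash and diff it
against the last known-good baseline, and flag changes. Volatile lines
(uptime, timestamps) are dropped so they do not trigger false alerts.
The config format and keywords here are constructed, not vendor-specific.
"""
import difflib
import hashlib
import re

# Assumed: lines that legitimately change between pulls and must be ignored.
VOLATILE = re.compile(r"^(uptime|last-modified|clock)\b", re.IGNORECASE)

# Assumed keyword list: additions or removals touching these deserve a
# higher severity because they create a foothold or a path into the network.
HIGH_RISK = re.compile(
    r"\b(tunnel|vpn|port-forward|nat\s+dst|user\s+add|remote-management|telnet)\b",
    re.IGNORECASE,
)


def normalize(config_text: str) -> list[str]:
    """Strip whitespace and volatile lines so only meaningful content is compared."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or VOLATILE.match(line):
            continue
        lines.append(line)
    return lines


def fingerprint(config_text: str) -> str:
    """Stable SHA-256 of the normalized config; store this as the baseline."""
    canonical = "\n".join(normalize(config_text)).encode()
    return hashlib.sha256(canonical).hexdigest()


def diff_config(baseline: str, current: str) -> dict:
    """Return added/removed lines and the subset that matches HIGH_RISK."""
    old, new = normalize(baseline), normalize(current)
    added, removed = [], []
    # n=0 suppresses context lines; only +/- lines and headers are emitted.
    for line in difflib.unified_diff(old, new, lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    high_risk = [l for l in added + removed if HIGH_RISK.search(l)]
    return {
        "changed": fingerprint(baseline) != fingerprint(current),
        "added": added,
        "removed": removed,
        "high_risk": high_risk,
    }


# Constructed sample snapshots (not real device output). The second one has a
# new GRE tunnel and a new privileged user, the pattern described in the article.
BASELINE = """\
hostname branch-rtr-07
uptime 12 days 03:14:55
interface wan0 ip 203.0.113.10/24
interface lan0 ip 10.7.0.1/24
user add admin privilege 15
"""

CURRENT = """\
hostname branch-rtr-07
uptime 12 days 09:41:02
interface wan0 ip 203.0.113.10/24
interface lan0 ip 10.7.0.1/24
user add admin privilege 15
tunnel gre1 remote 198.51.100.44 local 203.0.113.10
user add svc_backup privilege 15
"""

if __name__ == "__main__":
    report = diff_config(BASELINE, CURRENT)
    print("changed:", report["changed"])
    for line in report["high_risk"]:
        print("HIGH RISK:", line)
```

Keeping the baseline fingerprint off the router itself (for instance in the SIEM or a config-management repository) matters: an attacker who controls the device can rewrite whatever baseline is stored on it, and the article notes this group also wipes OS logs after the fact.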
The sophisticated VPNFilter malware, which has infected more than 500,000 routers around the world and is believed to be the work of a Russian state-sponsored cyberespionage group, targets small-business router models from many manufacturers. The malware was recently used to launch an attack against a chlorine plant in Ukraine.
Renewed Wave of Attacks Targets D-Link and Dasan Routers
A new wave of attacks has hit home and small business routers made by D-Link and Dasan, driven by hackers' growing interest in recruiting routers into IoT botnets.
Cybersecurity firm eSentire observed exploit attempts against D-Link 2750B and Dasan GPON routers coming from more than 3,000 different source IP addresses on July 19. The attackers used a Python script to exploit known command injection and remote code execution flaws in older D-Link 2750B firmware, as well as critical vulnerabilities in GPON routers made by Dasan Networks that were publicly disclosed in May.
“A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,” the eSentire researchers said in a blog post. “Botnets built using compromised routers may eventually be offered as a service to other threat actors, used for extorting DDoS victims among other uses.”
Also this week, a hacker managed to build a botnet of over 18,000 devices in a single day by exploiting a vulnerability in Huawei HG532 routers. The flaw, tracked as CVE-2017-17215, has been known and patched since 2017, but the fact that there are still so many vulnerable routers out there after all this time shows why IoT botnets are a growing threat.