Skip to main content

BANK SERVERS HACKED TO TRICK ATMs INTO SPITTING OUT MILLIONS IN CASH. Automated Publishing Via Osuta Yusuf Robot Trigger. The US-CERT has released a joint technical alert from the DHS, the FBI, and Treasury warning about a new ATM scheme being used by the prolific North Korean APT hacking group known as Hidden Cobra. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and has previously launched attacks against a number of media organizations, aerospace, financial and critical infrastructure sectors across the world. The group had also reportedly been associated with the WannaCry ransomware menace that last year shutdown hospitals and big businesses worldwide, the SWIFT Banking attack in 2016, as well as the Sony Pictures hack in 2014. Now, the FBI, the Department of Homeland Security (DHS), and the Department of the Treasury have released details about a new cyber attack, dubbed "FASTCash," that Hidden Cobra has been using since at least 2016 to cash out ATMs by compromising the bank server. FASTCash Hack Fools ATMs into Spitting Out Cash The investigators analyzed 10 malware samples associated with FASTCash cyber attacks and found that attackers remotely compromise payment "switch application servers" within the targeted banks to facilitate fraudulent transactions. Switch application server is an essential component of ATMs and Point-of-Sale infrastructures that communicates with the core banking system to validate user's bank account details for a requested transaction. Whenever you use your payment card in an ATM or a PoS machine in a retailer shop, the software asks (in ISO 8583 messages formats) the bank's switch application server to validate the transaction—accept or decline, depending upon the available amount in your bank account. However, Hidden Cobra attackers managed to compromise the switch application servers at different banks, where they had accounts (and their payment cards) with minimal activity or zero balances. The malware installed on the compromised switch application servers then intercepts transaction request associated with the attackers’ payment cards and responds with fake but legitimate-looking affirmative response without actually validating their available balance with the core banking systems, eventually fooling ATMs to spit out a large number of cash without even notifying the bank. "According to a trusted partner's estimation, HIDDEN COBRA actors have stolen tens of millions of dollars," the reports says. "In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries." Hidden Cobra threat actors are using the FASTCash scheme to target banks in Africa and Asia, though the U.S. authorities are still investigating the FASTCash incidents to confirm whether the attack targets banks in the United States. How Attackers Managed to Compromise Banks’ Switch Application Servers Though the initial infection vector used to compromise Bank networks is unknown, the U.S. authorities believe that the APT threat actors used spear-phishing emails, containing malicious Windows executable, against employees in different banks. Once opened, the executable infected bank employees' computers with Windows-based malware, allowing hackers to move laterally through a bank’s network using legitimate credentials and deploy malware onto the payment switch application server. Though most compromised switch application servers were found running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions, investigators found no evidence that attackers exploited any vulnerability in AIX operating system. US-CERT recommended banks to make two-factor authentication mandatory before any user can access the switch application server, and use best practices to protect their networks. US-CERT has also provided a downloadable copy of IOCs (indicators of compromise), to help you block them and enable network defenses to reduce exposure to any malicious cyber activity by the Hidden Cobra hacking group. In May 2018, the US-CERT also published an advisory alerting users of two different malware —Remote Access Trojan (RAT) known as Joanapand Server Message Block (SMB) worm called Brambul—linked to Hidden Cobra. Last year, the DHS and the FBI also issued an alert describing Hidden Cobra malware Delta Charlie —a DDoS tool that they believed North Korea uses to launch distributed denial-of-service attacks against its targets. Other malware linked to Hidden Cobra in the past includes Destover, Wild Positron or Duuzer, and Hangman with sophisticated capabilities, like DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.

Automated Publishing Via Osuta Yusuf Robot Trigger.

The US-CERT has released a joint technical alert from the DHS, the FBI, and Treasury warning about a new ATM scheme being used by the prolific North Korean APT hacking group known as Hidden Cobra.

Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and has previously launched attacks against a number of media organizations, aerospace, financial and critical infrastructure sectors across the world.

The group had also reportedly been associated with the WannaCry ransomware menace that last year shutdown hospitals and big businesses worldwide, the SWIFT Banking attack in 2016, as well as the Sony Pictures hack in 2014.

Now, the FBI, the Department of Homeland Security (DHS), and the Department of the Treasury have released details about a new cyber attack, dubbed "FASTCash," that Hidden Cobra has been using since at least 2016 to cash out ATMs by compromising the bank server.

FASTCash Hack Fools ATMs into Spitting Out Cash

The investigators analyzed 10 malware samples associated with FASTCash cyber attacks and found that attackers remotely compromise payment "switch application servers" within the targeted banks to facilitate fraudulent transactions.

Switch application server is an essential component of ATMs and Point-of-Sale infrastructures that communicates with the core banking system to validate user's bank account details for a requested transaction.

Whenever you use your payment card in an ATM or a PoS machine in a retailer shop, the software asks (in ISO 8583 messages formats) the bank's switch application server to validate the transaction—accept or decline, depending upon the available amount in your bank account.

However, Hidden Cobra attackers managed to compromise the switch application servers at different banks, where they had accounts (and their payment cards) with minimal activity or zero balances.

The malware installed on the compromised switch application servers then intercepts transaction request associated with the attackers’ payment cards and responds with fake but legitimate-looking affirmative response without actually validating their available balance with the core banking systems, eventually fooling ATMs to spit out a large number of cash without even notifying the bank.

"According to a trusted partner's estimation, HIDDEN COBRA actors have stolen tens of millions of dollars," the reports says.

"In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries."

Hidden Cobra threat actors are using the FASTCash scheme to target banks in Africa and Asia, though the U.S. authorities are still investigating the FASTCash incidents to confirm whether the attack targets banks in the United States.

How Attackers Managed to Compromise Banks’ Switch Application Servers

Though the initial infection vector used to compromise Bank networks is unknown, the U.S. authorities believe that the APT threat actors used spear-phishing emails, containing malicious Windows executable, against employees in different banks.

Once opened, the executable infected bank employees' computers with Windows-based malware, allowing hackers to move laterally through a bank’s network using legitimate credentials and deploy malware onto the payment switch application server.

Though most compromised switch application servers were found running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions, investigators found no evidence that attackers exploited any vulnerability in AIX operating system.

US-CERT recommended banks to make two-factor authentication mandatory before any user can access the switch application server, and use best practices to protect their networks.

US-CERT has also provided a downloadable copy of IOCs (indicators of compromise), to help you block them and enable network defenses to reduce exposure to any malicious cyber activity by the Hidden Cobra hacking group.

In May 2018, the US-CERT also published an advisory alerting users of two different malware —Remote Access Trojan (RAT) known as Joanapand Server Message Block (SMB) worm called Brambul—linked to Hidden Cobra.

Last year, the DHS and the FBI also issued an alert describing Hidden Cobra malware Delta Charlie —a DDoS tool that they believed North Korea uses to launch distributed denial-of-service attacks against its targets.

Other malware linked to Hidden Cobra in the past includes Destover, Wild Positron or Duuzer, and Hangman with sophisticated capabilities, like DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.