Your browser is obsolete!

The page may not load correctly.

The price tag

Ценник

Other issues in this category (11)
  • add to favourites
    Add to Bookmarks

Anti-virus pro forma

Read: 1683 Comments: 16 Rating: 42

Regular Anti-virus Times readers must have already noticed that most of our anti-malware security recommendations are quite simple:

  • Keep your anti-virus up to date;
  • Don't work under accounts with elevated privileges;
  • Install security updates;
  • Don’t mindlessly click on links;
  • Back up important information.

There are no secrets here; our advice is obvious and logical. Why then is the media so full of news stories about hacker attacks and data leaks? It’s because either our recommendations are no good and hackers can easily circumvent them or they don’t provide a sufficient level of security; anyone who wants a high level of protection is going to have to pay more money.

Furthermore, attackers may get help from inside.

#drweb

#drweb

The initial infection occurred because the anti-virus on an employee's PC was either disabled or was using outdated virus definitions, allowing malware from a phishing email containing documents.exe to be launched.

Please note that the anti-virus software had detected the malicious attachments as well as the attackers' activities in the compromised systems—long before any money was stolen. Among all the other things detected was suspicious behaviour on the part of the legitimate program Ammyy Admin. In some cases infection was prevented by the anti-virus software.

https://www.ptsecurity.com/upload/ptru/analytics/Cobalt-Snatch-rus.pdf

documents.exe! Who would be foolish enough to open a file like this?!

The anti-virus had the signature for this malware for quite a while, but it was disabled! On machines where it was up and running, there was no need to use behaviour analysis of any kind—the machines were never infected.

But that's not the end of it. There’s more.

The investigation showed that several employees had launched the files attached to the phishing emails at different times.

That is, no restrictions were in place that could have prevented users from launching or using certain programs.

To find and download various utilities (such as Mimikatz), criminals accessed legitimate sites, such as popular search engines, via the infected hosts.

Apart from the fact that employee machines weren't disconnected from the Internet, staff members also fell for a trick of the criminals who used the infected machines to find the software they needed to continue the attack. Devious hackers who use command prompt, without looking at the screen, and receive the machines' response exclusively by ear… Indeed, who can possibly stop them?

The absence of network segmentation and excessive privileges for user accounts (the compromised user account was listed as a local administrator on all the machines in the network) were the key factors that contributed to the rapid development of the attack vector. The criminals were able to continue the attack easily because they didn't have to resort to additional exploits to elevate their privileges or look for ways to seize control.

They used sendspace.com to download additional files.

An analysis of the software’s security logs confirmed that the compromised computers were engaged in network activities, including connecting to ATMs with RAdmin. The administrators of the attacked bank’s network routinely use this software to remotely control network nodes including the bank’s ATMs.

The ATMs weren't connected to a separate network and apparently were also accessible from the Internet, and security experts failed to notice that strangers were trying to break in.

By the way, if you're using Dr.Web and start RAdmin (or any other remote administration software), the anti-virus will warn you that a potentially dangerous program is being launched.

The outcome:

  • The PCs of key employees and critical network infrastructure servers, including the terminal server and domain controller, were compromised. In addition, the criminals got hold of virtually all employee passwords, including administrator accounts, so they were able to navigate through the network freely.
  • As a result, the equivalent of 36,742 USD was stolen from six ATMs over the course of one night.
  • To get cash from the ATMs, they used drops (individuals who were hired for the operation). One of the drops, a Republic of Moldova national, was caught red-handed by law enforcement agencies while he was withdrawing the cash.
#anti_virus #security #hacking #cyber_crime

Dr.Web recommends

Many people are so confident in their abilities that they see no reason to use anti-virus software or they disable it regularly because it seemingly affects system performance; and, at the same time, they continue to use an account with administrative privileges. Sooner or later a day of reckoning comes.

And it’s not the recommendations that cause problems, but people who believe that using an anti-virus is a mere formality.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.

[Twitter]

Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments