The Anti-virus Times

Tuesday, January 17, 2017

Regular Anti-virus Times readers must have already noticed that most of our anti-malware security recommendations are quite simple:

• Keep your anti-virus up to date;
• Don't work under accounts with elevated privileges;
• Install security updates;
• Don’t mindlessly click on links;
• Back up important information.

There are no secrets here; our advice is obvious and logical. Why then is the media so full of news stories about hacker attacks and data leaks? It’s because either our recommendations are no good and hackers can easily circumvent them or they don’t provide a sufficient level of security; anyone who wants a high level of protection is going to have to pay more money.

Furthermore, attackers may get help from inside.

documents.exe! Who would be foolish enough to open a file like this?!

The anti-virus had the signature for this malware for quite a while, but it was disabled! On machines where it was up and running, there was no need to use behaviour analysis of any kind—the machines were never infected.

But that's not the end of it. There’s more.

The investigation showed that several employees had launched the files attached to the phishing emails at different times.

That is, no restrictions were in place that could have prevented users from launching or using certain programs.

To find and download various utilities (such as Mimikatz), criminals accessed legitimate sites, such as popular search engines, via the infected hosts.

Apart from the fact that employee machines weren't disconnected from the Internet, staff members also fell for a trick of the criminals who used the infected machines to find the software they needed to continue the attack. Devious hackers who use command prompt, without looking at the screen, and receive the machines' response exclusively by ear… Indeed, who can possibly stop them?

The ATMs weren't connected to a separate network and apparently were also accessible from the Internet, and security experts failed to notice that strangers were trying to break in.

By the way, if you're using Dr.Web and start RAdmin (or any other remote administration software), the anti-virus will warn you that a potentially dangerous program is being launched.

The outcome:

• The PCs of key employees and critical network infrastructure servers, including the terminal server and domain controller, were compromised. In addition, the criminals got hold of virtually all employee passwords, including administrator accounts, so they were able to navigate through the network freely.
• As a result, the equivalent of 36,742 USD was stolen from six ATMs over the course of one night.
• To get cash from the ATMs, they used drops (individuals who were hired for the operation). One of the drops, a Republic of Moldova national, was caught red-handed by law enforcement agencies while he was withdrawing the cash.