A joint technical alert from the DHS, the FBI, and Treasury has been released by US-CERT warning about a new ATM scheme being used by the North Korean APT hacking group called the Hidden Cobra.
Hidden Cobra which is also known as Lazarus Group and Guardians of Peace, is believed to be supported by the North Korean government. They have earlier carried out various attacks against numerous media organizations, aerospace, financial and critical infrastructure sectors across the world.
The group had been associated with the WannaCry ransomware threat which resulted in the shutting down of hospitals and large businesses worldwide in 2017, the SWIFT Banking attack in 2016, and also the Sony Pictures hack in 2014.
The FBI, the Department of Homeland Security (DHS), and the Department of the Treasury have released details about a new cyber-attack which the Hidden Cobra has been using since at least 2016 to steal cash from ATMs by compromising the bank server. This attack has been dubbed as FASTCash.
FASTCash Hack Fools ATMs into Spitting Out Cash
The investigators examined 10 malware samples associated with FASTCash cyber-attacks and discovered that the hackers remotely hacked the payment “switch application servers” within the targeted banks to carry out fraudulent transactions.
Switch application server is an important part of ATMs and Point-of-Sale infrastructures that communicates with the core banking system to validate user’s bank account details for any transaction.
When a customer uses their credit/debit cards in an ATM or a PoS machine in a shop, the software asks the bank’s switch application server to validate the transaction. This in turn accept or decline the transaction depending upon the available amount in your bank account.
But the Hidden Cobra attackers managed to compromise the switch application servers at different banks, where they had accounts (and their payment cards) with minimal activity or zero balances.
After compromising the switch application servers, the malware interrupts the transaction request associated with the attackers’ payment cards and responds with fake but seems to look like a legal response. They do not actually validate their available balance with the core banking systems, ultimately tricking the ATMs to give out a huge amount of cash without even notifying the bank.
As per the report the HIDDEN COBRA hackers have stolen tens of millions of dollars already. The team is using the FASTCash scheme to target banks in Africa and Asia, though the U.S. authorities are still investigating the FASTCash incidents to confirm whether the attack targets banks in the United States.
How Attackers Compromised the Banks’ Switch Application Servers
Even though it is unclear what has been used initially to compromise Bank networks, the U.S. authorities believe that the hackers used spear-phishing emails, containing malicious Windows executable, against employees in different banks.
When these are opened the executable infect bank employees’ computers with Windows-based malware, permitting the hackers to move through a bank’s network using legitimate credentials and deploy malware onto the payment switch application server.
Most of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions, still the investigators were not able to find any evidence that the attackers exploited any vulnerability in AIX operating system.
US-CERT advises banks to make two-factor authentication mandatory before any user can access the switch application server, and use best practices to protect their networks.
They have also provided a downloadable copy of IOCs (indicators of compromise), to help you block them and enable network defenses to reduce exposure to any malicious cyber activity by the Hidden Cobra hacking group.
In May 2018, the US-CERT also published an advisory alerting the users about two different malwares lined to Hidden Cobra—Remote Access Trojan (RAT) known as Joanap and Server Message Block (SMB) worm called Brambul.