Recent research from Kaspersky has revealed a massive criminal campaign that was able to infiltrate more than 100 different banks and steal upwards of $1 billion from the affected institutions. Kaspersky dubbed this operation the Carbanak APT due to a connection between the malware used in the attacks and the now infamous Carberp banking botnet. You may recall the headlines in 2013 that revealed the Carberp source code had been leaked into the wild, making it accessible to virtually any would-be criminal group that may want it. The accessibility of Carberp source code could easily have provided a starting point for the Carbanak as they built their malware.
However, while Carberp and Carbanak may share a common lineage and both targeted the banking sector, it is readily evident that these are very different animals. While Carberp was a banking botnet that stole money from banking customers using Man-in-the-Browser (MitB) techniques, Carbanak is a full-fledged APT campaign focused on infiltrating the banks themselves and stealing money directly from the bank, not its customers. The Carbanak attackers were both clever enough to remain hidden in the network and patient enough to learn precisely how to steal money based on the inner workings of the targeted bank.
Watch this video to learn more about how the Vectra Networks X-series platform can instantly detect targeted cyber attacks in progress to prevent or mitigate loss.
There are a variety of interesting lessons to be gleaned from this operation and I have written a short article in SecurityWeek on a few of them.. At the very least, this attack will provide a stark reminder of the importance of tracking any and all forms of remote access tunnels being used in the network, especially in relation to your most important assets. Stay tuned for more analysis on this attack from the team here at Vectra, and in the mean time check out the article on SecurityWeek.