Banks Attacked through Malicious Hardware Connected to the Local Network

Kaspersky is reporting on a series of bank hacks—called DarkVishnya—perpetrated through malicious hardware being surreptitiously installed into the target network:

In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

Slashdot thread.

Posted on December 7, 2018 at 10:50 AM • 12 Comments

Comments

Clive Robinson December 7, 2018 11:15 AM

This is not the first bank attack using malicious devices on the network, connected and left by attackers.

A few years back a British Building Society got attacked through devices that had been installed on the network by service personnel.

echo December 7, 2018 11:20 AM

The other problem not shouted about to cover up plod embarrassment and reduce copycats is the infiltration of banks by criminals.

Phaete December 7, 2018 11:30 AM

This is an expected attack angle in a high risk/gain sector.
A competent ITSEC policy and implementation would have mitigated most of it.
It would not have been possible in most high sec networks I've been involved with.
USB storage should have been disabled everywhere, no unknown MAC network traffic, endpoint tracking, failed auth logging and alarms etc.
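The "no unknown MAC network traffic" check in the comment above, and the "unknown computer" Kaspersky describes appearing on the LAN, can be turned into a cheap tripwire. The following is an added example, written for this page and not part of Phaete's comment or of Kaspersky's report: it reads ISC dhcpd DHCPACK syslog lines, compares each lease against an asset inventory, and flags leases whose MAC is unknown, whose OUI belongs to the Raspberry Pi Foundation, that use a locally administered (randomised or spoofed) address, or whose hostname is a stock-image default. The log lines, inventory entries and hostnames are constructed; the OUI list is illustrative and should be refreshed from the IEEE registry before use.

```python
"""
Flag unknown devices in ISC dhcpd logs against a MAC inventory.

Added example, not Kaspersky's or the blog's own code. The log lines,
inventory and OUI list below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# ISC dhcpd: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; the
# "(hostname)" part is absent when the client sent no host-name option.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:.-]{12,17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

# OUIs registered to the Raspberry Pi Foundation / Raspberry Pi Trading.
# Illustrative only: refresh from the IEEE registry before relying on it.
SBC_OUIS = {"b8:27:eb": "Raspberry Pi Foundation", "dc:a6:32": "Raspberry Pi Trading"}

# Default hostnames of stock images that an attacker may not bother to change.
GENERIC_HOSTNAMES = {"raspberrypi", "kali", "ubuntu", "debian", "localhost"}


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff; return lowercase colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means locally administered (randomised/spoofed), not vendor-assigned."""
    return bool(int(mac[:2], 16) & 0x02)


@dataclass
class Alert:
    mac: str
    ip: str
    hostname: str
    reasons: list = field(default_factory=list)


def parse_dhcpacks(lines):
    """Yield (ip, mac, hostname) for each DHCPACK line; the first lease seen per MAC wins."""
    seen = set()
    for line in lines:
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        if mac in seen:
            continue
        seen.add(mac)
        yield m.group("ip"), mac, (m.group("host") or "")


def find_unknown_devices(lines, inventory):
    """Return an Alert for every lease whose MAC is not in the inventory, with the reasons it looks suspicious."""
    known = {normalize_mac(k) for k in inventory}
    alerts = []
    for ip, mac, host in parse_dhcpacks(lines):
        if mac in known:
            continue
        reasons = ["MAC not in asset inventory"]
        vendor = SBC_OUIS.get(mac[:8])  # first three octets, colon form
        if vendor:
            reasons.append(f"OUI belongs to {vendor}")
        if is_locally_administered(mac):
            reasons.append("locally administered MAC (randomised or spoofed)")
        if host.lower() in GENERIC_HOSTNAMES:
            reasons.append(f"default hostname {host!r}")
        alerts.append(Alert(mac=mac, ip=ip, hostname=host, reasons=reasons))
    return alerts


# Constructed sample: one inventoried workstation, one inventoried printer,
# and two leases that should alarm. Inventory keys use mixed MAC notations
# on purpose to exercise normalize_mac().
INVENTORY = {
    "3C:52:82:1A:9B:C4": "WS-HQ-0412",
    "0050.b61e.22f3": "PRN-HQ-03",
}
SAMPLE_LOG = """\
Dec  7 08:02:11 dhcp01 dhcpd: DHCPACK on 10.20.5.31 to 3c:52:82:1a:9b:c4 (WS-HQ-0412) via eth0
Dec  7 08:03:45 dhcp01 dhcpd: DHCPACK on 10.20.5.77 to b8:27:eb:4a:1c:09 (raspberrypi) via eth0
Dec  7 08:05:02 dhcp01 dhcpd: DHCPACK on 10.20.5.78 to 02:1f:aa:7e:30:11 (kali) via eth0
Dec  7 08:06:19 dhcp01 dhcpd: DHCPREQUEST for 10.20.5.31 from 3c:52:82:1a:9b:c4 (WS-HQ-0412) via eth0
Dec  7 08:07:40 dhcp01 dhcpd: DHCPACK on 10.20.5.90 to 00:50:b6:1e:22:f3 via eth0
""".splitlines()

if __name__ == "__main__":
    for a in find_unknown_devices(SAMPLE_LOG, INVENTORY):
        print(f"{a.ip:<12} {a.mac}  host={a.hostname or '-'}  ->  {'; '.join(a.reasons)}")
```

On the constructed sample this reports the Raspberry Pi lease and the locally administered "kali" lease and stays quiet about the two inventoried hosts. The caveat is in Kaspersky's own description: a netbook that clones the MAC of a known asset, or a Bash Bunny that presents itself to an authorised PC as a keyboard, produces no new address on the wire and never appears in this log. The check is a low-cost tripwire for the careless case, not a substitute for 802.1X port authentication, disabling unused ports and USB storage, and periodic physical inspection of meeting-room and floor-box sockets.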

PeaceHead December 7, 2018 11:54 AM

A very poignant article, thanks.
I also suspect that such hardware techniques are extremely common in the wild.
I vaguely remember reading about some such technique happening over 10 years ago.
And of course, there are similarities to “fake ATM machine” types of techniques which go back even farther.

In my opinion, it’s not at all a financial market thing nor a bank thing. This vector is a logical culmination of the historical context of exploits.

In terms of what a person can imagine is happening “behind the scenes”, this fits right into place, no hollywood references required to fill in the gaps.

It also coincides with similar techniques used for non-malicious purposes.
I just wish I knew of more countermeasures besides a deeper descent into (re-)becoming a Luddite.

P.S.-I do NOT start my sentences with “If you could”… “You could”… is how it was supposed to read. Back off from editing my posts in transit (to the hacker lingering in the mix, freeloading off of our data). You know you benefit from my posts as much as everyone else; if you derail the syntax you derail the semantics and thus gain much less. I’m not an idiot. It used to be convenient to seem like one as camouflage. Shouldn’t you be using twitter or a chatroom or something like that?

Back on topic: These days it’s extremely difficult to know for sure what ANY hardware device is doing whatsoever. The bigger the tech gear is, the harder it is to know that it’s not harboring something insidiously harmful. For that reason, it’s a miracle that anything works! And similarly, it’s almost a miracle that every laptop computer isn’t a bomb in disguise!!!?

OUCH!

Clive Robinson December 7, 2018 4:13 PM

@ All,

The earlier attack I referred to above was against the UK's Barclays bank, back in 2013, and used a KVM switch to perform the attacks.

https://www.bbc.com/news/uk-england-24172305

@ All,

Irrespective of the specifics of devices, you can now get the equivalent of a PC in a form factor a lot smaller than a Raspberry Pi, even smaller than a stick of chewing gum.

Whilst these devices are not "implanted" in other hardware, they could easily be built into network socket face plates or spliced into a network cable in the floor or other plenum or crawl space.

Worse, they could, as with the KVM switch, be put on the user side of a PC on the HCI, where all security is open to what is the simplest of MITM attacks.

It takes no great brains to realise the best way to attack a system is as "the admin". Ed Snowden kind of made that obvious to the world. It's why various people go after Admin Credentials wherever they can, because they might not be quite "the keys to the kingdom" but they do get close.

If you could get a 3g/4g mobile device connected to the Sys Admin's desktop via a KVM switch, you could achieve a great deal without needing their credentials.

If you likewise built your own version of the "crotch shot heat detector" used to check employees are at their desks to put under the Sys Admin's desk, or a wireless CCTV camera in a clock / fire detector / light fitting, you could get all the "habit" information to find the best times to take over an Admin's PC for a few moments.

Such attacks are very stealthy in some respects[1] and difficult to find using “on the wire” instrumentation / enumeration and can require people to “walk the wire/line” examining each point in detail.

Because walking the wire/line is manpower intensive and very disruptive, it’s not done often or at all these days[2]. This gives an advantage to an attacker especially if they are “just another face” in the office and thus can spot signs of “stranger danger” of investigators and switch down to what is a highly covert “pass through” state.

Combating such types of what are "insider attacks" can be extraordinarily difficult and, as with older high security military systems, you need to have the ability to do such checks built in from "day zero" of the system[3], as bolting them on will almost certainly be prohibitively expensive, and have a high probability of being ineffective…

[1] They are also, due to their use of RF, "very noisy", thus can be found with the likes of Software Defined Radios (SDR), which are quite small, light and above all highly flexible, oh and can cost as little as $10.

[2] In the early "terminal" days of high security computing all the cables were carried in pressurised ducting, which had alarms that tripped on even small changes of pressure, thus causing an "armed response" to an area. Whilst acceptable in a high security military facility, assault weapons and office workers generally do not mix well.

[3] There are, if you know the right people to talk to, solutions for protecting cabling without having to resort to pressure ducting[2]. In essence they use special armoured coaxial cables which are instrumented with Time Domain Reflectometry detectors, that check the cable hundreds if not thousands of times a second looking for electrical impedance changes that signify the cable is being attacked or even just touched, and at what distance and direction from the detector, allowing very rapid response.

Bruce Schneier December 7, 2018 4:41 PM

@PeaceHead

“P.S.-I do NOT start my sentences with “If you could”… “You could”… is how it was supposed to read. Back off from editing my posts in transit (to the hacker lingering in the mix, freeloading off of our data). You know you benefit from my posts as much as everyone else; if you derail the syntax you derail the semantics and thus gain much less. I’m not an idiot. It used to be convenient to seem like one as camouflage. Shouldn’t you be using twitter or a chatroom or something like that?”

Who are you writing to? Is it someone in this blog, or someone else and it’s a mistake here?

Neither I nor the moderator edit blog comments, with the occasional exception of making a change that the poster points to in a subsequent comment. (And even then, we’re not consistent about it.) We delete comments, but we don’t edit them.

echo December 7, 2018 8:49 PM

@Clive

It takes no great brains to realise the best way to attack a system is as "the admin". Ed Snowden kind of made that obvious to the world. It's why various people go after Admin Credentials wherever they can, because they might not be quite "the keys to the kingdom" but they do get close.

[…]

Because walking the wire/line is manpower intensive and very disruptive, it’s not done often or at all these days[2]. This gives an advantage to an attacker especially if they are “just another face” in the office and thus can spot signs of “stranger danger” of investigators and switch down to what is a highly covert “pass through” state.

Combating such types of what are "insider attacks" can be extraordinarily difficult and, as with older high security military systems, you need to have the ability to do such checks built in from "day zero" of the system[3], as bolting them on will almost certainly be prohibitively expensive, and have a high probability of being ineffective…

Unfortunately there are problems, especially within the UK state sector, where the right kind of qualification and procedure is a form of "security". The assertive citizen (especially with whistleblower ramifications) is treated as a "hostile threat". Both ahead-of-time notification of investigation and overt investigation give staff time to put on their best act until the searchlight has moved on. Checks and balances which include "red alert" policies of mandatory investigation are not followed or are ignored.

This partially explains why the UK government kills more people each year than a small war over a single decade. I would hate to estimate the scale of malfeasance and defrauding citizens of their rights.

When people are incentivised, especially by weak human resources departments and low accountability and a Jimmy Savile scandal style omerta, the biggest gangsters are unfortunately the most "trusted".

"Threats and menaces" by establishment, often ex-military, staff and physical assault and theft by staff in a "duty of care" environment doesn't go down well either.

Then we have the Greek telephone engineer who was murdered…

AtAStore December 10, 2018 3:11 PM

Are there any ways, easy or not, for a “layman” using Kali or something to find attacks like these on their home wired or wifi network?

Jeff Root December 10, 2018 7:53 PM

I think they must have mis-identified the Hak5 tool in use. They state that the remote access was via cellular modem. The Bash Bunny has no way to do that. However, there’s a version of the LAN Turtle that includes a GSM modem.

And for this application, the LAN Turtle would be a better choice, since it looks like any other USB/Ethernet adapter.

anon December 17, 2018 5:27 PM

Access to wired Ethernet can be restricted with MACsec in conjunction with IEEE 802.1X. This could have prevented them from plugging a random device into the network. The trouble might be that not all devices that you want on the network support MACsec (some printers, etc), and it only works on a LAN, but it is probably something that a corporate or especially banking environment should be using. It’s not going to prevent someone from plugging a USB device into a legit box though.
