Researchers at FireEye have shared details about how a North Korean hacking team they have christened APT 38 has attempted to pilfer $1.1 billion from financial institutions worldwide. FireEye previously had attributed the game-changing cyberattacks on the SWIFT international interbank messaging system at various banks to a North Korean hacking group it calls TEMP.Hermit.
APT 38’s objectives are financial, pursued on behalf of the North Korean government: since 2015, the hacking team has stolen hundreds of millions of dollars from at least five banks (including Bangladesh Bank and Banco de Chile) and has compromised 16 organizations in 11 countries across Latin America, Europe, and the US, according to FireEye.
Read more about the findings of the FireEye research on DarkReading.
The inner workings of a cyber attack against Tesco Bank which saw £2.26m ($2.94m) stolen from 9,000 customers have been revealed. The UK Financial Conduct Authority (FCA) has hit the bank with a £16.4m fine (around $21.3m) and said Tesco Bank failed to “exercise due skill, care and diligence” in protecting current account holders against a cyber attack.
The most financially destructive cybercrime organization in the world continues to hammer away at financial institution targets: The Carbanak Group – aka Cobalt Group and FIN7 – most recently was spotted trying to break into Russian and Romanian banks with spear-phishing emails loaded with dual malicious links.
The twofer strategy of loading an email with both a Word document and a JPEG – both rigged with malware – appears to be an insurance policy of sorts that the victim will be tempted to click on at least one of the links that leads to the malicious files, according to Richard Hummel, threat research manager for Arbor ASERT, which analyzed the group’s latest attack campaign.
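The dual-lure pattern described above is easy to screen for at the mail gateway. The following is an added example, not code from Arbor ASERT or from the original article: it pulls every http(s) link out of a message and flags one that points at both an Office document and an image file. The file-extension lists and the sample messages are assumptions constructed for the demonstration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed pairing of file types for the "twofer" lure; extend to taste.
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_links(raw_message: bytes):
    """Return every http(s) URL found in the text/plain and text/html parts of a message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            links.extend(URL_RE.findall(part.get_content()))
    return links


def classify(url: str) -> str:
    """Bucket a URL by the extension of the last path segment."""
    path = urlparse(url).path.lower()
    last = path.rsplit("/", 1)[-1]
    ext = last[last.rfind("."):] if "." in last else ""
    if ext in DOCUMENT_EXTS:
        return "document"
    if ext in IMAGE_EXTS:
        return "image"
    return "other"


def dual_lure_score(raw_message: bytes) -> dict:
    """Flag a message that links to both a document and an image download."""
    links = extract_links(raw_message)
    kinds = {classify(u) for u in links}
    return {
        "links": links,
        "kinds": kinds,
        "dual_lure": {"document", "image"} <= kinds,
    }


# Constructed sample messages (not real phishing mail).
SAMPLE_LURE = (
    b"From: payments@invoice-example.test\r\n"
    b"To: treasury@bank.example\r\n"
    b"Subject: Payment confirmation\r\n"
    b"Content-Type: text/plain; charset=\"utf-8\"\r\n"
    b"\r\n"
    b"Please review the confirmation:\r\n"
    b"http://files.invoice-example.test/confirm/Payment_Order.docx\r\n"
    b"Scanned copy: http://files.invoice-example.test/scan/Payment_Order.jpg\r\n"
)

SAMPLE_BENIGN = (
    b"From: colleague@bank.example\r\n"
    b"To: treasury@bank.example\r\n"
    b"Subject: Minutes\r\n"
    b"Content-Type: text/plain; charset=\"utf-8\"\r\n"
    b"\r\n"
    b"Minutes are on the intranet: https://intranet.bank.example/minutes/2018-08\r\n"
)

if __name__ == "__main__":
    print(dual_lure_score(SAMPLE_LURE))
    print(dual_lure_score(SAMPLE_BENIGN))
```

A real gateway rule would also look at attachments and at link hosts that were registered recently; this check only captures the structural signature of the lure.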
North Korean-linked Lazarus Group is believed responsible for stealing $13.5 million from India’s Cosmos Bank in a brazen attack that has exposed limitations in the measures banks use to defend against targeted cyber threats.
The theft occurred between August 10 and August 13, 2018, and was enabled via thousands of fraudulent ATM transactions across 28 countries and by at least three unauthorized money transfers using the bank’s access to the SWIFT international financial network. It is still unclear how the threat actors managed to initially infiltrate the bank’s network.
Read more about the attack in which Lazarus Group used highly sophisticated tactics to siphon money from India’s Cosmos Bank, on DarkReading.
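The ATM leg of the Cosmos theft, thousands of withdrawals across 28 countries in a short span, is the kind of pattern a card-authorisation feed can be screened for. The following is an added example, not code from Cosmos Bank or from the original article. It implements two sliding-window rules over a constructed authorisation log: a per-card rule (one card cashed out in several countries within minutes, which is physically impossible for a genuine cardholder) and a fleet-level rule (the number of distinct countries seen across all cards in a window, which catches cloned cards that are each used in only one place). The thresholds and sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ATM authorisations: (card, UTC timestamp, ISO country, amount). Not real data.
SAMPLE_TXNS = [
    ("4111-0001", "2018-08-11T10:00:00", "IN", 10000),
    ("4111-0001", "2018-08-11T10:02:00", "CA", 500),
    ("4111-0001", "2018-08-11T10:03:30", "HK", 800),
    ("4111-0001", "2018-08-11T10:05:00", "US", 600),
    ("4111-0002", "2018-08-11T09:00:00", "IN", 2000),
    ("4111-0002", "2018-08-12T09:00:00", "IN", 2000),
]


def _parse(txns):
    return [(datetime.fromisoformat(ts), card, country, amount)
            for card, ts, country, amount in txns]


def cashout_alerts(txns, window=timedelta(minutes=30), min_countries=3):
    """Per-card rule: withdrawals in >= min_countries within any window of the given length.

    Returns {card: details} for the first window on each card that trips the rule.
    """
    by_card = defaultdict(list)
    for when, card, country, amount in _parse(txns):
        by_card[card].append((when, country, amount))

    alerts = {}
    for card, events in by_card.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Advance the window start until events[lo:hi+1] fits inside the window.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            span = events[lo:hi + 1]
            countries = {e[1] for e in span}
            if len(countries) >= min_countries:
                alerts[card] = {
                    "countries": sorted(countries),
                    "amount": sum(e[2] for e in span),
                    "start": span[0][0].isoformat(),
                    "end": span[-1][0].isoformat(),
                }
                break
    return alerts


def fleet_spread(txns, window=timedelta(minutes=30)):
    """Fleet-level rule: maximum number of distinct countries seen across all cards in one window.

    Compare the result against a historical baseline; a jump from a handful of
    countries to dozens in a single window is the campaign-level signal.
    """
    events = sorted((when, country) for when, _, country, _ in _parse(txns))
    best, lo = 0, 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        best = max(best, len({c for _, c in events[lo:hi + 1]}))
    return best


if __name__ == "__main__":
    print(cashout_alerts(SAMPLE_TXNS))
    print("max countries in a 30-minute window:", fleet_spread(SAMPLE_TXNS))
```

Both rules are deliberately simple; in production the fleet rule would be keyed by BIN and compared against a per-hour baseline, and the alert would feed an automatic cap on international ATM authorisations rather than a ticket.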
An advanced form of banking malware has been targeting users in Latin America since at least 2013, Kaspersky Lab researchers report. Most victims are in, or connected to, Mexico.
The malware, dubbed “Dark Tequila,” carries a multistage payload and spreads to victims via spear-phishing emails and infected USB devices. Its primary focus is stealing financial information; however, once on a target machine, it lifts credentials to other popular websites, business and personal email addresses, domain registers, and file storage accounts.
Read more about the Dark Tequila banking malware on DarkReading.
Representatives of Cosmos Bank, India’s second-largest cooperative bank, revealed this week that hackers breached the bank’s servers over the weekend and stole over 940 million rupees ($13.5 million) across three days.
The incident is still under investigation, and the exact date of the intrusion is unknown, but the bank said that hackers stole money from its accounts in three waves, across three days. Cosmos Bank said no money was taken from customer accounts, and that all losses will be borne by the bank, in line with international banking standards.
Read more about how hackers managed to steal $13.5 million from Cosmos Bank through illicit ATM and wire transactions, on BleepingComputer.
Attackers are targeting DLink DSL modem routers in Brazil and exploiting them to change the DNS settings to a DNS server under the attacker’s control. This then allows them to redirect users attempting to connect to their online banks to fake banking websites that steal the user’s account information.
According to research by Radware, the exploit being used by the attackers allows them to make remote, unauthenticated changes to the DNS settings on certain DLink DSL modems/routers. This lets them scan for vulnerable routers and script the change at scale, so that large numbers of devices point at a DNS server under the attacker’s control.
Read about the new attack, which is quite dangerous as it involves no phishing emails and no changes on the user’s computer, on BleepingComputer.
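Because the hijack lives entirely in the router, the check has to be made from the resolver side: ask the router’s configured DNS server and a trusted resolver for the same bank domain and compare the answers. The following is an added example, not code from Radware or from the original article. It builds a raw RFC 1035 A query, parses the A records out of a response (handling name compression), and reports any address the router’s resolver returns that the trusted resolver never does. The domain and addresses are assumptions; `build_response` exists only so the example runs offline against a constructed packet, while `resolve_via` is the live path for real use.

```python
import ipaddress
import socket
import struct


def _encode_name(domain: str) -> bytes:
    """Encode a dotted name as length-prefixed labels, terminated by a zero byte."""
    labels = domain.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query: 12-byte header plus one question (type A, class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(domain) + struct.pack(">HH", 1, 1)


def build_response(domain: str, ips, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed response packet (assumption for offline use); answers point at the
    question name via the compression pointer 0xC00C (offset 12)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(domain) + struct.pack(">HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips
    )
    return header + question + answers


def _read_name(pkt: bytes, off: int):
    """Decode a possibly-compressed name at off; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # pointer to an earlier name
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_a_records(pkt: bytes, expected_txid: int = None):
    """Return the IPv4 addresses in the answer section; other record types are skipped."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(rdata)))
    return answers


def resolve_via(server: str, domain: str, timeout: float = 2.0):
    """Ask one specific resolver over UDP/53 (live path; not exercised offline)."""
    q = build_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, expected_txid=0x1234)


def hijack_check(router_answers, trusted_answers) -> dict:
    """Suspect when the router's resolver returns addresses the trusted resolver never does."""
    rogue = sorted(set(router_answers) - set(trusted_answers))
    return {"rogue_addresses": rogue, "suspect": bool(rogue)}


if __name__ == "__main__":
    domain = "bank.example"  # assumed name
    trusted = parse_a_records(build_response(domain, ["203.0.113.10"]))
    via_router = parse_a_records(build_response(domain, ["198.51.100.7"]))
    print(hijack_check(via_router, trusted))
    # Live use: hijack_check(resolve_via("192.168.1.1", domain), resolve_via("9.9.9.9", domain))
```

Banks that use CDNs or geo-DNS will legitimately return different addresses to different resolvers, so a rogue address is a reason to inspect the router’s DNS settings, not proof on its own; the stronger signal is a configured DNS server that is neither the ISP’s nor one the owner chose.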
A notorious hacker group known as MoneyTaker has stolen roughly $1 million from a Russian bank after breaching its network via an outdated router. The victim of the hack is PIR Bank, which lost at least $920,000 held in a correspondent account at the Bank of Russia.
Group-IB, a Russian cyber-security firm that was called in to investigate the incident, says that after studying infected workstations and servers at PIR Bank, they collected “irrefutable digital evidence implicating MoneyTaker in the theft.”
Read more about the hack of a Russian bank in which roughly $1 million was stolen on BleepingComputer.
It’s no secret that financial services organizations are juicy targets for cybercrime, but new data shows how much more the bad guys are stealing from them: in the past year, there’s been a 135% jump in bank data for sale on the Dark Web.
A new report from IntSights Cyber Intelligence shows financial services is the number one most-attacked industry: from 2017 until the first half of 2018, the security firm found an average of 207 indicators of attack – such as company IPs, domains, email addresses, and data appearing in Dark Web chatter, malware, or target lists – per US bank. In the first half of this year, that average hit 520.
Read more about the new study that examines how financial services information gets sold and shared in the Dark Web on DarkReading.
The 2018 Winter Olympics may have ended, but the group behind “Olympic Destroyer,” the attack known for targeting the Games, is still going strong. Kaspersky Lab researchers have spotted the threat actor(s) targeting organizations across Europe. Olympic Destroyer, a destructive network worm, appeared prior to the Opening Ceremonies when Olympics officials confirmed technical issues affecting systems.
Kaspersky Lab analysts have now determined that the group behind Olympic Destroyer is responsible for a new wave of cyberattacks targeting financial and biochemical organizations throughout Europe, a conclusion based on the malware sets, the targeting, and the macros identified and tested in the code.
Read more about the attack group known for targeting the 2018 Winter Olympics that has resurfaced in campaigns against European financial and biochem companies on DarkReading.