The Cobalt hacking group, which specializes in breaching the networks of financial institutions and banks, is now using a new variant of the ThreadKit exploit builder for Microsoft Office documents.
Observed in a campaign on October 30, the new tactics show an evolution of the ThreadKit macro delivery tool. The final payload downloaded this way is CobInt, a signature malware of the Cobalt group. The exploit building framework was first noticed in October 2017, although it had been used in campaigns as early as June that year, leveraging CVE-2017-0199, for which exploit code was publicly available.
Cyber-criminal gangs are believed to have stolen tens of millions of dollars from at least eight banks in Eastern Europe using tactics usually seen only in Hollywood movies. These “hacks” consisted of cyber-criminals entering bank offices, inspecting them, and then leaving malicious devices connected to the bank’s network.
Russian cyber-security firm Kaspersky Lab, which was called in to investigate some of these mysterious cyber-heists, says it found three types of devices at the offices of the eight banks it reviewed: cheap laptops, Raspberry Pi boards and malicious USB thumb drives known as Bash Bunnies.
Read more about the Hollywood-style hacks on European banks on ZDNet.
Banks in Russia today were the target of a massive phishing campaign that aimed to deliver a tool used by the Silence group of hackers. The group is believed to have a background in legitimate infosec activities and access to documentation specific to the financial sector.
The fraudulent emails purported to come from the Central Bank of Russia (CBR) and contained a malicious attachment. The message body lured recipients into opening the attachment in order to check the latest details on the “standardization of the format of CBR’s electronic communications.” International cybersecurity company Group-IB investigated the attack.
The Trickbot banking malware has added yet another tool to its arsenal, allowing crooks to steal passwords as well as browser data including web history and usernames.
The malware first appeared in 2016, initially focused on stealing banking credentials — but Trickbot is highly customisable and has undergone a series of updates since then. The latest trick — picked up by researchers at both Trend Micro and Fortinet — is the addition of a new module designed to steal passwords. This new Trickbot variant first emerged in October.
Read more about the latest version of the Trickbot malware on ZDNet.
Pakistan says the nation’s banks have not been hacked, but adds that banks are taking defensive steps after nearly 20,000 payment card details appeared for sale online. The State Bank of Pakistan says banks are implementing restrictions on international transactions.
The State Bank of Pakistan did note that one bank was reportedly compromised on Oct. 27, but says that a data breach did not occur. It did not provide further details; the card details may instead have been harvested from ATMs or merchant point-of-sale terminals in skimming attacks.
International banking giant HSBC has reported that it was breached in October, as a result of a credential-stuffing attack.
In a notice [PDF] filed with the state of California, the bank said that it became aware of some online accounts being accessed by unauthorized users between October 4 and 14. The hack affected a segment of the bank’s U.S. customers — less than 1 percent of its U.S. client base, it told the BBC, though exact numbers have not been released.
The incident exposed names, addresses and dates of birth, along with banking-specific information like account numbers and balances, statement and transaction histories, and payee account numbers.
Read more about the HSBC data breach on Threatpost.
Researchers at FireEye have shared details about how a North Korean hacking team they have christened APT 38 has attempted to pilfer $1.1 billion from financial institutions worldwide. FireEye had previously attributed the game-changing attacks on the SWIFT international interbank messaging system at various banks to a North Korean hacking group it calls TEMP.Hermit.
APT 38’s operations are financially motivated and carried out on behalf of the North Korean government: since 2015, the hacking team has stolen hundreds of millions of dollars from at least five banks (including Bangladesh Bank and Banco de Chile) and has compromised 16 organizations in 11 countries, including in Latin America, Europe and the US, according to FireEye.
Read more about the findings of the FireEye research on DarkReading.
The inner workings of a cyber attack against Tesco Bank which saw £2.26m ($2.94m) stolen from 9,000 customers have been revealed. The UK Financial Conduct Authority (FCA) has hit the bank with a £16.4m fine (around $21.3m) and said Tesco Bank failed to “exercise due skill, care and diligence” in protecting current account holders against a cyber attack.
The most financially destructive cybercrime organization in the world continues to hammer away at financial institution targets: The Carbanak Group – aka Cobalt Group and FIN7 – most recently was spotted trying to break into Russian and Romanian banks with spear-phishing emails loaded with dual malicious links.
The twofer strategy of loading an email with both a Word document and a JPEG – both rigged with malware – appears to be an insurance policy of sorts, raising the odds that the victim will click on at least one of the links leading to the malicious files, according to Richard Hummel, threat research manager for Arbor ASERT, which analyzed the group’s latest attack campaign.
North Korean-linked Lazarus Group is believed responsible for stealing $13.5 million from India’s Cosmos Bank in a brazen attack that has exposed limitations in the measures banks use to defend against targeted cyber threats.
The theft occurred between August 10 and August 13, 2018, and was enabled via thousands of fraudulent ATM transactions across 28 countries and by at least three unauthorized money transfers using the bank’s access to the SWIFT international financial network. It is still unclear how the threat actors managed to initially infiltrate the bank’s network.
Read more about the attack in which Lazarus Group used highly sophisticated tactics to siphon money from India’s Cosmos Bank on DarkReading.