Archive for category Articles

Expected cyber-crime techniques for 2019

SophosLabs has released a threat report covering the modes of cyber-attack it expects to see in 2019.



Release Date: 26th November 2018



Cyber attackers are successfully evading detection on Windows computers by abusing legitimate admin tools commonly found on the operating system.


This is a pivotal finding of the SophosLabs 2019 Threat Report, which traces how the technique has risen from the fringes of the cybercriminal playbook to become a common feature of a growing number of cyber-attacks, a trend it expects to continue in the upcoming year.


Known in security parlance as ‘living off the land’ or ‘LoL’ because it avoids the need to download dedicated tools, this technique of cyber-attack most often targets PowerShell, a powerful command-line shell that ships by default on all recent Windows computers, even though few users have heard of it.


Alternatives include Windows Scripting Host (WScript.exe), the Windows Management Instrumentation Command line (WMIC), as well as popular external tools such as PsExec and WinSCP.


It’s a simple strategy that makes detection a puzzle. Removing the tools is an option but comes with disadvantages few admins would be happy with, notes the report:


“PowerShell is also an integral component of tools that help administrators manage networks of almost any size, and as a result, must be present and must be enabled in order for those admins to be able to do things like, for example, push group policy changes”.


Attackers, of course, know this and often feel brazen enough to chain together a sequence of scripting and command interfaces, each running in a different Windows process.






According to SophosLabs, attacks might start with a malicious JavaScript attachment, in turn invoking wscript.exe, before finally downloading a custom PowerShell script. Defenders face a challenge:


“With a wide range of file types that include several “plain text” scripts, chained in no particular order and without any predictability, the challenge becomes how to separate the normal operations of a computer from the anomalous behavior of a machine in the throes of a malware infection”.
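The detection problem the report describes is one of process ancestry: each interpreter in the chain runs in its own Windows process, so the only signal is the parent-child relationship plus the command line. The following is an added example, not code from SophosLabs or the report, that reconstructs lineage from constructed process-creation records (the pids, paths and the truncated encoded command are all made up) and flags runs of consecutive interpreters, ranking a chain rooted in an Office host or using a hidden/encoded invocation above routine admin use of the same tools:

```python
"""Reconstruct process ancestry from process-creation events and flag chains of
script and command interpreters (constructed events; added example)."""
import ntpath

# Interpreters and admin tools the report names as LoL targets, plus the
# Office hosts that commonly sit at the top of such chains (lower-case basenames).
INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "wmic.exe",
                "mshta.exe", "cmd.exe"}
DOCUMENT_HOSTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Constructed sample events in the shape of a process-creation record with
# command-line logging enabled: (pid, ppid, image path, command line).
# The pids and paths are illustrative; the encoded command is a truncated dummy.
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\Outlook.exe", "outlook.exe"),
    (300, 200, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    # Benign admin use: an interactive shell started from the desktop.
    (500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe"),
    (600, 500, r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe os get caption"),
]

def basename(image):
    return ntpath.basename(image).lower()

def index_events(events):
    """Map pid -> (ppid, basename, command line)."""
    return {pid: (ppid, basename(image), cmd) for pid, ppid, image, cmd in events}

def lineage(by_pid, pid):
    """Walk parent links and return basenames from the root down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, name, _ = by_pid[pid]
        chain.append(name)
        pid = ppid
    return chain[::-1]

def interpreter_run(chain):
    """Longest run of consecutive interpreters ending at the leaf process."""
    run = []
    for name in reversed(chain):
        if name not in INTERPRETERS:
            break
        run.append(name)
    return run[::-1]

def find_chains(events, min_len=2):
    """One finding per interpreter process whose ancestry ends in at least
    min_len consecutive interpreters, with context for triage."""
    by_pid = index_events(events)
    findings = []
    for pid, (_, name, cmd) in by_pid.items():
        if name not in INTERPRETERS:
            continue
        chain = lineage(by_pid, pid)
        run = interpreter_run(chain)
        if len(run) < min_len:
            continue
        lowered = cmd.lower()
        findings.append({
            "pid": pid,
            "lineage": chain,
            "interpreters": run,
            "from_document": any(n in DOCUMENT_HOSTS for n in chain),
            "hidden_or_encoded": any(f in lowered for f in
                                     ("-enc", "-w hidden", "-windowstyle hidden")),
        })
    return findings

def severity(finding):
    """A chain rooted in a document host, or using hidden/encoded invocation,
    matches the pattern the report describes; other chains are routine admin use."""
    if finding["from_document"] or finding["hidden_or_encoded"]:
        return "high"
    return "review"

if __name__ == "__main__":
    for f in find_chains(EVENTS):
        print(severity(f), f["pid"], " -> ".join(f["lineage"]))
```

The benign explorer.exe -> powershell.exe -> wmic.exe chain is still reported, but at "review" severity: the point is not to block the tools (the report explains why that is impractical) but to make the chain visible and rank the ones that started from a document.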





Macro attacks 2.0



Meanwhile, attackers show no signs of giving up on new variations of Microsoft Office macro attacks, another route to launching exploits without the need for a conventional executable.


In recent years, protections such as disabling macros inside documents or using preview mode have blunted this technique.


Unfortunately, attackers have developed techniques to persuade people to disable these protections, using macro builder tools that package Office, Flash and other exploits within a document that throws up sophisticated social engineering prompts.


Compounding this, cybercriminals have refreshed their older stock of software flaws in favor of more dangerous and recent equivalents – SophosLabs’ analysis of malicious documents found that only 3% of the exploits inside builders date from before 2017.


With well-used filetypes now blocked or monitored by endpoint security, the trend is to use more exotic filetypes to launch attacks, especially apparently innocuous ones that can be called from a Windows shell such as .cmd (Command File) .cpl (Control Panel), .HTA (Windows Script Host), .LNK (Windows Shortcut), and .PIF (Program Information File).



Lateral Movement of Malware



The EternalBlue exploit (CVE-2017-0144) has surprisingly become a popular staple for malware writers, despite Microsoft issuing a patch in advance of its first use by WannaCry in May 2017.


Cryptominers have been enthusiastic users of EternalBlue, using it to move laterally through networks to infect as many machines as possible.


Attackers’ combination of these innovations – Windows LoL tools, macro attacks, novel exploits and crypto-mining – represents a challenge because it often confounds the assumptions of defenders.


Their uptake of these more complex and esoteric approaches has been driven, ironically, by the success of the cybersecurity industry at curbing traditional malware.


Concludes Sophos CTO, Joe Levy:

“We expect we’ll eventually be left with fewer, but smarter and stronger, adversaries”.






Cybercriminal techniques – SophosLabs 2019 Threat Report


A new Trojan has been discovered in the on-going FASTCash cyber espionage campaign funded by the North Korean government.



Release Date: November 20th, 2018






The Lazarus hacker group, funded by the North Korean government, preys on the financial sector, targeting major banks in Africa and Asia. It first breaches the target bank’s network and compromises the switch application server handling the ATM transactions. Also known as Hidden Cobra, the Lazarus group is associated with the on-going FASTCash campaign, which has stolen tens of millions of dollars in multiple ATM attacks across the continents.



In 2017 alone, Lazarus targeted ATMs in more than 30 countries, whereas in 2018 it compromised banks in 23 countries simultaneously. Recently, a new Trojan has been found that is being used in the FASTCash campaigns.






The initial attack vector used by Lazarus is not confirmed. However, traces have been found of malware designed to “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.”



It seems that the Hidden Cobra attackers initially used Windows-based malware to explore a bank’s network and identify the payment switch application server. Researchers have found that all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions beyond the end of their service pack support dates. AIX could therefore be the exploitation vector; however, no evidence has been found that proves exploitation of the AIX operating system in these attacks.



Although each known incident has a different malware associated with it, a detailed analysis of malware samples gathered through these attacks suggests similarities between malware features and capabilities.






Analysts predict that the attacks were initiated with spear-phishing emails against bank employees, which led to compromise of the bank’s network.



There are multiple versions of the FASTCash Trojan, each of which appears to have been customized for a different transaction processing network. The samples are associated with legitimate primary account numbers, or PANs – the 14- or 16-digit numerical strings found on bank and credit cards that identify a card issuer and account number.






The malicious code inserted by Lazarus attackers searched for references tied to attacker-controlled accounts, then returned fraudulent information about those accounts in response to balance inquiries made by the switch application server.



In simpler words, the validation requests prior to cash withdrawal did not reach the bank for authentication and verification of the account balance. Instead, the communication was spoofed by the attackers and fake responses were generated that made ATMs dispense cash even from accounts with a zero balance.





Analysts believe that HIDDEN COBRA (Lazarus) actors exploited the targeted systems by using their knowledge of International Standards Organization (ISO) 8583—the standard for financial transaction messaging—and other tactics. HIDDEN COBRA actors most likely deployed ISO 8583 libraries on the targeted switch application servers. These libraries can be exploited by malicious threat actors to help interpret financial request messages and properly construct fraudulent financial response messages.



Analysts believe HIDDEN COBRA actors blocked transaction messages in order to stop denial/decline messages from leaving the switch and used a GenerateResponse* function to approve the transactions.



“In order to permit their fraudulent withdrawals from ATMs, the attackers inject a malicious [AIX] executable into a running, legitimate process on the switch application server of a financial transaction network, in this case, a network that handles ATM transactions,” analysts say.



The malicious executable contains logic to construct fraudulent ISO 8583 messages, which is the international standard for financial transaction messaging. The IBM AIX executable files were designed to conduct code injection and inject a library into a currently running process.



It is believed that the North Korean government funds these attacks to offset international sanctions imposed over its weapons development and testing programs. Apart from Lazarus, another major wave of attacks was launched by APT38, which is also said to be associated with the North Korean government.



Here is detailed coverage of APT38 cyber espionage.






Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Continuous monitoring of all the activity on the network is essential to pinpoint any cyber espionage targeting an organization.





Lazarus has previously earned an international reputation as one of the largest groups of cybercriminals targeting the financial sector.

The Sony Pictures Entertainment hack in 2014; the breach of the Bangladesh central bank’s account at the New York Federal Reserve, leading to $81 million being stolen; the WannaCry ransomware outbreak in May 2017; and other crypto-mining incidents are also associated with this hacker group.


The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.


BankIslami hit by Cyber Attack, $6 Million Stolen

Editor’s Note: This post was originally published on 28th October 2018 and is being continuously updated with latest information.


Hackers have waged a sophisticated cyber-attack against BankIslami, an Islamic bank in Pakistan, resulting in the theft of around $6 million via fraudulent ATM and POS payments from different countries. Reports claim that 5000 accounts have been compromised in this attack and that it might be the biggest cyber-attack in the history of Pakistan.


The alleged security breach first came to light on October 27, when the bank detected abnormal transactions on one of its international payment card schemes. Customers of the bank also received automated messages about their payment cards being used in different countries. The bank tried to keep the breach quiet until the hackers, possibly, published payment card information and PINs for sale on the dark web for about $75. The bank has temporarily shut down all transactions routed through the international payment scheme.


State Bank of Pakistan (SBP) Directives


“As a result of security breach of payment cards of one of the banks in Pakistan yesterday and their unauthorized use on different delivery channels i.e. at ATMs and POS in different countries, the bank has temporarily restricted usage of its cards for overseas transactions,” State Bank said in a statement yesterday.


SBP instructed the affected bank to take all necessary measures to trace the vulnerability and fix it immediately.


The affected bank has also been directed to issue an advisory on precautionary measures that customers should take.


  • To make sure that resources are deployed to ensure 24/7 real-time monitoring of card operations related systems and transactions. Additionally, coordinate immediately with all the payment schemes, switch operators and media service providers integrated with the banks, to identify any malicious activity or suspicious transactions.


  • To foster arrangements to ensure security of all payments cards in the country and monitor on real-time basis the usage activity for their cards, especially for overseas transactions.


SBP said that it would continue to assess these developments in coordination with banks and take further measures, if required. The banks across Pakistan are directed to ensure that security measures on all IT systems including those related to card operations are continuously updated to meet any challenges in future.


Attack Vector


FASTCash-style schemes, which remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, are a possible attack vector for this hack.


When a payment card is used in an ATM or PoS machine, the machine communicates with the bank’s switch application server to validate the transaction, which is then accepted or declined based on the account balance. The malware installed on the compromised switch application servers intercepts transaction requests associated with the attackers’ payment cards. It then responds with a fake but legitimate-looking affirmative response without checking the available balance with the core banking systems. Eventually, the machine is fooled into processing the transaction or dispensing large amounts of cash without sending a notification to the bank.


Rewterz had published important advisories on similar attacks earlier this month, Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash and North Korean State-Funded APT38 Launches Financially Motivated Attacks Worldwide that include mitigation recommendations for institutions that have payment processing systems.


“Since at least 2014, hacker group involved in FASTCash campaign has conducted operations in more than 16 organizations in at least 11 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources,” FireEye researchers said in a blog post.


Based on known attacks, an APT attacker spends an average of 155 days camped out in an attacked organization’s networks, while in one case they had two years of access to a victim’s network, FireEye says.


“APT attacker executes sophisticated bank heists typically featuring long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom-developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards,” FireEye says.


“The group is careful, calculated and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions and system technologies to achieve its goals.”


The U.S. Computer Emergency Readiness Team issued an alert about “malicious cyber activity by the North Korean government” – which it refers to as Hidden Cobra – perpetrating an ATM cash-out scheme, which the U.S. government refers to as “FASTCash.”


US-CERT’s “Hidden Cobra – FASTCash Campaign” alert says that the attack campaign has been operating since 2016 and has so far targeted institutions in Asia and Africa with malware designed to “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.”


“The initial infection vector used to compromise victim networks is unknown; however, analysts surmise Hidden Cobra actors used spear-phishing emails in targeted attacks against bank employees,” US-CERT says, “Hidden Cobra actors likely used Windows-based malware to explore a bank’s network to identify the payment switch application server.”


Attackers will likely move beyond targeting banks, US-CERT warns. “The U.S. government assesses that Hidden Cobra actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation,” it says.


Pakistani Banks Card Data on Dark Web


As you are probably aware, some analyses connect this attack with Pakistani banks’ card data being up for sale on the dark web. According to various sources, a report is being circulated regarding the sale of Pakistani banks’ card data, showing that more than 8000 cards of different banks are available for sale on the dark web and on carding websites.


Rewterz Threat Intelligence Team has carried out an in-depth analysis and assumes that this report was created based on a 3rd-category dark web card shop. Mostly, 3rd-category shops are easily accessible and do not ensure reliable data. The card dump was posted on a shop yesterday; however, it was taken down by the seller on the same day. Based on further analysis, the dump consisted of old skimmed card data of different banks, so probably 99.9% of the data is either bogus or belongs to blocked cards. Research shows that reliable and authentic data is available on 1st-category card shops, which have verified cards on sale with a refund offer if a card doesn’t work. Our threat intelligence team is further investigating and endeavouring to acquire all the available card data so that further analysis can be carried out.


Therefore, it can be assumed that, in order to create chaos and further exploit the mayhem in Pakistan, the seller consolidated all the skimmed card data available from the past and posted it together.


According to our intelligence, the hackers have carried out a targeted and sophisticated attack on a local bank, similar to what we have seen in FASTCash. Skimmed cards do not have the capacity to launch an attack on this scale.




  • Implement chip and Personal Identification Number (PIN) requirements for debit cards.
  • Validate card-generated authorization request cryptograms.
  • Use issuer-generated authorization response cryptograms for response messages.
  • Require card-generated authorization response cryptogram validation to verify legitimate response messages.
  • Require two-factor authentication before any user can access the switch application server.
  • Verify that perimeter security controls prevent internet hosts from accessing the private network infrastructure servicing your payment switch application server.
  • Verify that perimeter security controls prevent all hosts outside of authorized endpoints from accessing your system.
  • Configure the switch application server to log transactions. Routinely audit transactions and system logs.
  • Develop a baseline of expected software, users, and logons. Monitor switch application servers for unusual software installations, updates, account changes, or other activity outside of expected behavior.
  • Develop a baseline of expected transaction participants, amounts, frequency, and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.
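The ISO 8583 description earlier (the switch blocking declines and generating approvals with a GenerateResponse* function) and the cryptogram items in the list above are two sides of the same control: an approval is only worth trusting if the issuer proved it computed it. The following is an added example, not code from the advisories or from any vendor, that models the authorization exchange with a few real ISO 8583 conventions (MTI 0200/0210, DE2 PAN, DE4 amount, DE11 STAN, DE39 response code) and uses HMAC-SHA256 as a deliberately simplified stand-in for the EMV ARQC/ARPC cryptograms, which in reality use EMV-specified block ciphers and derived session keys. PANs, keys and balances are constructed test values:

```python
"""Simplified model of an ISO 8583 authorization exchange with request and
response cryptograms, showing why a forged approval from a compromised switch
fails when the card verifies the issuer's response cryptogram (added example)."""
import hmac
import hashlib

def cryptogram(key, *fields):
    """Stand-in for an EMV cryptogram: HMAC-SHA256 over the fields, 16 hex chars.
    Real ARQC/ARPC generation uses EMV-specified block ciphers and session keys."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()[:16]

# Constructed issuer records: PAN -> (card key shared with the ICC, balance in cents).
ISSUER_ACCOUNTS = {
    "4111111111111111": (b"constructed-card-key-0001", 5_000),     # balance 50.00
    "5555555555554444": (b"constructed-card-key-0002", 250_000),   # balance 2,500.00
}

def build_request(pan, amount_cents, stan, card_key):
    """0200 financial request with DE2 (PAN), DE4 (amount, n12), DE11 (STAN)
    and a request cryptogram the card computes over the transaction data."""
    amount = f"{amount_cents:012d}"
    return {"MTI": "0200", "DE2": pan, "DE4": amount, "DE11": stan,
            "ARQC": cryptogram(card_key, "ARQC", pan, amount, stan)}

def issuer_authorize(request):
    """Issuer host: validate the request cryptogram, check the balance, and
    answer with a 0210 response carrying DE39 and an issuer-generated ARPC."""
    pan = request["DE2"]
    key, balance = ISSUER_ACCOUNTS[pan]
    expected = cryptogram(key, "ARQC", pan, request["DE4"], request["DE11"])
    if not hmac.compare_digest(expected, request["ARQC"]):
        code = "05"   # do not honour: request cryptogram invalid
    elif int(request["DE4"]) > balance:
        code = "51"   # insufficient funds
    else:
        code = "00"   # approved
    return {"MTI": "0210", "DE2": pan, "DE11": request["DE11"], "DE39": code,
            "ARPC": cryptogram(key, "ARPC", request["ARQC"], code)}

def forged_approval(response):
    """Models the behaviour the advisories describe: the decline is replaced by
    an approval. The switch holds no card key, so the ARPC cannot be recomputed."""
    forged = dict(response)
    forged["DE39"] = "00"
    return forged

def card_accepts(request, response, card_key, require_arpc):
    """Terminal/card decision. With require_arpc=False the response code is
    trusted as received (the weakness FASTCash relies on); with True the card
    verifies the ARPC against the ARQC it generated and the response code."""
    if response["DE11"] != request["DE11"] or response["DE39"] != "00":
        return False
    if not require_arpc:
        return True
    expected = cryptogram(card_key, "ARPC", request["ARQC"], response["DE39"])
    return hmac.compare_digest(expected, response["ARPC"])

def run_scenarios():
    """Constructed transactions: a 1,000.00 withdrawal against a 50.00 balance,
    then a 100.00 withdrawal that the issuer legitimately approves."""
    pan = "4111111111111111"
    key = ISSUER_ACCOUNTS[pan][0]
    req = build_request(pan, 100_000, "000123", key)
    honest = issuer_authorize(req)
    forged = forged_approval(honest)
    pan2 = "5555555555554444"
    key2 = ISSUER_ACCOUNTS[pan2][0]
    req2 = build_request(pan2, 10_000, "000124", key2)
    ok = issuer_authorize(req2)
    return {
        "issuer_code": honest["DE39"],
        "forged_accepted_legacy": card_accepts(req, forged, key, require_arpc=False),
        "forged_accepted_with_arpc": card_accepts(req, forged, key, require_arpc=True),
        "legit_code": ok["DE39"],
        "legit_accepted_with_arpc": card_accepts(req2, ok, key2, require_arpc=True),
    }

if __name__ == "__main__":
    print(run_scenarios())
```

The legacy path accepts the forged "00" because nothing in the response binds it to the issuer; with ARPC validation the same forged message is rejected, since the response cryptogram still covers the original "51". This is why the list above pairs "validate card-generated authorization request cryptograms" with "use issuer-generated authorization response cryptograms": either half alone leaves the switch in a position to speak for the bank.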


Rewterz’s SOC team has released specific recommendations for the internal security monitoring and incident response teams, to help them detect such advanced APT attacks.


Integration for Cyber Security Monitoring Visibility


The following should be enabled and integrated into your centralized security monitoring platform, such as a SIEM or log management system, to detect such advanced APT attacks:


  • Network flows for visibility of inbound/outbound traffic and network insight.
  • Detailed system and application auditing besides standard logs.
  • Process tracking and network share object auditing.
  • Command line parameter logging should be enabled once process tracking is enabled; this helps analysts understand the parameters the attacker passed to the process.
  • Authentication events.
  • Database events.
  • Advanced malware events.


Use Cases for Cyber Security Monitoring of Switch Application Servers (SWIFT, IRIS, Nimbus, etc.)


  • Outbound connections towards external and local networks from switch application servers.
  • Inbound connections from external and local networks towards servers.
  • Excessive internal and external connections.
  • Excessive connections made by any process in application servers.
  • Application servers’ traffic on unknown and high ports.
  • Traffic deviations.
  • IoC hits on servers from advanced malware.
  • Traffic of the administrators who manage switch application servers.
  • Any activity being performed on servers by administrators.
  • All the authentication performed by processes and services on switch application servers.
  • All authentication attempts on servers.
  • Monitor applications and services that are talking to other systems.
  • Monitor all the extensions and processes of these systems with their path of execution, specifically for bin, js, ps1, exe, vbs, png, rtf, docm, xlsm, xltm, bat, jar, msi, scr, hta, cmd, vbe, txt, jse, lnk, and inf.
  • All activities of privileged users who have logged in to switch application servers.
  • File share activities of privileged users.
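The use cases above come down to two baselines: which peers and ports a switch server is expected to talk to, and which executables are expected to run on it. The following is an added example, not Rewterz SOC content, that applies both baselines to constructed flow and process-execution records; the switch address, local network range, expected peers, the AIX-style path prefixes and every record are made-up values chosen to exercise the rules (an outbound connection to a non-local host, one process opening sixty connections on high ports, and a .bin file executed from /tmp):

```python
"""Baseline-driven monitoring for a payment switch application server over
constructed flow and process-execution records (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed environment: the switch server, its local networks, and the
# (destination, port) pairs it is expected to talk to (core banking, database).
SWITCH_SERVERS = {"10.20.0.5"}
LOCAL_NETWORKS = [ip_network("10.20.0.0/16")]
EXPECTED_PEERS = {("10.20.0.10", 7001), ("10.20.0.11", 1521)}
EXPECTED_PATH_PREFIXES = ("/opt/switch/", "/usr/bin/", "/usr/sbin/")
# Extensions from the use-case list above.
MONITORED_EXTENSIONS = {"bin", "js", "ps1", "exe", "vbs", "png", "rtf", "docm", "xlsm",
                        "xltm", "bat", "jar", "msi", "scr", "hta", "cmd", "vbe", "txt",
                        "jse", "lnk", "inf"}

# Constructed flow records: (src, dst, dst_port, process name).
FLOWS = [
    ("10.20.0.5", "10.20.0.10", 7001, "switchd"),
    ("10.20.0.5", "10.20.0.11", 1521, "switchd"),
    ("10.20.0.5", "203.0.113.9", 443, "switchd"),   # outbound to a non-local host
    ("10.20.0.5", "10.20.0.10", 7001, "switchd"),
] + [("10.20.0.5", "10.20.0.12", 40000 + i, "sh") for i in range(60)]

# Constructed process-execution records: (host, user, executable path).
PROCESS_EVENTS = [
    ("10.20.0.5", "switchadm", "/opt/switch/bin/switchd"),
    ("10.20.0.5", "root", "/tmp/.x/update.bin"),
    ("10.20.0.5", "switchadm", "/usr/bin/ls"),
]

def is_local(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)

def unexpected_outbound(flows):
    """Outbound connections from a switch server to peers outside the baseline,
    tagged with the reasons an analyst would want to see first."""
    alerts = []
    for src, dst, port, proc in flows:
        if src not in SWITCH_SERVERS or (dst, port) in EXPECTED_PEERS:
            continue
        reasons = ["unexpected_peer"]
        if not is_local(dst):
            reasons.append("external")
        if port >= 1024:
            reasons.append("high_port")
        alerts.append({"dst": dst, "port": port, "process": proc, "reasons": reasons})
    return alerts

def excessive_by_process(flows, threshold=50):
    """Processes on switch servers opening more connections than the baseline allows."""
    counts = Counter((src, proc) for src, _, _, proc in flows if src in SWITCH_SERVERS)
    return {key: n for key, n in counts.items() if n > threshold}

def risky_executions(events):
    """Executions with a monitored extension, or from outside the expected paths."""
    flagged = []
    for host, user, path in events:
        if host not in SWITCH_SERVERS:
            continue
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reasons = []
        if ext in MONITORED_EXTENSIONS:
            reasons.append(f"monitored_extension:{ext}")
        if not path.startswith(EXPECTED_PATH_PREFIXES):
            reasons.append("unexpected_path")
        if reasons:
            flagged.append({"user": user, "path": path, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for a in unexpected_outbound(FLOWS)[:3]:
        print("flow", a)
    print("excessive", excessive_by_process(FLOWS))
    print("exec", risky_executions(PROCESS_EVENTS))
```

The local-network check is done against an explicit list rather than a library "is private" test, because documentation and test ranges are classified as non-global by such tests and an external peer would be missed. The thresholds and prefixes are the baseline the list above says to develop; a real deployment derives them from a period of known-good traffic on the switch server, not from constants.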

The Worst Data Breaches of 2018

In 2017, the world witnessed more data breaches than in any year prior. There were a total of 1,293 data breaches, compromising more than 174 million records. As we near the end of October, this disturbing trend has only continued this year.


As employees and business consumers, we should be concerned about these threats and our most precious assets. Protecting user data has become increasingly important amid the implementation of stricter regulation.


Companies are no longer just required to announce that their systems have been breached but also pay fines that can reach up to 4 percent of their annual turnover. The increasing sophistication of cyber-attacks coupled with the overall lack of cybersecurity has led to the greatest data breaches and the loss of data records on a global scale.



This year, big names such as Google, Facebook, Nadra, Uber, Careem, and British Airways have joined the ever-growing list of breach victims. Data breaches can result in loss of millions, even billions, of private records and sensitive data, affecting not just the breached organization but also the concerned victims whose critical assets may have been stolen.



As we near the end of 2018, it is time to tally up this year’s breaches. Below we offer what we believe are the most significant data breaches to hit the globe, not in all cases because they were particularly large but because of the type of attack or vulnerability involved or the sensitivity of the data compromised. This list is not in order of rank.






Earlier this year Google discovered a vulnerability in an API for the company’s social networking effort Google+, which made it possible for third-party app developers to access data from the friends of the app users.





According to the Wall Street Journal, more than 500,000 Google+ users had their data exposed this past spring through a third-party application. Google not only exposed this data but then chose not to disclose the exposure, fearing reputational damage.


Exposed data included names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.
In response, parent company Alphabet decided to shut down Google+ completely and for good.






The Facebook security breach discovered in September 2018 was the largest in the company’s 14-year history. The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them, exposing the accounts of nearly 50 million users.




The vulnerability was introduced on the site in July 2017, but Facebook did not know about it until September 16, 2018, when it spotted unusual activity. This could mean the hackers had access to user data for a long time, as Facebook is not yet sure when the attack began.


Zuckerberg said that the attackers were using Facebook developer APIs to obtain some information, like “name, gender, and hometowns” that’s linked to a user’s profile page.






Earlier this year, we witnessed the biggest data breach in the history of Pakistan, as reports claimed that the Punjab Information Technology Board (PITB) was responsible for creating vulnerable mobile applications directly connected to the API of NADRA, which can request the details of any Pakistani citizen by different means.




According to WikiLeaks and Julian Assange, American and British intelligence agencies acquired access to NADRA’s database and got hold of the identification records of Pakistanis.

According to information security expert Faiz Ahmed Shuja, the CEO of Rewterz, the data was leaked due to unregulated e-governance apps, such as those that sold online tickets for cricket matches in Pakistan.


NADRA provides access to different government organizations; for example, when you go to buy a mobile phone SIM, you provide your fingerprints, which are matched against your NADRA data to verify your identity.


He further said:

“NADRA had given this kind of access to different government departments as well as the Punjab Information Technology Board (PITB), who launched an application to sell cricket match tickets. People would give their ID credentials and get their tickets; these applications have been misused. The authority should provide only what is required to government apps instead of giving them complete access to all its data.”





In September 2018, reports confirmed that ride-hailing firm Uber will pay £133m to settle all legal action over the cyber-attack that exposed data from 57 million customers and drivers in 2016.
Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States.



Following numerous reports about the incident, Uber only revealed limited information about the data breach in November 2017. It has now been confirmed that the company paid the hackers $100,000 (£761,71) to hide the data breach.



British Airways



British Airways revealed on 6 September that passengers who made or updated a booking from its website or the BA app became victims of a data breach affecting 380,000 transactions, involving stolen personal and financial information, but not passport or flight details.



The data was compromised over a two-week period between 21 August and 5 September, during which a ‘sophisticated’ attack was carried out on both the company’s website and app.


“We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over and app,” Alex Cruz, CEO of BA, told the BBC’s Today programme.

“The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”



He said that customers at risk are now being contacted and advised to ask their bank or credit card provider on how to manage the data breach.


“Yet, every company is a target when it comes to cyber-attacks, and there only needs to be a single vulnerability to enable a breach. While cybercriminals will always find new ways of gaining access, there are ways to reduce risk and minimize the loss of data.”






Careem, in a public statement issued on April 23, said that it “has identified a cyber incident involving unauthorized access to the system we use to store data”. The breach involved access to Careem’s data storage system for 14 million riders and 558,800 captains.




The breach affects all customers and captains who signed up with the service before January 14, 2018. Close to three out of every four users have been victims of this breach.



“On January 14 of this year, we became aware that online criminals gained access to our computer systems which hold customer and captain account data. Customers and captains who have signed up with us since that date are not affected,” stated the company on its ‘blog’ section.

IT experts and customers are now accusing the company of negligence for not reporting this incident for more than three months.


The company has also warned users to take safety measures on their own, and be vigilant over their bank account usage and credit card transactions, hinting that there could be a possibility of misuse. It has also asked users to “update” passwords and implement “good password management.”

A Cybersecurity Fiasco: Chinese Spies Plant a Microchip to Tamper US Tech-Giants’ Server



Bloomberg Businessweek reported earlier this month that Chinese spies allegedly exploited the technology supply chain of 30 major US companies, including Apple and Amazon, by planting tiny microchips on motherboards used in their servers.


The malicious chips, which were not part of the original server motherboards designed by the U.S-based company Super Micro, had been inserted during the manufacturing process in China.


The chips, which Bloomberg said have been the subject of a top-secret U.S. government investigation started in 2015, would allow attackers to covertly modify these servers, bypass software security checks, gather intellectual property and trade secrets, and essentially give the Chinese government a complete backdoor into these American companies’ networks.


If true, this might be one of the largest corporate espionage and hardware hacking programs in the history of cybersecurity.





However, the impacted companies, such as Apple and Amazon, are fiercely disputing the claims. Meanwhile, Supermicro and the Chinese Ministry of Foreign Affairs have also strongly denied Bloomberg’s findings in lengthy statements.


Some highlights from the responses released by Apple, Supermicro and Amazon, according to a Bloomberg report are listed below:





“Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”






“While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.

Furthermore, Supermicro doesn’t design or manufacture networking chips or the associated firmware and we, as well as other leading server/storage companies, procure them from the same leading networking companies.”






“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.


We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.”






These assertive statements are leading national security experts to question who exactly is telling the truth. The prospect of this kind of attack is very real, but the fact that Bloomberg and the companies named in the story flatly contradict each other is confusing everyone, and a sign that we are probably not done hearing about this story anytime soon.


However, if the Bloomberg story turns out to be true, Amazon and Apple would appear to be lying about and dismissing a potential global security risk. Ultimately, a deeper look into this potential attack is warranted.

Rewterz Threat Advisory – North Korean state-funded APT38 launches financially motivated attacks worldwide

FireEye has released a report covering the bank intrusions and SWIFT attacks launched by APT38 from North Korea.






PUBLISH DATE: 04-Oct-2018






A recent FireEye report covers various activities of threat actors from North Korea, tracked as APT38. APT38 seems to have been operating since 2014 and has targeted financial institutions, stealing at least $100 million from banks worldwide.



There are numerous SWIFT banking systems that have been targeted, including the hack of Vietnam’s TP Bank in 2015, Bangladesh’s central bank in 2016, Taiwan’s Far Eastern International in 2017, Bancomext in Mexico in 2018, and Banco de Chile in 2018. FireEye seems to believe that it was UN economic sanctions levied against North Korea after a suite of nuclear tests carried out in 2013 that led to the rise of this state-funded hacker group.



The attacks are aimed at currency acquisition since the North Korean state is facing multiple sanctions imposed on them.






  • February 2014 – APT38 launches its first known operation
  • December 2015 – Attempted heist at TPBank
  • January 2016 – Multiple international banks attacked consecutively by APT38
  • February 2016 – Attack on Bangladesh Bank (intrusion via the SWIFT inter-banking system)
  • October 2016 – APT38 watering hole attacks on government and media sites reported
  • March 2017 – SWIFT bans access for all North Korean banks under UN sanctions
  • September 2017 – Chinese banks restrict financial activities of North Korean individuals and entities
  • October 2017 – Heist at Far Eastern International Bank in Taiwan (ATM cash-out scheme)
  • January 2018 – Attempted attack on Bancomext in Mexico
  • May 2018 – Banco de Chile attacked

FireEye estimates that APT38 has attempted to steal over $1.1 billion in total, though only roughly $100 million is believed to have actually been taken.

FireEye experts wrote in their report: “The group has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, necessary permissions, and system technologies to achieve its goals.”

The group stands out for the extensive care and caution it takes while attacking its targets. Target systems are thoroughly evaluated before a heist is launched, and to refine its attack techniques the group may remain dormant for months while working on its strategy.

The most striking thing about the group is that it does not leave evidence behind. In cases where it was unable to delete specific logs from devices, it often deployed ransomware or disk-wiping malware instead.

The Hermes ransomware: after withdrawing large amounts of money from its ATMs, APT38 deployed the Hermes ransomware on the network of Far Eastern International Bank (FEIB) in Taiwan. Quite conveniently for the attackers, the bank’s IT staff were diverted to data recovery rather than to monitoring the ATM systems.

KillDisk malware: after a failed attempt to steal $110 million from Bancomext, APT38 deployed the KillDisk disk-wiping malware on its network. The same malware was deployed by APT38 on the network of Banco de Chile after a successful heist of $10 million.

By analyzing the malware’s source code, researchers were able to link it to the North Korean hacking group. However, attribution is complicated by the fact that multiple units of North Korea’s hacking infrastructure resemble one another, as they reuse malware and tools when launching attacks.

“In particular, the number of SWIFT heists that have been ultimately thwarted in recent years coupled with growing awareness for security around the financial messaging system could drive APT38 to employ new tactics to obtain funds especially if North Korea’s access to currency continues to deteriorate,” FireEye’s report says.

A successful attack can affect an organization’s assets in many ways. Attackers may steal information and money and harm the organization’s reputation. A network attack may cause temporary or permanent loss of sensitive data, or lead to manipulation of data, as in the case of disk-wiping malware. It may also disrupt the regular operations of the organization.

Further financial losses will be suffered when trying to restore systems and files, especially in cases of ransomware deployment on systems.

Geographically, the targets of APT38 are not confined to a particular region. The following map shows the major targets of APT38.

“We have observed APT38 remain within a victim network approximately 155 days, with the longest time within a compromised system believed to be 678 days (two years),” reported FireEye experts.

Organizations should configure system logging so that incidents can be detected and the type and scope of malicious activity identified. Continuous monitoring of all activity on the network is essential to pinpoint any cyber espionage targeting the organization.
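One concrete monitoring check that follows from the advisory’s observation that APT38 deletes logs where it can: alert whenever a Windows event log is cleared. The script below is an added example, not code from the advisory or from FireEye’s report. It parses forwarded event records in a constructed key=value line format (the hostnames, user names and timestamps are invented), and flags the two event IDs Windows itself records when a log is cleared: Security event 1102 (audit log cleared) and System event 104 (an event log file was cleared). Clearing both logs on one host within a few minutes is rated higher than a single cleared log, since that pattern is rarely routine administration.

```python
"""Flag audit-log clearing events in forwarded Windows event records.

Added example (not from the FireEye report or the Rewterz advisory). The
sample records are constructed: key=value lines in the shape a log forwarder
might emit. The two event IDs are real Windows IDs; everything else is made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, event ID) pairs Windows writes when an event log is cleared.
LOG_CLEARED_EVENTS = {
    ("Security", 1102),   # "The audit log was cleared."
    ("System", 104),      # "The <channel> log file was cleared."
}

# Constructed sample input: one record per line, as a forwarder might emit it.
SAMPLE_LOG = """\
2018-09-14T02:13:55Z host=srv-01 channel=Security event_id=4624 user=svc_backup
2018-09-14T02:14:10Z host=srv-01 channel=Security event_id=1102 user=svc_backup
2018-09-14T02:14:12Z host=srv-01 channel=System event_id=104 user=svc_backup
2018-09-14T02:20:00Z host=srv-02 channel=Security event_id=4624 user=alice
2018-09-14T03:05:41Z host=srv-02 channel=Security event_id=4688 user=alice
2018-09-14T03:40:00Z host=srv-03 channel=System event_id=104 user=SYSTEM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+channel=(?P<channel>\S+)"
    r"\s+event_id=(?P<event_id>\d+)\s+user=(?P<user>\S+)$"
)


def parse_records(text):
    """Parse forwarder lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["event_id"] = int(rec["event_id"])
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_log_clearing(records):
    """Return only the records that indicate an event log was cleared."""
    return [r for r in records if (r["channel"], r["event_id"]) in LOG_CLEARED_EVENTS]


def alerts_by_host(records, window=timedelta(minutes=5)):
    """Group log-clearing events per host and rate their severity.

    Both the Security and System logs cleared on one host inside `window`
    is rated "high"; a single cleared log is rated "medium".
    """
    cleared = defaultdict(list)
    for r in find_log_clearing(records):
        cleared[r["host"]].append(r)

    alerts = {}
    for host, events in cleared.items():
        events.sort(key=lambda r: r["ts"])
        channels = {r["channel"] for r in events}
        span = events[-1]["ts"] - events[0]["ts"]
        severity = "high" if len(channels) > 1 and span <= window else "medium"
        alerts[host] = {
            "severity": severity,
            "users": sorted({r["user"] for r in events}),
            "first_seen": events[0]["ts"].isoformat(),
            "count": len(events),
        }
    return alerts


if __name__ == "__main__":
    for host, a in sorted(alerts_by_host(parse_records(SAMPLE_LOG)).items()):
        print(f"{host}: {a['severity']} - {a['count']} log-clear event(s) "
              f"by {', '.join(a['users'])} starting {a['first_seen']}")
```

The check only works if the events reach a collector the attacker cannot clear, which is why the advisory’s advice to forward and monitor logs continuously matters: a 1102 that exists only in the local Security log is exactly the record a disk wipe removes.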

Copyright © Rewterz. All rights reserved.