Here, we have a guest post from Susan Carter, Senior Manager Incident Response Services at NTT Security. 

After reading through the latest US-CERT Alert concerning the HIDDEN COBRA – FASTCash Campaign, I can’t help but feel this is yet another example of why security has to be the foundation of an organization’s computer infrastructure. 

“HIDDEN COBRA actors target the retail payment system infrastructure within banks to enable fraudulent ATM cash withdrawals”

While the exact infection vector is not known, all the compromised switches used in the attacks were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions. The actors used knowledge of International Standards Organization (ISO) 8583, the standard for financial transaction messaging, to interpret financial request messages and construct fraudulent financial response messages.

Most likely the attack started with a spear phishing campaign targeted at bank employees. Once a payload was delivered, the actors used Windows-based malware to explore the bank’s network, used legitimate credentials to move laterally, and then found the payment switch application server. Once inside the server, the actors deployed scripts that made the system respond fraudulently to what would otherwise be normal payment switch application server activity. In other words, the actors manipulated the system into allowing them to make fraudulent withdrawals. This enabled the actors to steal tens of millions of dollars.
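As an added illustration of the detection side of this, not code from the alert or from NTT Security: because the fraud relies on the compromised switch emitting ISO 8583 response messages the core banking host never issued, a bank can reconcile the responses leaving the switch against the responses the host actually returned. The field numbers (4 amount, 11 STAN, 39 response code) and the 0200/0210 message types are standard ISO 8583; the dict representation and the sample log are constructed assumptions, since real messages are bitmap-encoded.

```python
# Field numbers per ISO 8583 (standard); the dict form of a message is an assumption.
MTI_REQUEST, MTI_RESPONSE = "0200", "0210"   # financial request / response
F_AMOUNT, F_STAN, F_RESPONSE_CODE = 4, 11, 39
APPROVED = "00"


def reconcile(switch_out, host_in):
    """Return the STANs of approved 0210 responses the switch sent outward
    for which the core host did not issue a matching approval.

    An approval with no host counterpart, or one whose host counterpart was a
    decline or carried a different amount, is the signature of a response that
    was constructed or altered on the switch rather than authorized by the bank."""
    host_by_stan = {m[F_STAN]: m for m in host_in if m["mti"] == MTI_RESPONSE}
    suspicious = []
    for m in switch_out:
        if m["mti"] != MTI_RESPONSE or m[F_RESPONSE_CODE] != APPROVED:
            continue  # only outward approvals can move cash
        host = host_by_stan.get(m[F_STAN])
        if (host is None
                or host[F_RESPONSE_CODE] != APPROVED
                or host[F_AMOUNT] != m[F_AMOUNT]):
            suspicious.append(m[F_STAN])
    return suspicious


# Constructed sample log: one legitimate approval, one decline that the switch
# turned into an approval, and one approval the host never saw at all.
SWITCH_OUT = [
    {"mti": MTI_RESPONSE, F_STAN: "000101", F_AMOUNT: "000000010000", F_RESPONSE_CODE: "00"},
    {"mti": MTI_RESPONSE, F_STAN: "000102", F_AMOUNT: "000000020000", F_RESPONSE_CODE: "00"},
    {"mti": MTI_RESPONSE, F_STAN: "000103", F_AMOUNT: "000000500000", F_RESPONSE_CODE: "00"},
]
HOST_IN = [
    {"mti": MTI_RESPONSE, F_STAN: "000101", F_AMOUNT: "000000010000", F_RESPONSE_CODE: "00"},
    {"mti": MTI_RESPONSE, F_STAN: "000102", F_AMOUNT: "000000020000", F_RESPONSE_CODE: "51"},
    # No host response for STAN 000103: that approval originated on the switch.
]

if __name__ == "__main__":
    print(reconcile(SWITCH_OUT, HOST_IN))  # ['000102', '000103']
```

The check needs an independent copy of the host-side traffic (for example a network tap or the host's own authorization log), since logs written on the compromised switch itself cannot be trusted.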

Running unsupported IBM AIX was a key vulnerability in this attack, and a solid patch management system would have mitigated that, but how else could an organization protect itself from an attack like this? There is, unfortunately, not ONE answer!

This is not a simple attack. It likely makes use of phishing, perhaps social engineering, credential theft and reuse, internal compromise, malware, customized applications, manual manipulation, and a variety of other techniques, as well as coordination on a global scale. That means solutions that directly address such an attack are also not likely to be simple.

Organizations must therefore enforce a security culture with an investment in security tools, expertise, and continued monitoring and management. A holistic approach to this mindset is necessary. For this attack, mitigation considerations should have been thought out in advance, covering both supply chain risk and the overarching architecture. This is something that cannot be developed and implemented on the fly, especially within an organization’s legacy environments. A critical part of the holistic approach, which is often overlooked, is the development and continued support of a solid incident response program.

An organization’s ability to rapidly respond to and recover from an incident begins with the development of a solid incident response capability. This plan should focus on being prepared to handle the most common types of attacks (e.g. spear phishing, malicious web content, credential theft). Incident responders are required to be “battle ready”. Knowing ahead of time what needs to be done, and how it’s going to get done, keeps the team from working under fire, feeling stressed and making mistakes.

The more practiced and trained an organization’s incident response team is, the better off the organization will be when a compromise such as the one above takes place. Be in it to win it and conquer that beast within the network, or wait, and unfortunately, it may conquer the organization.


US-CERT Alert (TA18-275A)

GTIC-SB-201810-001 – HIDDEN COBRA (FASTCash)