Carbanak, Anunak and Unprotected Privileged Accounts

February 23, 2015 Andrey Dulkin

The financial world and the security industry have been rocked by the recent report from Kaspersky about the cyber-criminals that have stolen more than $1 Billion from global banks through cyber attacks. The initial reports link the attacks to a multinational criminal group, and highlight the use of sophisticated malware, dubbed Carbanak.

The attackers used simple techniques like phishing to trick employees into infecting their endpoints with malware. Once installed, the attackers went after the administrators in order to gain access to the machines on which financial administrators operated. On these machines, the attackers studied employee behaviors, captured keystrokes and passwords, and mimicked the banking procedures to ultimately steal money through fraudulent transactions and cash discharges at ATMs.

If this sounds familiar, it’s because these attacks seem to be closely related and probably are the same as the attacks disclosed in a December 2014 report by Fox-IT and Group-IB. We blogged about the emergence of the group at the time, and how the group targeted and exploited privileged accounts to perpetrate their attacks.

Regardless of what the group or malware is called, the recent revelations of hundreds of millions of dollars in cybercrime targeting the financial industry shows that criminal enterprises are alive and well, and continue to cultivate new cyber capabilities.

Protecting against these threats requires a shift in our mindset about cyber security – protecting your organization starts with the understanding that if your network holds something of value for a targeted attacker, then you’re likely breached, right now, or have been breached recently. This understanding is based on the fact that motivated attackers will always find a way in past perimeter defenses, mainly because they have limitless attempts to try and break through, as well as them being able to test their attack tools against any existing perimeter defense.

Once inside, attackers immediately focus on hijacking and exploiting unprotected privileged accounts (such as those of systems administrators), enabling them to move laterally across the network, gain access to critical systems, operate on sensitive assets and exfiltrate stolen data.

According to CyberArk’s recently published Cyber Threat Report, over 80 percent of all serious security incidents included a compromise and misuse of privileged accounts at some point in the attack process.

If the Carbanak and Anunak attacks teach us anything, it’s that while cyber attackers may have different motives or end goals, their pathways are usually the same: commandeer privileged accounts, escalate privileges to gain access across the network and steal critical data and assets without detection. This privileged escalation cycle is something we see time and time again, and organizations need to be prepared to prevent it and mitigate the threat of targeted attacks.

By implementing the necessary tools and infrastructure to manage, continuously monitor and track privileged account activity, along with the analytics and intelligence to identify anomalous activity, organizations can protect themselves and enable a quick detection and response, making it possible to mitigate potential damage early in the attack cycle.

Learn more about privileged account exploits and read first-hand accounts from some of the world’s top cyber forensics and incident response professionals in our Cyber Threat Report.

Previous Article
What the NIST Guidelines for Secure Shell Mean for Your Organization
What the NIST Guidelines for Secure Shell Mean for Your Organization

The National Institute of Standards and Technology (NIST) recently issued guidelines for the use of Secure ...

Next Article
Understanding Linux Security
Understanding Linux Security

Over the years, it has been interesting to watch the rise of Linux servers as the go-to operating system fo...