Security researchers discovered a new banking Trojan, Odinaff, which began targeting financial organizations in...
January 2016. Odinaff is said to require a sophisticated attacker and may be linked to the Carbanak group.
Symantec Corp. wrote in a blog post that the banking Trojan had been found mostly targeting financial institutions in various regions, including the U.S., U.K., Australia and Hong Kong. Odinaff was being used to gain backdoor access to financial systems as the "first stage of an attack." The malware provides a foothold for an attacker, and Odinaff downloads other hacking tools to allow deeper penetration onto a victim's network.
Jon DiMaggio, senior threat intelligence analyst for security response at Symantec, based in Mountain View, Calif., said it was unknown how much money might have been stolen in these attacks, "but similar attacks on banks have proven to be highly lucrative."
"One recent example is the $81 million heist from the Bangladesh central bank by attackers linked to the Lazarus group," DiMaggio told SearchSecurity. "Estimates of total losses to Carbanak-linked attacks, meanwhile, range from tens of millions to hundreds of millions of dollars. The main takeaway from this is financial attackers are growing in sophistication and need to be taken seriously."
Dick Bussiere, technical director for Tenable Network Security, based in Columbia, Md., said "despite the fact that Odinaff is human-resource-intensive, banks may be at great risk."
"This is a classic example of an effort-reward type of scenario," Bussiere told SearchSecurity. "Successful deployment of malware such as Odinaff results in huge financial rewards on the other side of the effort. Banks or regulatory regimes, which are slack at cybersecurity, are most at risk."
DiMaggio said, in addition to having similar targets, Odinaff showed connections to Carbanak by using IP addresses found in previous Carbanak campaigns, as well as Russian and Cyrillic text in the program database strings of the malware, which was notable because Carbanak allegedly originated in Russia.
"The Odinaff attackers could be part of Carbanak, but it is also possible that the two groups are only loosely affiliated," DiMaggio said. "If this is linked to the individuals behind previous Carbanak activity, this would indicate a change in tactics and shows the sophistication of the attacker. They would likely have learned from the highly publicized Lazarus-based SWIFT attacks earlier this year and derived their own version of the operation."
According to Symantec, the Odinaff banking Trojan also targeted the SWIFT messaging protocol to hide fraudulent transfers.
"The Odinaff group has mounted attacks on SWIFT users, using malware to hide customers' own records of SWIFT messages relating to fraudulent transactions. The tools used are designed to monitor customers' local message logs for keywords relating to certain transactions," Symantec wrote. "They will then move these logs out of customers' local SWIFT software environment. We have no indication that the SWIFT network was itself compromised."
SWIFT recently announced new Daily Validation Reports, which "will be provided through a separate channel to customers' payments and compliance teams" as a way to provide anomaly detection, track messaging activity and potentially catch fraud.
While DiMaggio said it was too soon to determine if these reports could mitigate attacks like Odinaff, other experts were not optimistic.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, based in Salt Lake City, told SearchSecurity attackers will learn to adapt.
"SWIFT's new Validation Reports might help stop unsophisticated attacks, but bad guys learn very quickly how to manipulate and exploit the weakest link: people. If Validation Reports depend on people to compare transactions and find fraud, they'll fail to stop the most sophisticated attacks," Bocek said. "The only way to stop the most potent and deceptive attacks is by stopping them at the point of attack."
Justin Harvey, head of security strategy at Gigamon Inc., based in Santa Clara, Calif., said the only foolproof way to detect these types of attacks is to "adopt a continuous-response methodology."
"This begins with full endpoint and network visibility, along with operating under the assumption that you've been breached. Proactive hunting measures are effective at uncovering emerging threats from the outside, as well as threats from the insider, aka insider threat," Harvey told SearchSecurity. "But, again, this all revolves around having appropriate visibility into every network transaction and what's happening on the endpoints."
Learn more about SWIFT security controls mandated for 2018.
Find out why Carbanak requires people, process and tech.
Get info on how SWIFT execs ignored security before hacks.